
# Every top-level folder a search definition may point at. The '# common' tag
# marks the entries that are repeated in the common_* lists below (presumably
# this full list is what `search_in: all` resolves to — confirm in the builder).
root_folders:
- /applications  # common
- /bin  # common
- /.cache  # common
- /cdrom  # common
- /etc  # common
- $HOMESEARCH  # common; builder placeholder, use this instead of "/home"
- /lib
- /lib32
- /lib64
- /media  # common
- /mnt  # common
- /opt  # common
- /private  # common
- /run
- /sbin  # common
- /snap  # common
- /srv  # common
- /sys
- /system
- /systemd
- /tmp  # common
- /usr  # common
- /var  # common
# Folders covered by `search_in: common` (the '# common' subset of
# root_folders); presumably applied to `type: f` entries — confirm in the builder.
common_file_folders:
- /applications
- /bin
- /.cache
- /cdrom
- /etc
- $HOMESEARCH
- /media
- /mnt
- /opt
- /private
- /sbin
- /snap
- /srv
- /tmp
- /usr
- /var
# Currently identical to common_file_folders; kept as a separate list,
# presumably so `type: d` searches can diverge later — confirm in the builder.
common_directory_folders:
- /applications
- /bin
- /.cache
- /cdrom
- /etc
- $HOMESEARCH
- /media
- /mnt
- /opt
- /private
- /sbin
- /snap
- /srv
- /tmp
- /usr
- /var
# Markers the builder substitutes when rendering the script, plus the shell
# templates each find / storage line is expanded from.
peas_extrasections_markup: "peass{EXTRA_SECTIONS}"
peas_finds_markup: "peass{FINDS_HERE}"
find_line_markup: "peass{FIND_PARAMS_HERE}"
# Folded scalar, rendered as one line; peass{FIND_PARAMS_HERE} is replaced
# with the find parameters of each entry. Backslashes are literal here.
find_template: >
  `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. '\\\$NC 1>&2;"`
peas_storages_markup: "peass{STORAGES_HERE}"
storage_line_markup: "peass{STORAGE_PARAMS_HERE}"
storage_line_extra_markup: "peass{STORAGE_PARAMS_EXTRA_HERE}"
# Storage output is sorted, de-duplicated and capped at 70 lines.
storage_template: >
  $(echo -e "peass{STORAGE_PARAMS_HERE}" peass{STORAGE_PARAMS_EXTRA_HERE} | sort | uniq | head -n 70)
int_hidden_files_markup: "peass{INT_HIDDEN_FILES}"
# Default per-file settings; the entries under `search:` below presumably
# override only the keys they set.
defaults:
  auto_check: false  # the builder generates a check for the file
  bad_regex: ""  # regex used to colour lines red and to grep lines (if only_bad_lines and no line_grep)
  check_extra_path: ""  # only keep found files whose path matches this
  good_regex: ""  # regex used to colour lines green
  just_list_file: false  # only print the path of the file, do not cat it
  line_grep: ""  # regex used to grep lines in a file (if only_bad_lines); bad_regex is used when empty
  only_bad_lines: false  # only print lines containing something red
  remove_empty_lines: false  # remove empty lines; use only for text files (-I param in grep)
  remove_path: ""  # discard files whose path contains this
  remove_regex: ""  # extra regex to remove some lines
  search_in:  # by default search in the defined common folders
  - common
  type: f  # f (file) by default; entries use d for directories
  exec: []  # extra shell commands for the section (see PostgreSQL below)
variables_markup: "peass{VARIABLES}"
# Named values that entries reference as "$name" (see the History entry).
variables:
- name: pwd_inside_history
  value: "7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@"
# Files & folders to search
search:
- name: Systemd
  value:
    disable:
    - winpeas
    config:
      auto_check: false
    files:
    - name: "*.service"
      value:
        type: f
        search_in:
        - all
- name: Timer
  value:
    disable:
    - winpeas
    config:
      auto_check: false
    files:
    - name: "*.timer"
      value:
        type: f
        search_in:
        - all
- name: Socket
  value:
    disable:
    - winpeas
    config:
      auto_check: false
    files:
    - name: "*.socket"
      value:
        type: f
        search_in:
        - all
- name: DBus
  value:
    disable:
    - winpeas
    config:
      auto_check: false
    files:
    - name: "system.d"
      value:
        type: d
        search_in:
        - /etc
- name: MySQL
  value:
    config:
      auto_check: false
    files:
    - name: mysql
      value:
        type: d
        # keep only the config/data locations, drop the data dir's own mysql/mysql subtree
        check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql"
        remove_path: "mysql/mysql"
        search_in:
        - common
    - name: "debian.cnf"
      value:
        bad_regex: "user.*|password.*"
        type: f
        only_bad_lines: true
        search_in:
        - common
- name: PostgreSQL
  value:
    config:
      auto_check: true
      exec:
      - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"'
    files:
    - name: "pgadmin*.db"
      value:
        type: f
        just_list_file: true
        search_in:
        - common
    - name: "pg_hba.conf"
      value:
        bad_regex: "auth|password|md5|user=|pass=|trust"
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
    - name: "postgresql.conf"
      value:
        bad_regex: "auth|password|md5|user=|pass=|trust"
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
    - name: "pgsql.conf"
      value:
        bad_regex: "auth|password|md5|user=|pass=|trust"
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
- name: Apache
  value:
    config:
      auto_check: true
      exec:
      - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
      - "print_3title 'PHP exec extensions'"
      - 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'
    files:
    - name: "sites-enabled"
      value:
        type: d
        files:
        - name: "*"
          value:
            bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
            only_bad_lines: true
            remove_empty_lines: true
            remove_regex: '^#'
        search_in:
        - common
    - name: "000-default.conf"
      value:
        bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
        type: f
        search_in:
        - common
- name: PHP Sessions
  value:
    config:
      auto_check: true
      exec:
      - "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions"
    files:
    - name: "sess_*"
      value:
        check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*'
        type: f
        search_in:
        - /tmp
        - /var
        - /mnt
- name: PHP_files
  value:
    config:
      auto_check: false
    files:
    - name: "*config*.php"
      value:
        type: f
        search_in:
        - common
    - name: "database.php"
      value:
        type: f
        search_in:
        - common
    - name: "db.php"
      value:
        type: f
        search_in:
        - common
    - name: "storage.php"
      value:
        type: f
        search_in:
        - common
    - name: "settings.php"
      value:
        type: f
        search_in:
        - common
- name: Wordpress
  value:
    config:
      auto_check: true
    files:
    - name: "wp-config.php"
      value:
        bad_regex: "PASSWORD|USER|NAME|HOST"
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: Drupal
  value:
    config:
      auto_check: true
    files:
    - name: "settings.php"
      value:
        bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'"
        check_extra_path: "/default/settings.php"
        only_bad_lines: true
        type: f
        search_in:
        - common
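- name: Moodle
  value:
    config:
      auto_check: true
    files:
    - name: "config.php"
      value:
        # "dbhost" was listed twice in the original alternation; duplicate dropped
        bad_regex: "dbtype|dbhost|dbuser|dbpass|dbport"
        check_extra_path: "moodle/config.php"
        only_bad_lines: true
        type: f
        search_in:
        - common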
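- name: Tomcat
  value:
    config:
      auto_check: true
    files:
    - name: "tomcat-users.xml"
      value:
        # The previous bad_regex (dbtype|dbhost|...) was copied from the Moodle
        # entry and could not match anything grepped by line_grep below, so no
        # line was ever highlighted. Align it with the attributes line_grep selects.
        bad_regex: "username=|password="
        line_grep: '"username=|password="'
        only_bad_lines: true
        type: f
        search_in:
        - common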
- name: Mongo
  value:
    config:
      auto_check: true
      exec:
      - 'echo "Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"'
    files:
    - name: "mongod*.conf"
      value:
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
- name: Supervisord
  value:
    config:
      auto_check: true
    files:
    - name: "supervisord.conf"
      value:
        bad_regex: "port.*=|username.*=|password.*="
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: Cesi
  value:
    config:
      auto_check: true
    files:
    - name: "cesi.conf"
      value:
        bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*="
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: Rsync
  value:
    config:
      auto_check: true
    files:
    - name: "rsyncd.conf"
      value:
        bad_regex: "secrets.*|auth.*users.*="
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
    - name: "rsyncd.secrets"
      value:
        bad_regex: ".*"  # whole file is credential material
        type: f
        search_in:
        - common
- name: Hostapd
  value:
    config:
      auto_check: true
    files:
    - name: "hostapd.conf"
      value:
        bad_regex: "passphrase.*"
        type: f
        search_in:
        - common
- name: Anaconda ks
  value:
    config:
      auto_check: true
    files:
    - name: "anaconda-ks.cfg"
      value:
        bad_regex: "rootpw.*"
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: VNC
  value:
    config:
      auto_check: true
    files:
    - name: ".vnc"
      value:
        files:
        - name: "passwd"
          value:
            # just_list_file is read as belonging to passwd (as in the Firefox
            # entries) rather than to the .vnc directory — confirm in the builder
            just_list_file: true
        type: d
        search_in:
        - common
    - name: "*vnc*.c*nf*"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "*vnc*.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "*vnc*.txt"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "*vnc*.xml"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
- name: Ldap
  value:
    config:
      auto_check: true
      exec:
      - echo "The password hash is from the {SSHA} to 'structural'"
    files:
    - name: "ldap"
      value:
        files:
        - name: "*.bdb"
          value:
            bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator"
            line_grep: '-i -a -o "description.*" | sort | uniq'
            type: f
        type: d
        search_in:
        - common
- name: OpenVPN
  value:
    config:
      auto_check: true
    files:
    - name: "*.ovpn"
      value:
        bad_regex: "auth-user-pass.+"
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: SSH
  value:
    config:
      auto_check: true
    files:
    - name: "id_dsa*"
      value:
        type: f
        search_in:
        - common
    - name: "id_rsa*"
      value:
        type: f
        search_in:
        - common
    - name: "known_hosts"
      value:
        type: f
        search_in:
        - common
    - name: "authorized_hosts"
      value:
        type: f
        search_in:
        - common
    - name: "authorized_keys"
      value:
        good_regex: 'from=[\w\._\-]+'  # source-restricted keys are highlighted green
        type: f
        search_in:
        - common
- name: CERTSB4
  value:
    config:
      auto_check: false
    files:
    # remove_path drops the distribution's own CA bundles and libraries
    - name: "*.pem"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
        search_in:
        - common
    - name: "*.cer"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
        search_in:
        - common
    - name: "*.crt"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
        search_in:
        - common
- name: CERTSBIN
  value:
    config:
      auto_check: false
    files:
    - name: "*.csr"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
        search_in:
        - common
    - name: "*.der"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
        search_in:
        - common
- name: CERTSCLIENT
  value:
    config:
      auto_check: false
    files:
    - name: "*.pfx"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
        search_in:
        - common
    - name: "*.p12"
      value:
        type: f
        remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
        search_in:
        - common
- name: SSH AGENTS
  value:
    config:
      auto_check: false
    files:
    - name: "agent*"
      value:
        type: f
        search_in:
        - /tmp
- name: SSH_CONFIG
  value:
    config:
      auto_check: false
    files:
    - name: "ssh*config"
      value:
        type: f
        search_in:
        - /usr
        - $HOMESEARCH
- name: Cloud Credentials
  value:
    config:
      auto_check: true
    files:
    - name: "credentials"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "credentials.db"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "legacy_credentials.db"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "access_tokens.db"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "access_tokens.json"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "accessTokens.json"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "azureProfile.json"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "TokenCache.dat"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: "AzureRMContext.json"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
    - name: ".bluemix"
      value:
        files:
        - name: "config.json"
          value:
            bad_regex: ".*"
        type: d
        search_in:
        - common
- name: Kerberos
  value:
    config:
      auto_check: false
    files:
    - name: "krb5.conf"
      value:
        type: f
        search_in:
        - common
    - name: "krb5.keytab"
      value:
        type: f
        search_in:
        - common
    - name: ".k5login"
      value:
        type: f
        search_in:
        - common
    - name: "kadm5.acl"
      value:
        type: f
        search_in:
        - common
- name: Kibana
  value:
    config:
      auto_check: true
    files:
    - name: "kibana.y*ml"
      value:
        bad_regex: "username|password|host|port|elasticsearch|ssl"
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#|^[[:space:]]*$'
        search_in:
        - common
- name: Knockd
  value:
    config:
      auto_check: true
    files:
    - name: "*knockd*"
      value:
        check_extra_path: "/etc/init.d/"
        type: f
        search_in:
        - /etc
- name: Logstash
  value:
    config:
      auto_check: false
    files:
    - name: "logstash"
      value:
        type: d
        search_in:
        - common
- name: Elasticsearch
  value:
    config:
      auto_check: true
      exec:
      - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)"
    files:
    - name: "elasticsearch.y*ml"
      value:
        line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"'
        remove_regex: '\W+\#|^#'
        type: f
        search_in:
        - common
- name: Vault_ssh_helper
  value:
    config:
      auto_check: false
    files:
    - name: "vault-ssh-helper.hcl"
      value:
        type: f
        search_in:
        - common
- name: Vault_ssh_token
  value:
    config:
      auto_check: false
    files:
    - name: ".vault-token"
      value:
        type: f
        search_in:
        - common
- name: CouchDB
  value:
    config:
      auto_check: true
    files:
    - name: "couchdb"
      value:
        files:
        - name: "local.ini"
          value:
            bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*"
            remove_empty_lines: true
            remove_regex: "^;"  # ini-style comments
        type: d
        search_in:
        - common
- name: Redis
  value:
    config:
      auto_check: true
    files:
    - name: "redis.conf"
      value:
        bad_regex: "masterauth.*|requirepass.*"
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
- name: Mosquitto
  value:
    config:
      auto_check: true
    files:
    - name: "mosquitto.conf"
      value:
        bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth"
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common
- name: Neo4j
  value:
    config:
      auto_check: true
    files:
    - name: "neo4j"
      value:
        files:
        - name: "auth"
          value:
            bad_regex: ".*"
            remove_empty_lines: true
        type: d
        search_in:
        - common
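- name: Cloud Init
  value:
    config:
      auto_check: true
    files:
    - name: "cloud.cfg"
      value:
        # "PRIVATE KEY" was listed twice in the original alternation; duplicate dropped
        bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|encrypted_data_bag_secret|_proxy"
        only_bad_lines: true
        type: f
        remove_empty_lines: true
        remove_regex: '\W+\#|^#'
        search_in:
        - common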
- name: Erlang
  value:
    config:
      auto_check: true
    files:
    - name: ".erlang.cookie"
      value:
        bad_regex: ".*"
        type: f
        search_in:
        - common
- name: GMV Auth
  value:
    config:
      auto_check: true
    files:
    - name: "gvm-tools.conf"
      value:
        bad_regex: "username.*|password.*"
        type: f
        search_in:
        - common
- name: IPSec
  value:
    config:
      auto_check: true
    files:
    - name: "ipsec.secrets"
      value:
        bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
        type: f
        search_in:
        - common
    - name: "ipsec.conf"
      value:
        bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
        type: f
        search_in:
        - common
- name: IRSSI
  value:
    config:
      auto_check: true
    files:
    - name: ".irssi"
      value:
        files:
        - name: "config"
          value:
            bad_regex: "password.*"
        type: d
        search_in:
        - common
- name: Keyring
  value:
    config:
      auto_check: true
    files:
    - name: "keyrings"
      value:
        type: d
        search_in:
        - common
    - name: "*.keyring"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "*.keystore"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "*.jks"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Filezilla
  value:
    config:
      auto_check: true
    files:
    - name: "filezilla"
      value:
        files:
        - name: "sitemanager.xml"
          value:
            bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*"
            remove_empty_lines: true
            remove_regex: "^;"
        type: d
        search_in:
        - common
    - name: "filezilla.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "recentservers.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Backup Manager
  value:
    config:
      auto_check: true
    files:
    - name: "storage.php"
      value:
        bad_regex: "password|pass|user|database|host"
        line_grep: >-
          "'pass'|'password'|'user'|'database'|'host'"
        type: f
        search_in:
        - common
    - name: "database.php"
      value:
        bad_regex: "password|pass|user|database|host"
        line_grep: >-
          "'pass'|'password'|'user'|'database'|'host'"
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: Splunk
  value:
    config:
      auto_check: false
    files:
    - name: "passwd"
      value:
        type: f
        search_in:
        - common
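- name: GitLab
  value:
    config:
      auto_check: false
    files:
    - name: "secrets.yml"
      value:
        type: f
        remove_path: "/lib"
        search_in:
        - common
    - name: "gitlab.yml"
      value:
        type: f
        remove_path: "/lib"
        search_in:
        - common
    # Omnibus GitLab's main configuration file is gitlab.rb; the previous
    # pattern "gitlab.rm" matched nothing.
    - name: "gitlab.rb"
      value:
        type: f
        remove_path: "/lib"
        search_in:
        - common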
- name: PGP-GPG
  value:
    config:
      auto_check: true
      exec:
      - '((command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
      - '((command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
      - '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null'
    files:
    - name: "*.pgp"
      value:
        type: f
        search_in:
        - common
    - name: "*.gpg"
      value:
        type: f
        search_in:
        - common
    - name: "*.gnupg"
      value:
        type: f
        remove_path: "README.gnupg"
        search_in:
        - common
- name: Cache Vi
  value:
    disable:
    - winpeas
    config:
      auto_check: true
    files:
    - name: "*.swp"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "*.viminfo"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Docker
  value:
    config:
      auto_check: false
    files:
    - name: "docker.socket"
      value:
        type: f
        search_in:
        - common
    - name: "docker.sock"
      value:
        type: f
        search_in:
        - common
    - name: "Dockerfile"
      value:
        type: f
        search_in:
        - common
    - name: "docker-compose.yml"
      value:
        type: f
        search_in:
        - common
- name: Firefox
  value:
    disable:
    - winpeas
    config:
      auto_check: true
    files:
    - name: ".mozilla"
      value:
        # profile artefacts are only listed, never printed
        files:
        - name: "places.sqlite"
          value:
            just_list_file: true
        - name: "bookmarkbackups"
          value:
            just_list_file: true
        - name: "formhistory.sqlite"
          value:
            just_list_file: true
        - name: "handlers.json"
          value:
            just_list_file: true
        - name: "persdict.dat"
          value:
            just_list_file: true
        - name: "addons.json"
          value:
            just_list_file: true
        - name: "cookies.sqlite"
          value:
            just_list_file: true
        - name: "cache2"
          value:
            just_list_file: true
        - name: "startupCache"
          value:
            just_list_file: true
        - name: "favicons.sqlite"
          value:
            just_list_file: true
        - name: "prefs.js"
          value:
            just_list_file: true
        - name: "downloads.sqlite"
          value:
            just_list_file: true
        - name: "thumbnails"
          value:
            just_list_file: true
        - name: "logins.json"
          value:
            just_list_file: true
        - name: "key4.db"
          value:
            just_list_file: true
        - name: "key3.db"
          value:
            just_list_file: true
        type: d
        search_in:
        - $HOMESEARCH
- name: Chrome
  value:
    disable:
    - winpeas
    config:
      auto_check: true
    files:
    - name: "google-chrome"
      value:
        files:
        - name: "Cookies"
          value:
            just_list_file: true
        - name: "Cache"
          value:
            just_list_file: true
        - name: "Bookmarks"
          value:
            just_list_file: true
        - name: "Web Data"
          value:
            just_list_file: true
        - name: "Favicons"
          value:
            just_list_file: true
        - name: "Login Data"
          value:
            just_list_file: true
        - name: "Current Session"
          value:
            just_list_file: true
        - name: "Current Tabs"
          value:
            just_list_file: true
        - name: "Last Session"
          value:
            just_list_file: true
        - name: "Last Tabs"
          value:
            just_list_file: true
        - name: "Extensions"
          value:
            just_list_file: true
        - name: "Thumbnails"
          value:
            just_list_file: true
        type: d
        search_in:
        - $HOMESEARCH
- name: Autologin
  value:
    disable:
    - winpeas
    config:
      auto_check: true
    files:
    - name: "autologin"
      value:
        bad_regex: "passwd"
        type: f
        search_in:
        - common
    - name: "autologin.conf"
      value:
        bad_regex: "passwd"
        type: f
        search_in:
        - common
- name: FastCGI
  value:
    config:
      auto_check: true
    files:
    - name: "fastcgi_params"
      value:
        bad_regex: "DB_NAME|DB_USER|DB_PASS"
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: SNMP
  value:
    config:
      auto_check: true
    files:
    - name: "snmpd.conf"
      value:
        bad_regex: "rocommunity|rwcommunity|extend.*"
        only_bad_lines: true
        type: f
        search_in:
        - common
- name: Pypirc
  value:
    config:
      auto_check: true
    files:
    - name: ".pypirc"
      value:
        bad_regex: "username|password"
        type: f
        search_in:
        - common
- name: CloudFlare
  value:
    config:
      auto_check: true
    files:
    - name: ".cloudflared"
      value:
        type: d
        just_list_file: true
        search_in:
        - common
- name: History
  value:
    config:
      auto_check: false
    files:
    - name: ".*_history.*"
      value:
        # $pwd_inside_history is defined under `variables` at the top of the file
        bad_regex: "$pwd_inside_history"
        line_grep: '-a "$pwd_inside_history"'
        type: f
        search_in:
        - common
- name: Http_conf
  value:
    config:
      auto_check: true
    files:
    - name: "httpd.conf"
      value:
        bad_regex: "htaccess.*|htpasswd.*"
        only_bad_lines: true
        remove_regex: '\W+\#|^#'
        remove_empty_lines: true
        type: f
        search_in:
        - common
- name: Htpasswd
  value:
    config:
      auto_check: true
    files:
    - name: ".htpasswd"
      value:
        bad_regex: ".*"
        remove_regex: '^#'
        remove_empty_lines: true
        type: f
        search_in:
        - common
- name: Ldaprc
  value:
    config:
      auto_check: true
    files:
    - name: ".ldaprc"
      value:
        bad_regex: ".*"
        remove_regex: '^#'
        remove_empty_lines: true
        type: f
        search_in:
        - common
- name: Env
  value:
    config:
      auto_check: true
    files:
    - name: ".env"
      value:
        bad_regex: "[pP][aA][sS][sS].*"  # case-insensitive "pass"
        remove_regex: '^#'
        remove_empty_lines: true
        type: f
        search_in:
        - common
- name: Msmtprc
  value:
    config:
      auto_check: true
    files:
    - name: ".msmtprc"
      value:
        bad_regex: "user.*|password.*"
        remove_regex: '^#'
        remove_empty_lines: true
        type: f
        search_in:
        - common
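- name: Github
  value:
    config:
      auto_check: true
    files:
    # .github and .git are directories in a checkout; searching them with
    # type f (as before) could not match them. type d mirrors the Svn entry.
    # A submodule/worktree ".git" is a regular gitfile and is not covered here.
    - name: ".github"
      value:
        just_list_file: true
        type: d
        search_in:
        - common
    - name: ".gitconfig"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".git-credentials"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".git"
      value:
        just_list_file: true
        type: d
        search_in:
        - common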
- name: Svn
  value:
    config:
      auto_check: true
    files:
    - name: ".svn"
      value:
        just_list_file: true
        type: d
        search_in:
        - common
- name: Keepass
  value:
    config:
      auto_check: true
    files:
    - name: "*.kdbx"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "KeePass.config*"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "KeePass.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "KeePass.enforced*"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: FTP
  value:
    config:
      auto_check: true
    files:
    - name: "*.ftpconfig"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ffftp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ftp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ftp.config"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    # sites.ini, wcx_ftp.ini, winscp.ini and ws_ftp.ini are also listed
    # under "Windows Files" below
    - name: "sites.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "wcx_ftp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "winscp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ws_ftp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Bind
  value:
    config:
      auto_check: true
    files:
    - name: "bind"
      value:
        files:
        - name: "*"
          value:
            just_list_file: true
        - name: "*.key"
          value:
            bad_regex: ".*"
            remove_empty_lines: true
            remove_regex: '^#'
        type: d
        search_in:
        - common
- name: SeedDMS
  value:
    config:
      auto_check: true
    files:
    - name: "seeddms*"
      value:
        files:
        - name: "settings.xml"
          value:
            bad_regex: "[pP][aA][sS][sS]"
            line_grep: '"="'
        type: d
        search_in:
        - common
- name: Ddclient
  value:
    config:
      auto_check: true
    files:
    - name: "ddclient.conf"
      value:
        bad_regex: ".*password.*"
        type: f
        search_in:
        - common
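- name: Cacti
  value:
    config:
      auto_check: true
    files:
    - name: "cacti"
      value:
        # line_grep previously read "detabase_hostname" (typo) in all four
        # entries, so hostname lines were never selected; corrected to
        # database_hostname. The four files share the same regexes on purpose.
        files:
        - name: "config.php"
          value:
            bad_regex: "database_pw.*|database_user.*|database_pass.*"
            line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
        - name: "config.php.dist"
          value:
            bad_regex: "database_pw.*|database_user.*|database_pass.*"
            line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
        - name: "installer.php"
          value:
            bad_regex: "database_pw.*|database_user.*|database_pass.*"
            line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
        - name: "check_all_pages"
          value:
            bad_regex: "database_pw.*|database_user.*|database_pass.*"
            line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
        type: d
        search_in:
        - common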
- name: Interesting logs
  value:
    config:
      auto_check: true
    files:
    - name: "access.log"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "error.log"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Other Interesting Files
  value:
    config:
      auto_check: true
    files:
    - name: ".bashrc"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".google_authenticator"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "hosts.equiv"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".lesshst"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".plan"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".profile"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".recently-used.xbel"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".rhosts"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: ".sudo_as_admin_successful"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Windows Files
  value:
    config:
      auto_check: true
    # NOTE(review): sites.ini, wcx_ftp.ini, winscp.ini, ws_ftp.ini (FTP) and
    # recentservers.xml, sitemanager.xml (Filezilla) are also defined above,
    # so those checks are presumably generated twice.
    files:
    - name: "unattend.inf"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "*.rdg"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "AppEvent.Evt"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ConsoleHost_history.txt"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "FreeSSHDservice.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "NetSetup.log"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "Ntds.dit"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "protecteduserkey.bin"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "RDCMan.settings"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "SAM"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "SYSTEM"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "SecEvent.Evt"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "appcmd.exe"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "bash.exe"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "datasources.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "default.sav"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "drives.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "groups.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "https-xampp.conf"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "https.conf"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "iis6.log"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "index.dat"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "my.cnf"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "my.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ntuser.dat"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "pagefile.sys"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "php.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "printers.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "recentservers.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "scclient.exe"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "scheduledtasks.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "security.sav"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "server.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "setupinfo"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "setupinfo.bak"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "sitemanager.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "sites.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "software"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "software.sav"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "sysprep.inf"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "sysprep.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "system"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "system.sav"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "unattend.txt"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "unattend.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "unattended.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "wcx_ftp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "ws_ftp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "web*.config"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "winscp.ini"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "wsl.exe"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
- name: Other Windows Files
  value:
    config:
      auto_check: true
    # disable is placed at the value level, as in the Systemd/Firefox entries
    disable:
    - linpeas
    files:
    - name: "security"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
    - name: "services.xml"
      value:
        just_list_file: true
        type: f
        search_in:
        - common
# Final section
- name: Database
  value:
    config:
      auto_check: false
    files:
    # remove_path skips man pages, system files and package caches
    - name: "*.db"
      value:
        remove_path: "/man/|/usr/|/var/cache/"
        type: f
        search_in:
        - common
    - name: "*.sqlite"
      value:
        remove_path: "/man/|/usr/|/var/cache/"
        type: f
        search_in:
        - common
    - name: "*.sqlite3"
      value:
        remove_path: "/man/|/usr/|/var/cache/"
        type: f
        search_in:
        - common
- name: Backups
  value:
    config:
      auto_check: false
    files:
    # NOTE(review): "backup"/"backups" are searched as regular files (type f);
    # if directories are meant, compare with the Svn/Logstash entries (type d).
    - name: "backup"
      value:
        type: f
        search_in:
        - common
    - name: "backups"
      value:
        type: f
        search_in:
        - common
- name: Password Files
value:
config:
auto_check: False
files:
- name: "*password*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*credential*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "creds*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.key"
value:
just_list_file: True
type: f
search_in:
- common