darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
87fe48a900
PEASS-ng/build_lists/sensitive_files.yaml
carlospolop 87fe48a900 more_checks
2021-12-19 08:31:53 -05:00

3041 lines
75 KiB
YAML
Raw Blame History

############################
## LINPEAS SPECIFICATIONS ##
############################
root_folders:
- /applications #common
- /bin #common
- /.cache #common
- /cdrom #common
- /etc #common
- $HOMESEARCH #common, use this instead of "/home"
- /lib
- /lib32
- /lib64
- /media #common
- /mnt #common
- /opt #common
- /private #common
- /run
- /sbin #common
- /snap #common
- /srv #common
- /sys
- /system
- /systemd
- /tmp #common
- /usr #common
- /var #common
common_file_folders:
- /applications
- /bin
- /.cache
- /cdrom
- /etc
- $HOMESEARCH
- /media
- /mnt
- /opt
- /private
- /sbin
- /snap
- /srv
- /tmp
- /usr
- /var
common_directory_folders:
- /applications
- /bin
- /.cache
- /cdrom
- /etc
- $HOMESEARCH
- /media
- /mnt
- /opt
- /private
- /sbin
- /snap
- /srv
- /tmp
- /usr
- /var
peas_checks: "peass{CHECKS}"
peas_extrasections_markup: "peass{EXTRA_SECTIONS}"
peas_finds_markup: "peass{FINDS_HERE}"
find_line_markup: "peass{FIND_PARAMS_HERE}"
find_template: >
`eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. '\\\$NC 1>&2;"`
peas_storages_markup: "peass{STORAGES_HERE}"
storage_line_markup: "peass{STORAGE_PARAMS_HERE}"
storage_line_extra_markup: "peass{STORAGE_PARAMS_EXTRA_HERE}"
storage_template: >
$(echo -e "peass{STORAGE_PARAMS_HERE}" peass{STORAGE_PARAMS_EXTRA_HERE} | sort | uniq | head -n 70)
int_hidden_files_markup: "peass{INT_HIDDEN_FILES}"
suidVB1_markup: "peass{SUIDVB1_HERE}"
suidVB2_markup: "peass{SUIDVB2_HERE}"
sudoVB1_markup: "peass{SUDOVB1_HERE}"
sudoVB2_markup: "peass{SUDOVB2_HERE}"
cap_setuid_markup: "peass{CAP_SETUID_HERE}"
cap_setgid_markup: "peass{CAP_SETGID_HERE}"
les_markup: "peass{LES}"
les2_markup: "peass{LES2}"
##############################
## AUTO GENERATED VARIABLES ##
## FOR WINPEAS & LINPEAS ##
##############################
variables_markup: "peass{VARIABLES}"
variables:
- name: pwd_inside_history
value: "enable_autologin|7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@|KEY=|TOKEN=|BEARER=|Authorization:"
####################
## DEFAULT VALUES ##
####################
defaults:
auto_check: False #The builder will generate a check for the file (only linpeas)
bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed
very_bad_regex: "" #The regex used to color yellow/red
check_extra_path: "" #Check if the found files are in a specific path (only linpeas)
good_regex: "" #The regex to color green
just_list_file: False #Just mention the path to the file, do not cat it
line_grep: "" #The regex to grep lines in a file. IMPORTANT: This is the argument for "grep" command so you need to specify the single and double quotes (see examples)
only_bad_lines: False #Only print lines containing something red (cnotaining bad_regex)
remove_empty_lines: False #Remove empty lines, use only for text files (-I param in grep)
remove_path: "" #Not interested in files containing this path (only linpeas)
remove_regex: "" #Remove linpeas containing this regex
search_in: #By default search in defined common (only linpeas)
- common
type: f #File by default
exec: [] #Cmd to execute with the check (only linpeas)
##############
## EXAMPLES ##
##############
#-) In the following example PostgreSQL searches are performed:
## - auto_check is True (by default set it always to True)
## - exec is and array of sh commands to execute, in this case a command is executed to get the postgresql version
## - The file "pgadmin*.db" is searched
### - just_list_file is True, so the content of the list is not going to be read, just the path of the file will be indicated
### - type is f (file, not dir)
### - search_in is "common", so look for this file in common directories
## - The file "pg_hba.conf" is searched
### - bad_regex indicates the content of the file that if found is going to be written in red in the output
### - type is f (file, not dir)
### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output
### - remove_regex is a regex to avoid printing lines where the regex is found
### - search_in is "common", so look for this file in common directories
#- name: PostgreSQL
# value:
# config:
# auto_check: True
# exec:
# - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"'
#
# files:
# - name: "pgadmin*.db"
# value:
# type: f
# just_list_file: True
# search_in:
# - common
#
# - name: "pg_hba.conf"
# value:
# bad_regex: "auth|password|md5|user=|pass=|trust"
# type: f
# remove_empty_lines: True
# remove_regex: '\W+\#|^#'
# search_in:
# - common
#-) In the following example Elasticsearch searches are performed:
## - auto_check is True (by default set it always to True)
## - exec is and array of sh commands to execute, in this case a HTTP request is performed to obtain the version
## - The file "elasticsearch.y*ml" is searched
### - line_grep is the grep argument to filter interesting lineas
### - remove_regex is a regex to avoid printing lines where the regex is found
### - type is f (file, not dir)
### - search_in is "common", so look for this file in common directories
#- name: Elasticsearch
# value:
# config:
# auto_check: True
# exec:
# - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)"
#
# files:
# - name: "elasticsearch.y*ml"
# value:
# line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"'
# remove_regex: '\W+\#|^#'
# type: f
# search_in:
# - common
#-) In the following example Apache searches are performed:
## - auto_check is True (by default set it always to True)
## - exec is and array of sh commands to execute during the check
## - The directory "sites-enabled" is searched
### - type is d (dir)
### - search_in is "common", so look for this file in common directories
#### Inside this directory the file "*" is searched (in this case "*" will get all the files, but more specific regex can be used)
##### - bad_regex indicates the content of the file that if found is going to be written in red in the output
##### - only_bad_lines indicate that only lines that contains the regex indicated in bad_regex are going to be printed
##### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output
##### - remove_regex is a regex to avoid printing lines where the regex is found
#- name: Apache
# value:
# config:
# auto_check: True
# exec:
# - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
# - "print_3title 'PHP exec extensions'"
# - 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'
#
# files:
# - name: "sites-enabled"
# value:
# type: d
# files:
# - name: "*"
# value:
# bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
# only_bad_lines: True
# remove_empty_lines: True
# remove_regex: '^#'
# search_in:
# - common
###############################
## Files & folders to search ##
###############################
search:
- name: Systemd
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "*.service"
value:
type: f
search_in:
- all
- name: Timer
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "*.timer"
value:
type: f
search_in:
- all
- name: Socket
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "*.socket"
value:
type: f
search_in:
- all
- name: DBus
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "system.d"
value:
type: d
search_in:
- /etc
- name: MySQL
value:
config:
auto_check: False
files:
- name: mysql
value:
type: d
check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql"
remove_path: "mysql/mysql"
search_in:
- common
- name: MariaDB
value:
config:
auto_check: True
files:
- name: "mariadb.cnf"
value:
bad_regex: "user.*|password.*"
type: f
remove_regex: '^#'
remove_empty_lines: True
search_in:
- common
- name: "debian.cnf"
value:
bad_regex: "user.*|password.*"
type: f
only_bad_lines: True
search_in:
- common
- name: PostgreSQL
value:
config:
auto_check: True
exec:
- 'echo "Version: $(warn_exec psql -V 2>/dev/null)"'
files:
- name: "pgadmin*.db"
value:
type: f
just_list_file: True
search_in:
- common
- name: "pg_hba.conf"
value:
bad_regex: "auth|password|md5|user=|pass=|trust"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "postgresql.conf"
value:
bad_regex: "auth|password|md5|user=|pass=|trust"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "pgsql.conf"
value:
bad_regex: "auth|password|md5|user=|pass=|trust"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Apache
value:
config:
auto_check: True
exec:
- 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
- "print_3title 'PHP exec extensions'"
- 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'
files:
- name: "sites-enabled"
value:
type: d
files:
- name: "*"
value:
bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
only_bad_lines: True
remove_empty_lines: True
remove_regex: '#'
search_in:
- common
- name: "000-default.conf"
value:
bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
type: f
search_in:
- common
- name: "php.ini"
value:
bad_regex: "On"
remove_regex: "^;"
line_grep: "allow_"
type: f
search_in:
- common
- name: PHP Sessions
value:
config:
auto_check: True
exec:
- "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions"
files:
- name: "sess_*"
value:
check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*'
type: f
search_in:
- /tmp
- /var
- /mnt
- /private
- name: PHP_files
value:
config:
auto_check: False
files:
- name: "*config*.php"
value:
type: f
search_in:
- common
- name: "database.php"
value:
type: f
search_in:
- common
- name: "db.php"
value:
type: f
search_in:
- common
- name: "storage.php"
value:
type: f
search_in:
- common
- name: "settings.php"
value:
type: f
search_in:
- common
- name: Wordpress
value:
config:
auto_check: True
files:
- name: "wp-config.php"
value:
bad_regex: "PASSWORD|USER|NAME|HOST"
only_bad_lines: True
type: f
search_in:
- common
- name: Drupal
value:
config:
auto_check: True
files:
- name: "settings.php"
value:
bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'"
check_extra_path: "/default/settings.php"
only_bad_lines: True
type: f
search_in:
- common
- name: Moodle
value:
config:
auto_check: True
files:
- name: "config.php"
value:
bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport"
check_extra_path: "moodle/config.php"
only_bad_lines: True
type: f
search_in:
- common
- name: Tomcat
value:
config:
auto_check: True
files:
- name: "tomcat-users.xml"
value:
bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport"
line_grep: '"username=|password="'
only_bad_lines: True
type: f
search_in:
- common
- name: Mongo
value:
config:
auto_check: True
exec:
- 'echo "Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"'
files:
- name: "mongod*.conf"
value:
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Supervisord
value:
config:
auto_check: True
files:
- name: "supervisord.conf"
value:
bad_regex: "port.*=|username.*=|password.*="
only_bad_lines: True
type: f
search_in:
- common
- name: Cesi
value:
config:
auto_check: True
files:
- name: "cesi.conf"
value:
bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*="
only_bad_lines: True
type: f
search_in:
- common
- name: Rsync
value:
config:
auto_check: True
files:
- name: "rsyncd.conf"
value:
bad_regex: "secrets.*|auth.*users.*="
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "rsyncd.secrets"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: Hostapd
value:
config:
auto_check: True
files:
- name: "hostapd.conf"
value:
bad_regex: "passphrase.*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Wifi Connections
value:
config:
auto_check: True
files:
- name: "system-connections"
value:
files:
- name: "*"
value:
bad_regex: "psk.*"
only_bad_lines: True
type: f
type: d
search_in:
- /etc
- name: PAM Auth
value:
config:
auto_check: True
files:
- name: "pam.d"
value:
files:
- name: "sshd"
value:
bad_regex: ".*"
line_grep: '-i "auth"'
remove_regex: "^#|^@"
type: f
type: d
search_in:
- /etc
- name: NFS Exports
value:
config:
auto_check: True
files:
- name: exports
value:
very_bad_regex: "no_root_squash|no_all_squash"
bad_regex: "insecure"
remove_regex: '\W+\#|^#'
type: f
search_in:
- /etc
- name: Anaconda ks
value:
config:
auto_check: True
files:
- name: "anaconda-ks.cfg"
value:
bad_regex: "rootpw.*"
only_bad_lines: True
type: f
search_in:
- common
- name: Racoon
value:
config:
auto_check: True
files:
- name: "racoon.conf"
value:
remove_empty_lines: True
bad_regex: "pre_shared_key.*"
remove_regex: '^#'
type: f
search_in:
- common
- name: "psk.txt"
value:
remove_empty_lines: True
bad_regex: ".*"
type: f
search_in:
- common
- name: VNC
value:
config:
auto_check: True
files:
- name: ".vnc"
value:
files:
- name: "passwd"
value:
just_list_file: True
type: d
search_in:
- common
- name: "*vnc*.c*nf*"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "*vnc*.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*vnc*.txt"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "*vnc*.xml"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: Ldap
value:
config:
auto_check: True
exec:
- echo "The password hash is from the {SSHA} to 'structural'"
files:
- name: "ldap"
value:
files:
- name: "*.bdb"
value:
bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator"
line_grep: '-i -a -o "description.*" | sort | uniq'
type: f
type: d
search_in:
- common
- name: OpenVPN
value:
config:
auto_check: True
files:
- name: "*.ovpn"
value:
bad_regex: "auth-user-pass.+"
only_bad_lines: True
type: f
search_in:
- common
- name: SSH
value:
config:
auto_check: True
files:
- name: "id_dsa*"
value:
type: f
search_in:
- common
- name: "id_rsa*"
value:
type: f
search_in:
- common
- name: "known_hosts"
value:
type: f
search_in:
- common
- name: "authorized_hosts"
value:
type: f
search_in:
- common
- name: "authorized_keys"
value:
good_regex: 'from=[\w\._\-]+'
type: f
search_in:
- common
- name: CERTSB4
value:
config:
auto_check: False
files:
- name: "*.pem"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
search_in:
- common
- name: "*.cer"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
search_in:
- common
- name: "*.crt"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
search_in:
- common
- name: CERTSBIN
value:
config:
auto_check: False
files:
- name: "*.csr"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: "*.der"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: CERTSCLIENT
value:
config:
auto_check: False
files:
- name: "*.pfx"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: "*.p12"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: SSH AGENTS
value:
config:
auto_check: False
files:
- name: "agent*"
value:
type: f
search_in:
- /tmp
- /private
- name: SSH_CONFIG
value:
config:
auto_check: False
files:
- name: "ssh*config"
value:
type: f
search_in:
- /usr
- $HOMESEARCH
- name: Cloud Credentials
value:
config:
auto_check: True
files:
- name: "credentials"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "credentials.db"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "legacy_credentials.db"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "access_tokens.db"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "access_tokens.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "accessTokens.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "azureProfile.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "TokenCache.dat"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "AzureRMContext.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: ".bluemix"
value:
files:
- name: "config.json"
value:
bad_regex: ".*"
type: d
search_in:
- common
- name: Kerberos
value:
config:
auto_check: False
files:
- name: "krb5.conf"
value:
type: f
search_in:
- common
- name: "krb5.keytab"
value:
type: f
search_in:
- common
- name: ".k5login"
value:
type: f
search_in:
- common
- name: "kadm5.acl"
value:
type: f
search_in:
- common
- name: "secrets.ldb"
value:
type: f
search_in:
- common
- name: ".secrets.mkey"
value:
type: f
search_in:
- common
- name: "sssd.conf"
value:
type: f
search_in:
- common
- name: Kibana
value:
config:
auto_check: True
files:
- name: "kibana.y*ml"
value:
bad_regex: "username|password|host|port|elasticsearch|ssl"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#|^[[:space:]]*$'
search_in:
- common
- name: Knockd
value:
config:
auto_check: True
files:
- name: "*knockd*"
value:
check_extra_path: "/etc/init.d/"
type: f
search_in:
- /etc
- name: Logstash
value:
config:
auto_check: False
files:
- name: "logstash"
value:
type: d
search_in:
- common
- name: Elasticsearch
value:
config:
auto_check: True
exec:
- echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)"
files:
- name: "elasticsearch.y*ml"
value:
line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"'
remove_regex: '\W+\#|^#'
type: f
search_in:
- common
- name: Vault_ssh_helper
value:
config:
auto_check: False
files:
- name: "vault-ssh-helper.hcl"
value:
type: f
search_in:
- common
- name: Vault_ssh_token
value:
config:
auto_check: False
files:
- name: ".vault-token"
value:
type: f
search_in:
- common
- name: CouchDB
value:
config:
auto_check: True
files:
- name: "couchdb"
value:
files:
- name: "local.ini"
value:
bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*"
remove_empty_lines: True
remove_regex: "^;"
type: d
search_in:
- common
- name: Redis
value:
config:
auto_check: True
files:
- name: "redis.conf"
value:
bad_regex: "masterauth.*|requirepass.*"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Mosquitto
value:
config:
auto_check: True
files:
- name: "mosquitto.conf"
value:
bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Neo4j
value:
config:
auto_check: True
files:
- name: "neo4j"
value:
files:
- name: "auth"
value:
bad_regex: ".*"
remove_empty_lines: True
type: d
search_in:
- common
- name: Cloud Init
value:
config:
auto_check: True
files:
- name: "cloud.cfg"
value:
bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy"
only_bad_lines: True
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Erlang
value:
config:
auto_check: True
files:
- name: ".erlang.cookie"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: GMV Auth
value:
config:
auto_check: True
files:
- name: "gvm-tools.conf"
value:
bad_regex: "username.*|password.*"
type: f
search_in:
- common
- name: IPSec
value:
config:
auto_check: True
files:
- name: "ipsec.secrets"
value:
bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
type: f
search_in:
- common
- name: "ipsec.conf"
value:
bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
type: f
search_in:
- common
- name: IRSSI
value:
config:
auto_check: True
files:
- name: ".irssi"
value:
files:
- name: "config"
value:
bad_regex: "password.*"
type: d
search_in:
- common
- name: Keyring
value:
config:
auto_check: True
files:
- name: "keyrings"
value:
type: d
search_in:
- common
- name: "*.keyring"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.keystore"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.jks"
value:
just_list_file: True
type: f
search_in:
- common
- name: Filezilla
value:
config:
auto_check: True
files:
- name: "filezilla"
value:
files:
- name: "sitemanager.xml"
value:
bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*"
remove_empty_lines: True
remove_regex: "^;"
type: d
search_in:
- common
- name: "filezilla.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "recentservers.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: Backup Manager
value:
config:
auto_check: True
files:
- name: "storage.php"
value:
bad_regex: "password|pass|user|database|host"
line_grep: >-
"'pass'|'password'|'user'|'database'|'host'"
type: f
search_in:
- common
- name: "database.php"
value:
bad_regex: "password|pass|user|database|host"
line_grep: >-
"'pass'|'password'|'user'|'database'|'host'"
only_bad_lines: True
type: f
search_in:
- common
- name: Splunk
value:
config:
auto_check: False
files:
- name: "passwd"
value:
type: f
search_in:
- common
- name: GitLab
value:
config:
auto_check: False
files:
- name: "secrets.yml"
value:
type: f
remove_path: "/lib"
search_in:
- common
- name: "gitlab.yml"
value:
type: f
remove_path: "/lib"
search_in:
- common
- name: "gitlab.rm"
value:
type: f
remove_path: "/lib"
search_in:
- common
- name: PGP-GPG
value:
config:
auto_check: True
exec:
- '( (command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
- '( (command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
- '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null'
files:
- name: "*.pgp"
value:
type: f
search_in:
- common
- name: "*.gpg"
value:
type: f
search_in:
- common
- name: "*.gnupg"
value:
type: f
remove_path: "README.gnupg"
search_in:
- common
- name: Cache Vi
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "*.swp"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.viminfo"
value:
just_list_file: True
type: f
search_in:
- common
- name: Docker
value:
config:
auto_check: False
files:
- name: "docker.socket"
value:
type: f
search_in:
- common
- name: "docker.sock"
value:
type: f
search_in:
- common
- name: "Dockerfile"
value:
type: f
search_in:
- common
- name: "docker-compose.yml"
value:
type: f
search_in:
- common
- name: Firefox
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: ".mozilla"
value:
files:
- name: "places.sqlite"
value:
just_list_file: True
- name: "bookmarkbackups"
value:
just_list_file: True
- name: "formhistory.sqlite"
value:
just_list_file: True
- name: "handlers.json"
value:
just_list_file: True
- name: "persdict.dat"
value:
just_list_file: True
- name: "addons.json"
value:
just_list_file: True
- name: "cookies.sqlite"
value:
just_list_file: True
- name: "cache2"
value:
just_list_file: True
- name: "startupCache"
value:
just_list_file: True
- name: "favicons.sqlite"
value:
just_list_file: True
- name: "prefs.js"
value:
just_list_file: True
- name: "downloads.sqlite"
value:
just_list_file: True
- name: "thumbnails"
value:
just_list_file: True
- name: "logins.json"
value:
just_list_file: True
- name: "key4.db"
value:
just_list_file: True
- name: "key3.db"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: "Firefox"
value:
files:
- name: "places.sqlite"
value:
just_list_file: True
- name: "bookmarkbackups"
value:
just_list_file: True
- name: "formhistory.sqlite"
value:
just_list_file: True
- name: "handlers.json"
value:
just_list_file: True
- name: "persdict.dat"
value:
just_list_file: True
- name: "addons.json"
value:
just_list_file: True
- name: "cookies.sqlite"
value:
just_list_file: True
- name: "cache2"
value:
just_list_file: True
- name: "startupCache"
value:
just_list_file: True
- name: "favicons.sqlite"
value:
just_list_file: True
- name: "prefs.js"
value:
just_list_file: True
- name: "downloads.sqlite"
value:
just_list_file: True
- name: "thumbnails"
value:
just_list_file: True
- name: "logins.json"
value:
just_list_file: True
- name: "key4.db"
value:
just_list_file: True
- name: "key3.db"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Chrome
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "google-chrome"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: "Chrome"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Opera
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "com.operasoftware.Opera"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Safari
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "Safari"
value:
files:
- name: "History.db"
value:
just_list_file: True
- name: "Downloads.plist"
value:
just_list_file: True
- name: "Book-marks.plist"
value:
just_list_file: True
- name: "TopSites.plist"
value:
just_list_file: True
- name: "UserNotificationPermissions.plist"
value:
just_list_file: True
- name: "LastSession.plist"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Autologin
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "autologin"
value:
bad_regex: "passwd"
type: f
search_in:
- common
- name: "autologin.conf"
value:
bad_regex: "passwd"
type: f
search_in:
- common
- name: FastCGI
value:
config:
auto_check: True
files:
- name: "fastcgi_params"
value:
bad_regex: "DB_NAME|DB_USER|DB_PASS"
only_bad_lines: True
type: f
search_in:
- common
- name: SNMP
value:
config:
auto_check: True
files:
- name: "snmpd.conf"
value:
bad_regex: "rocommunity|rwcommunity|extend.*"
only_bad_lines: True
type: f
search_in:
- common
- name: Pypirc
value:
config:
auto_check: True
files:
- name: ".pypirc"
value:
bad_regex: "username|password"
type: f
search_in:
- common
- name: Postfix
value:
config:
auto_check: True
files:
- name: "postfix"
value:
files:
- name: "master.cf"
value:
bad_regex: "user=|argv="
remove_empty_lines: True
line_grep: '"user="'
type: d
search_in:
- common
- name: CloudFlare
value:
config:
auto_check: True
files:
- name: ".cloudflared"
value:
type: d
just_list_file: True
search_in:
- common
- name: History
value:
config:
auto_check: False
files:
- name: '*_history*'
value:
bad_regex: "$pwd_inside_history"
line_grep: '-a "$pwd_inside_history"'
type: f
search_in:
- common
- name: Http_conf
value:
config:
auto_check: True
files:
- name: "httpd.conf"
value:
bad_regex: "htaccess.*|htpasswd.*"
only_bad_lines: True
remove_regex: '\W+\#|^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Htpasswd
value:
config:
auto_check: True
files:
- name: ".htpasswd"
value:
bad_regex: ".*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Ldaprc
value:
config:
auto_check: True
files:
- name: ".ldaprc"
value:
bad_regex: ".*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Env
value:
config:
auto_check: True
files:
- name: ".env"
value:
bad_regex: "[pP][aA][sS][sS].*|[tT][oO][kK][eE][N]|[dD][bB]"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Msmtprc
value:
config:
auto_check: True
files:
- name: ".msmtprc"
value:
bad_regex: "user.*|password.*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: InfluxDB
value:
config:
auto_check: True
files:
- name: "influxdb.conf"
value:
bad_regex: "auth-enabled.*=.*false|token|https-private-key"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Zabbix
value:
config:
auto_check: True
files:
- name: "zabbix_server.conf"
value:
bad_regex: "DBName|DBUser|DBPassword"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: "zabbix_agentd.conf"
value:
bad_regex: "TLSPSKFile|psk"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: "zabbix"
value:
files:
- name: "*.psk"
value:
bad_regex: ".*"
remove_empty_lines: True
type: d
search_in:
- common
- name: Github
value:
config:
auto_check: True
files:
- name: ".github"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".gitconfig"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".git-credentials"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".git"
value:
just_list_file: True
type: f
search_in:
- common
- name: Svn
value:
config:
auto_check: True
files:
- name: ".svn"
value:
just_list_file: True
type: d
search_in:
- common
- name: Keepass
value:
config:
auto_check: True
files:
- name: "*.kdbx"
value:
just_list_file: True
type: f
search_in:
- common
- name: "KeePass.config*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "KeePass.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "KeePass.enforced*"
value:
just_list_file: True
type: f
search_in:
- common
- name: Pass Store Directories
value:
config:
auto_check: True
files:
- name: ".password-store"
value:
just_list_file: True
type: d
search_in:
- common
- name: FTP
value:
config:
auto_check: True
files:
- name: "*.ftpconfig"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ffftp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ftp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ftp.config"
value:
just_list_file: True
type: f
search_in:
- common
- name: "sites.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "wcx_ftp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "winscp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ws_ftp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: Bind
value:
config:
auto_check: True
files:
- name: "bind"
value:
files:
- name: "*"
value:
just_list_file: True
- name: "*.key"
value:
bad_regex: ".*"
remove_empty_lines: True
remove_regex: '^#'
type: d
search_in:
- /etc #False possitives in home
- /var
- /usr
- name: SeedDMS
value:
config:
auto_check: True
files:
- name: "seeddms*"
value:
files:
- name: "settings.xml"
value:
bad_regex: "[pP][aA][sS][sS]"
line_grep: '"="'
type: d
search_in:
- common
- name: Ddclient
value:
config:
auto_check: True
files:
- name: "ddclient.conf"
value:
bad_regex: ".*password.*"
type: f
search_in:
- common
- name: kcpassword
value:
config:
auto_check: False
files:
- name: "kcpassword"
value:
just_list_file: True
type: f
search_in:
- common
- name: Sentry
value:
config:
auto_check: True
files:
- name: "sentry"
value:
files:
- name: "config.yml"
value:
bad_regex: "*key*"
remove_empty_lines: True
remove_regex: '^#'
type: d
search_in:
- common
- name: "sentry.conf.py"
value:
bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
remove_empty_lines: True
remove_regex: '^#'
type: f
search_in:
- common
- name: Strapi
value:
config:
auto_check: True
files:
- name: "environments"
value:
files:
- name: "custom.json"
value:
bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
remove_empty_lines: True
- name: "database.json"
value:
bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
remove_empty_lines: True
- name: "request.json"
value:
bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
remove_empty_lines: True
- name: "response.json"
value:
bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
remove_empty_lines: True
- name: "security.json"
value:
bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
remove_empty_lines: True
- name: "server.json"
value:
bad_regex: "username.*|[pP][aA][sS][sS].*|secret.*"
remove_empty_lines: True
type: d
search_in:
- common
- name: Cacti
value:
config:
auto_check: True
files:
- name: "cacti"
value:
files:
- name: "config.php"
value:
bad_regex: "database_pw.*|database_user.*|database_pass.*"
line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"'
- name: "config.php.dist"
value:
bad_regex: "database_pw.*|database_user.*|database_pass.*"
line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"'
- name: "installer.php"
value:
bad_regex: "database_pw.*|database_user.*|database_pass.*"
line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"'
- name: "check_all_pages"
value:
bad_regex: "database_pw.*|database_user.*|database_pass.*"
line_grep: '"database_pw|database_user|database_pass|database_type|database_default|detabase_hostname|database_port|database_ssl"'
type: d
search_in:
- common
- name: Roundcube
value:
config:
auto_check: True
files:
- name: "roundcube"
value:
files:
- name: "config.inc.php"
value:
bad_regex: "db_dsnw"
line_grep: '"config\["'
type: d
search_in:
- common
- name: Passbolt
value:
config:
auto_check: True
files:
- name: "passbolt.php"
value:
bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
line_grep: '"host|port|username|password|database"'
remove_empty_lines: True
remove_regex: '^#'
type: f
search_in:
- common
- name: Jetty
value:
config:
auto_check: True
files:
- name: "jetty-realm.properties"
value:
bad_regex: ".*"
remove_empty_lines: True
remove_regex: '^#'
type: f
search_in:
- common
- name: Wget
value:
config:
auto_check: True
files:
- name: ".wgetrc"
value:
bad_regex: "[pP][aA][sS][sS].*|[uU][sS][eE][rR].*"
remove_empty_lines: True
remove_regex: '^#'
type: f
search_in:
- common
- name: Interesting logs
value:
config:
auto_check: True
files:
- name: "access.log"
value:
just_list_file: True
type: f
search_in:
- common
- name: "error.log"
value:
just_list_file: True
type: f
search_in:
- common
- name: Other Interesting Files
value:
config:
auto_check: True
files:
- name: ".bashrc"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".google_authenticator"
value:
just_list_file: True
type: f
search_in:
- common
- name: "hosts.equiv"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".lesshst"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".plan"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".profile"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".recently-used.xbel"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".rhosts"
value:
just_list_file: True
type: f
search_in:
- common
- name: ".sudo_as_admin_successful"
value:
just_list_file: True
type: f
search_in:
- common
- name: Windows Files
value:
config:
auto_check: True
files:
- name: "unattend.inf"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.rdg"
value:
just_list_file: True
type: f
search_in:
- common
- name: "AppEvent.Evt"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ConsoleHost_history.txt"
value:
just_list_file: True
type: f
search_in:
- common
- name: "FreeSSHDservice.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "NetSetup.log"
value:
just_list_file: True
type: f
search_in:
- common
- name: "Ntds.dit"
value:
just_list_file: True
type: f
search_in:
- common
- name: "protecteduserkey.bin"
value:
just_list_file: True
type: f
search_in:
- common
- name: "RDCMan.settings"
value:
just_list_file: True
type: f
search_in:
- common
- name: "SAM"
value:
just_list_file: True
type: f
search_in:
- common
- name: "SYSTEM"
value:
just_list_file: True
type: f
search_in:
- common
- name: "SecEvent.Evt"
value:
just_list_file: True
type: f
search_in:
- common
- name: "appcmd.exe"
value:
just_list_file: True
type: f
search_in:
- common
- name: "bash.exe"
value:
just_list_file: True
type: f
search_in:
- common
- name: "datasources.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "default.sav"
value:
just_list_file: True
type: f
search_in:
- common
- name: "drives.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "groups.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "https-xampp.conf"
value:
just_list_file: True
type: f
search_in:
- common
- name: "https.conf"
value:
just_list_file: True
type: f
search_in:
- common
- name: "iis6.log"
value:
just_list_file: True
type: f
search_in:
- common
- name: "index.dat"
value:
just_list_file: True
type: f
search_in:
- common
- name: "my.cnf"
value:
just_list_file: True
type: f
search_in:
- common
- name: "my.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ntuser.dat"
value:
just_list_file: True
type: f
search_in:
- common
- name: "pagefile.sys"
value:
just_list_file: True
type: f
search_in:
- common
- name: "printers.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "recentservers.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "scclient.exe"
value:
just_list_file: True
type: f
search_in:
- common
- name: "scheduledtasks.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "security.sav"
value:
just_list_file: True
type: f
search_in:
- common
- name: "server.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "setupinfo"
value:
just_list_file: True
type: f
search_in:
- common
- name: "setupinfo.bak"
value:
just_list_file: True
type: f
search_in:
- common
- name: "sitemanager.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "sites.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "software"
value:
just_list_file: True
type: f
search_in:
- common
- name: "software.sav"
value:
just_list_file: True
type: f
search_in:
- common
- name: "sysprep.inf"
value:
just_list_file: True
type: f
search_in:
- common
- name: "sysprep.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "system.sav"
value:
just_list_file: True
type: f
search_in:
- common
- name: "unattend.txt"
value:
just_list_file: True
type: f
search_in:
- common
- name: "unattend.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "unattended.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "wcx_ftp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "ws_ftp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "web*.config"
value:
just_list_file: True
type: f
search_in:
- common
- name: "winscp.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "wsl.exe"
value:
just_list_file: True
type: f
search_in:
- common
- name: Other Windows Files
value:
config:
auto_check: True
disable:
- linpeas
files:
- name: "security"
value:
just_list_file: True
type: f
search_in:
- common
- name: "services.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "system"
value:
just_list_file: True
type: f
search_in:
- common
# Final section
- name: Database
value:
config:
auto_check: False
files:
- name: "*.db"
value:
remove_path: "/man/|/usr/|/var/cache/"
type: f
search_in:
- common
- name: "*.sqlite"
value:
remove_path: "/man/|/usr/|/var/cache/"
type: f
search_in:
- common
- name: "*.sqlite3"
value:
remove_path: "/man/|/usr/|/var/cache/"
type: f
search_in:
- common
- name: Backups
value:
config:
auto_check: False
files:
- name: "backup"
value:
type: f
search_in:
- common
- name: "backups"
value:
type: f
search_in:
- common
- name: Password Files
value:
config:
auto_check: False
files:
- name: "*password*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*credential*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "creds*"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.key"
value:
just_list_file: True
type: f
search_in:
- common
Reference in New Issue View Git Blame Copy Permalink