# Title: Software Information - ssh files
# ID: SI_Ssh
# Author: Carlos Polop
# Last Update: 22-08-2023
# Description: Searching ssl/ssh files
# License: GNU GPL
# Version: 1.0
# Functions Used: print_2title, print_3title
# Global Variables: $HOME, $HOMESEARCH, $ROOT_FOLDER, $SEARCH_IN_FOLDER, $TIMEOUT, $USER, $wgroups
# Initial Functions:
# Generated Global Variables: $certsb4_grep, $hostsallow, $hostsdenied, $sshconfig, $writable_agents, $privatekeyfilesetc, $privatekeyfileshome, $privatekeyfilesroot, $privatekeyfilesmnt,
# Fat linpeas: 0
# Small linpeas: 1
# Section banner for the ssl/ssh file checks.
print_2title "Searching ssl/ssh files"

# From the certificate candidates listed in $PSTORAGE_CERTSB4, keep only the
# files that contain none of the characters ", ' or ( (grep -L prints the names
# of files WITHOUT a match).
# $PSTORAGE_CERTSB4 is deliberately unquoted so every listed path becomes its
# own grep argument; paths containing whitespace will be split.
# NOTE(review): presumably this drops scripts/configs that merely mention a
# certificate name - confirm against where PSTORAGE_CERTSB4 is populated.
if [ -n "$PSTORAGE_CERTSB4" ]; then
  certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null)
fi
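# Locate the system-wide SSH client config, the TCP-wrappers files and any
# ssh-agent / gpg-agent sockets the current user owns or can write to.
# Normal mode inspects the live filesystem; when $SEARCH_IN_FOLDER is set the
# same paths are resolved under $ROOT_FOLDER instead.
#
# Globals written: sshconfig, hostsdenied, hostsallow, writable_agents
#
# The two -name tests are grouped in parentheses so that "-type s" and the
# owner/permission filter apply to BOTH socket name patterns. Ungrouped, find's
# implicit -and binds tighter than -or, so every "agent.*" socket was reported
# regardless of who may access it, and the "*gpg-agent*" branch was not limited
# to sockets.
# $wgroups stays unquoted on purpose: it is expected to hold a ready-made find
# expression for the user's groups - TODO confirm where it is built.
if ! [ "$SEARCH_IN_FOLDER" ]; then
  sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)"
  hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
  hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
  writable_agents=$(find /tmp /etc /home -type s '(' -name "agent.*" -or -name "*gpg-agent*" ')' '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
else
  # Quoted so a root folder containing spaces is passed as a single path.
  sshconfig="$(ls "${ROOT_FOLDER}etc/ssh/ssh_config" 2>/dev/null)"
  hostsdenied="$(ls "${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null)"
  hostsallow="$(ls "${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null)"
  writable_agents=$(find "${ROOT_FOLDER}" -type s '(' -name "agent.*" -or -name "*gpg-agent*" ')' '(' '(' -user "$USER" ')' -or '(' -perm -o=w ')' -or '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
fi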
# NOTE(review): the next line is not shell syntax. It appears to be a build-time
# placeholder that the linpeas builder replaces with generated checks for the
# SSH file group - TODO confirm. Keep it verbatim and alone on its line.
peass{SSH}
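# Print the security-relevant sshd_config directives (lines containing "#" are
# dropped) and highlight permissive settings: root login, empty passwords,
# challenge-response authentication and agent forwarding set to a value ending
# in "es".
# Fixed here: the directive is spelled AuthorizedKeysFile (the previous pattern
# carried a trailing "s" and could never match), and the highlight expression
# said "FordwardAgent" instead of "ForwardAgent".
# NOTE(review): this always reads the live /etc/ssh/sshd_config, also when
# $SEARCH_IN_FOLDER is set - confirm whether it should honour ${ROOT_FOLDER}.
grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFile" /etc/ssh/sshd_config 2>/dev/null \
  | grep -v "#" \
  | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|ForwardAgent.*es,${SED_RED},"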
# Collect the names of files that contain a PEM "BEGIN ... PRIVATE KEY" header.
#
# Globals written: privatekeyfilesetc, privatekeyfileshome,
#                  privatekeyfilesroot, privatekeyfilesmnt
if [ -n "$SEARCH_IN_FOLDER" ]; then
  # Folder/firmware mode: scan the whole tree under $ROOT_FOLDER in one pass,
  # bounded to 120 seconds.
  # NOTE(review): timeout is invoked here without checking $TIMEOUT; if the
  # binary is missing this search silently returns nothing - confirm.
  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
elif [ -n "$TIMEOUT" ]; then
  # $TIMEOUT is set: each directory tree gets at most 40 seconds.
  # $HOMESEARCH is unquoted so it can expand to several directories.
  privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
  privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
  privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
  privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
else
  # No timeout: only /etc and the current user's ~/.ssh are searched, because an
  # unbounded recursive grep over many files can stall the whole run.
  privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
  privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
fi
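# Report every file that matched the private-key search, one path per line,
# highlighted with ${SED_RED}.
# The paths are handed to printf as data ('%s') and never as the format string,
# so a file name containing "%" or a backslash is printed literally instead of
# being interpreted as a conversion or an escape sequence.
if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ]; then
  echo ""
  print_3title "Possible private SSH keys were found!" | sed -${E} "s,private SSH keys,${SED_RED},"
  if [ "$privatekeyfilesetc" ]; then printf '%s\n' "$privatekeyfilesetc" | sed -${E} "s,.*,${SED_RED},"; fi
  if [ "$privatekeyfileshome" ]; then printf '%s\n' "$privatekeyfileshome" | sed -${E} "s,.*,${SED_RED},"; fi
  if [ "$privatekeyfilesroot" ]; then printf '%s\n' "$privatekeyfilesroot" | sed -${E} "s,.*,${SED_RED},"; fi
  if [ "$privatekeyfilesmnt" ]; then printf '%s\n' "$privatekeyfilesmnt" | sed -${E} "s,.*,${SED_RED},"; fi
  echo ""
fi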
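# List the certificate files that were found, capped at 20 lines per source.
# Fixed here: the second list was written as "$$PSTORAGE_CERTSBIN", which the
# shell expands to the process ID followed by the literal text
# "PSTORAGE_CERTSBIN", so the binary certificates were never shown.
# Both lists are passed to printf as data, not as the format string.
if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then
  print_3title "Some certificates were found (out limited):"
  printf '%s\n' "$certsb4_grep" | head -n 20
  printf '%s\n' "$PSTORAGE_CERTSBIN" | head -n 20
  echo ""
fi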
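# List the client certificate files recorded in $PSTORAGE_CERTSCLIENT.
# The list is printed through '%s' so that "%" or backslashes in a path are not
# interpreted by printf as format directives.
if [ "$PSTORAGE_CERTSCLIENT" ]; then
  print_3title "Some client certificates were found:"
  printf '%s\n' "$PSTORAGE_CERTSCLIENT"
  echo ""
fi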
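# List the SSH agent files recorded in $PSTORAGE_SSH_AGENTS.
# The list is printed through '%s' so that "%" or backslashes in a path are not
# interpreted by printf as format directives.
if [ "$PSTORAGE_SSH_AGENTS" ]; then
  print_3title "Some SSH Agent files were found:"
  printf '%s\n' "$PSTORAGE_SSH_AGENTS"
  echo ""
fi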
# Show the identities held by the ssh-agent the current session can reach.
# The probe discards stderr; the section is printed only when ssh-add emits at
# least one stdout line that does not contain "no identities". Loaded keys are
# usable by anything able to talk to that agent, so they are worth reviewing.
if ssh-add -l 2>/dev/null | grep -v 'no identities' >/dev/null; then
  print_3title "Listing SSH Agents"
  ssh-add -l
  echo ""
fi
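# Show the key list of a reachable gpg-agent when the probe finds a row
# matching "D - - 1".
# The probe now uses grep -q, like the ssh-add check in this file, so the
# matching rows are no longer printed ahead of the section title and then
# repeated by the full listing.
# NOTE(review): "D - - 1" presumably selects keyinfo rows whose "cached" field
# is 1 - confirm against gpg-agent's KEYINFO output format.
if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep -q "D - - 1"; then
  print_3title "Listing gpg keys cached in gpg-agent"
  gpg-connect-agent "keyinfo --list" /bye
  echo ""
fi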
# Print the agent sockets collected in $writable_agents, one per line.
# Nothing is printed when the search found none.
if [ -n "$writable_agents" ]; then
  print_3title "Writable ssh and gpg agents"
  printf '%s\n' "$writable_agents"
fi
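# For every per-user ssh config file listed in $PSTORAGE_SSH_CONFIG, print its
# path (highlighted) followed by its non-empty, non-comment lines with the
# User and ProxyCommand keywords highlighted.
if [ "$PSTORAGE_SSH_CONFIG" ]; then
  print_3title "Some home ssh config file was found"
  # IFS= and -r keep leading whitespace and backslashes in a path intact.
  printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while IFS= read -r f; do
    # The path is no longer spliced into the sed expression: a name containing
    # "," or a regex metacharacter would corrupt the command. Highlighting the
    # whole ls output line gives the same result for a regular file.
    ls "$f" | sed -${E} "s,.*,${SED_RED},"
    grep -Iv "^$" "$f" 2>/dev/null | grep -v "^#" | sed -${E} "s,User|ProxyCommand,${SED_RED},"
  done
  echo ""
fi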
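# Print the hosts.denied path that was found and its active rules (lines
# containing "#" and empty lines are dropped), coloured with ${SED_GREEN}.
# Fixed here: the file was read from " ${ROOT_FOLDER}etc/hosts.denied" - note
# the leading space inside the quotes - which names a non-existent path, so the
# rules were never shown. The path stored in $hostsdenied is read instead; it
# is the one the earlier ls confirmed to exist in either search mode.
if [ "$hostsdenied" ]; then
  print_3title "/etc/hosts.denied file found, read the rules:"
  printf '%s\n' "$hostsdenied"
  grep -v "#" "$hostsdenied" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
  echo ""
fi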
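# Print the hosts.allow path that was found and its active rules (lines
# containing "#" and empty lines are dropped), coloured with ${SED_RED}.
# Fixed here: the file was read from " ${ROOT_FOLDER}etc/hosts.allow" - note
# the leading space inside the quotes - which names a non-existent path, so the
# rules were never shown. The path stored in $hostsallow is read instead; it is
# the one the earlier ls confirmed to exist in either search mode.
if [ "$hostsallow" ]; then
  print_3title "/etc/hosts.allow file found, trying to read the rules:"
  printf '%s\n' "$hostsallow"
  grep -v "#" "$hostsallow" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
  echo ""
fi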
# Dump the system-wide SSH client configuration without comment or empty lines
# and highlight the Host, ForwardAgent, User and ProxyCommand keywords.
# The file is addressed through ${ROOT_FOLDER}, so the same code serves the
# live system and folder mode.
# NOTE(review): this relies on ROOT_FOLDER being "/" in normal mode - confirm.
if [ -n "$sshconfig" ]; then
  echo ""
  echo "Searching inside /etc/ssh/ssh_config for interesting info"
  grep -v "^#" ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null \
    | grep -Ev "\W+\#|^#" 2>/dev/null \
    | grep -Iv "^$" \
    | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
fi

# Blank line that closes the section.
echo ""