diff --git a/LinEnum.sh b/LinEnum.sh index d8c69f2..369f860 100755 --- a/LinEnum.sh +++ b/LinEnum.sh @@ -4,9 +4,9 @@ version="version 0.982" #@rebootuser #help function -usage () -{ -echo -e "\n\e[00;31m#########################################################\e[00m" +usage () +{ +echo -e "\n\e[00;31m#########################################################\e[00m" echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" echo -e "\e[00;31m#########################################################\e[00m" echo -e "\e[00;33m# www.rebootuser.com | @rebootuser \e[00m" 
@@ -18,43 +18,43 @@ echo -e "\e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t \e[00 echo "-e Enter export location" echo "-s Supply user password for sudo checks (INSECURE)" echo "-t Include thorough (lengthy) tests" - echo "-r Enter report name" + echo "-r Enter report name" echo "-h Displays this help text" echo -e "\n" echo "Running with no options = limited scans/no output file" - -echo -e "\e[00;31m#########################################################\e[00m" + +echo -e "\e[00;31m#########################################################\e[00m" } header() { -echo -e "\n\e[00;31m#########################################################\e[00m" -echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" -echo -e "\e[00;31m#########################################################\e[00m" -echo -e "\e[00;33m# www.rebootuser.com\e[00m" -echo -e "\e[00;33m# $version\e[00m\n" +echo -e "\n\e[00;31m#########################################################\e[00m" +echo -e "\e[00;31m#\e[00m" "\e[00;33mLocal Linux Enumeration & Privilege Escalation Script\e[00m" "\e[00;31m#\e[00m" +echo -e "\e[00;31m#########################################################\e[00m" +echo -e "\e[00;33m# www.rebootuser.com\e[00m" +echo -e "\e[00;33m# $version\e[00m\n" } debug_info() { -echo "[-] Debug Info" +echo "[-] Debug Info" -if [ "$keyword" ]; then - echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" +if [ "$keyword" ]; then + echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" fi -if [ "$report" ]; then - echo "[+] Report name = $report" +if [ "$report" ]; then + echo "[+] Report name = $report" fi -if [ "$export" ]; then - echo "[+] Export location = $export" +if [ "$export" ]; then + echo "[+] Export location = $export" fi -if [ "$thorough" ]; then - echo "[+] Thorough tests = Enabled" -else - echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" +if [ 
"$thorough" ]; then + echo "[+] Thorough tests = Enabled" +else + echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m" fi sleep 2 @@ -65,17 +65,17 @@ if [ "$export" ]; then mkdir $format 2>/dev/null fi -if [ "$sudopass" ]; then +if [ "$sudopass" ]; then echo -e "\e[00;35m[+] Please enter password - INSECURE - really only for CTF use!\e[00m" read -s userpassword - echo + echo fi -who=`whoami` 2>/dev/null -echo -e "\n" +who=`whoami` 2>/dev/null +echo -e "\n" -echo -e "\e[00;33mScan started at:"; date -echo -e "\e[00m\n" +echo -e "\e[00;33mScan started at:"; date +echo -e "\e[00m\n" } # useful binaries (thanks to https://gtfobins.github.io/) 
@@ -83,58 +83,58 @@ binarylist='aria2c\|arp\|ash\|awk\|base64\|bash\|busybox\|cat\|chmod\|chown\|cp\ system_info() { -echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" +echo -e "\e[00;33m### SYSTEM ##############################################\e[00m" #basic kernel info unameinfo=`uname -a 2>/dev/null` if [ "$unameinfo" ]; then - echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" - echo -e "\n" + echo -e "\e[00;31m[-] Kernel information:\e[00m\n$unameinfo" + echo -e "\n" fi procver=`cat /proc/version 2>/dev/null` if [ "$procver" ]; then - echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" - echo -e "\n" + echo -e "\e[00;31m[-] Kernel information (continued):\e[00m\n$procver" + echo -e "\n" fi #search all *-release files for version info release=`cat /etc/*-release 2>/dev/null` if [ "$release" ]; then - echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" - echo -e "\n" + echo -e "\e[00;31m[-] Specific release information:\e[00m\n$release" + echo -e "\n" fi #target hostname info hostnamed=`hostname 2>/dev/null` if [ "$hostnamed" ]; then - echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" - echo -e "\n" + echo -e "\e[00;31m[-] Hostname:\e[00m\n$hostnamed" + echo -e "\n" fi } user_info() { -echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" +echo -e "\e[00;33m### USER/GROUP ##########################################\e[00m" #current user details currusr=`id 2>/dev/null` if [ "$currusr" ]; then - echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" + echo -e "\e[00;31m[-] Current user/group info:\e[00m\n$currusr" echo -e "\n" fi #last logged on user information lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null` if [ "$lastlogedonusrs" ]; then - echo -e "\e[00;31m[-] Users that have previously logged onto the system:\e[00m\n$lastlogedonusrs" - echo -e "\n" + echo -e "\e[00;31m[-] Users that have previously logged onto the 
system:\e[00m\n$lastlogedonusrs" + echo -e "\n" fi #who else is logged on loggedonusrs=`w 2>/dev/null` if [ "$loggedonusrs" ]; then - echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" + echo -e "\e[00;31m[-] Who else is logged on:\e[00m\n$loggedonusrs" echo -e "\n" fi @@ -156,14 +156,14 @@ fi #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null` if [ "$hashesinpasswd" ]; then - echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" + echo -e "\e[00;33m[+] It looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" echo -e "\n" fi #contents of /etc/passwd readpasswd=`cat /etc/passwd 2>/dev/null` if [ "$readpasswd" ]; then - echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" + echo -e "\e[00;31m[-] Contents of /etc/passwd:\e[00m\n$readpasswd" echo -e "\n" fi @@ -175,7 +175,7 @@ fi #checks to see if the shadow file can be read readshadow=`cat /etc/shadow 2>/dev/null` if [ "$readshadow" ]; then - echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" + echo -e "\e[00;33m[+] We can read the shadow file!\e[00m\n$readshadow" echo -e "\n" fi @@ -187,7 +187,7 @@ fi #checks to see if /etc/master.passwd can be read - BSD 'shadow' variant readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` if [ "$readmasterpasswd" ]; then - echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" + echo -e "\e[00;33m[+] We can read the master.passwd file!\e[00m\n$readmasterpasswd" echo -e "\n" fi @@ -218,7 +218,7 @@ fi #can we sudo without supplying a password sudoperms=`echo '' | sudo -S -l -k 2>/dev/null` if [ "$sudoperms" ]; then - echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" + echo -e "\e[00;33m[+] We can sudo without supplying a password!\e[00m\n$sudoperms" echo -e "\n" fi 
@@ -229,7 +229,7 @@ if [ "$sudopass" ]; then else sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null` if [ "$sudoauth" ]; then - echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" + echo -e "\e[00;33m[+] We can sudo when supplying a password!\e[00m\n$sudoauth" echo -e "\n" fi fi @@ -242,7 +242,7 @@ if [ "$sudopass" ]; then else sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$sudopermscheck" ]; then - echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" + echo -e "\e[00;33m[-] Possible sudo pwnage!\e[00m\n$sudopermscheck" echo -e "\n" fi fi 
@@ -251,28 +251,28 @@ fi #known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) sudopwnage=`echo '' | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$sudopwnage" ]; then - echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" + echo -e "\e[00;33m[+] Possible sudo pwnage!\e[00m\n$sudopwnage" echo -e "\n" fi #who has sudoed in the past whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null` if [ "$whohasbeensudo" ]; then - echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" + echo -e "\e[00;31m[-] Accounts that have recently used sudo:\e[00m\n$whohasbeensudo" echo -e "\n" fi #checks to see if roots home directory is accessible rthmdir=`ls -ahl /root/ 2>/dev/null` if [ "$rthmdir" ]; then - echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" + echo -e "\e[00;33m[+] We can read root's home directory!\e[00m\n$rthmdir" echo -e "\n" fi #displays /home directory permissions - check if any are lax homedirperms=`ls -ahl /home/ 2>/dev/null` if [ "$homedirperms" ]; then - echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" + echo -e "\e[00;31m[-] Are permissions on /home directories lax:\e[00m\n$homedirperms" echo -e "\n" fi @@ -280,7 +280,7 @@ fi if [ "$thorough" = "1" ]; then grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null` if [ "$grfilesall" ]; then - echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" + echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall" echo -e "\n" fi fi 
@@ -307,7 +307,7 @@ fi if [ "$thorough" = "1" ]; then wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null` if [ "$wrfileshm" ]; then - echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" + echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm" echo -e "\n" fi fi @@ -323,8 +323,8 @@ fi if [ "$thorough" = "1" ]; then homedircontents=`ls -ahl ~ 2>/dev/null` if [ "$homedircontents" ] ; then - echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" - echo -e "\n" + echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents" + echo -e "\n" fi fi @@ -332,7 +332,7 @@ fi if [ "$thorough" = "1" ]; then sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;` if [ "$sshfiles" ]; then - echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" + echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles" echo -e "\n" fi fi 
@@ -347,19 +347,19 @@ fi #is root permitted to login via ssh sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` if [ "$sshrootlogin" = "yes" ]; then - echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" + echo -e "\e[00;31m[-] Root is allowed to login via SSH:\e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" echo -e "\n" fi } environmental_info() { -echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" +echo -e "\e[00;33m### ENVIRONMENTAL #######################################\e[00m" #env information envinfo=`env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null` if [ "$envinfo" ]; then - echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" + echo -e "\e[00;31m[-] Environment information:\e[00m\n$envinfo" echo -e "\n" fi @@ -376,7 +376,7 @@ fi pathinfo=`echo $PATH 2>/dev/null` if [ "$pathinfo" ]; then pathswriteable=`ls -ld $(echo $PATH | tr ":" " ")` - echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" + echo -e "\e[00;31m[-] Path information:\e[00m\n$pathinfo" echo -e "$pathswriteable" echo -e "\n" fi 
@@ -384,28 +384,28 @@ fi #lists available shells shellinfo=`cat /etc/shells 2>/dev/null` if [ "$shellinfo" ]; then - echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" + echo -e "\e[00;31m[-] Available shells:\e[00m\n$shellinfo" echo -e "\n" fi #current umask value with both octal and symbolic output umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null` if [ "$umaskvalue" ]; then - echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" + echo -e "\e[00;31m[-] Current umask value:\e[00m\n$umaskvalue" echo -e "\n" fi #umask value as in /etc/login.defs umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null` if [ "$umaskdef" ]; then - echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" + echo -e "\e[00;31m[-] umask value as specified in /etc/login.defs:\e[00m\n$umaskdef" echo -e "\n" fi #password policy information as stored in /etc/login.defs logindefs=`grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null` if [ "$logindefs" ]; then - echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" + echo -e "\e[00;31m[-] Password and storage information:\e[00m\n$logindefs" echo -e "\n" fi 
@@ -417,51 +417,51 @@ fi job_info() { -echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" +echo -e "\e[00;33m### JOBS/TASKS ##########################################\e[00m" #are there any cron jobs configured cronjobs=`ls -la /etc/cron* 2>/dev/null` if [ "$cronjobs" ]; then - echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" + echo -e "\e[00;31m[-] Cron jobs:\e[00m\n$cronjobs" echo -e "\n" fi #can we manipulate these jobs in any way cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;` if [ "$cronjobwwperms" ]; then - echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" + echo -e "\e[00;33m[+] World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" echo -e "\n" fi #contab contents crontabvalue=`cat /etc/crontab 2>/dev/null` if [ "$crontabvalue" ]; then - echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" + echo -e "\e[00;31m[-] Crontab contents:\e[00m\n$crontabvalue" echo -e "\n" fi crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` if [ "$crontabvar" ]; then - echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" + echo -e "\e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" echo -e "\n" fi anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` if [ "$anacronjobs" ]; then - echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" + echo -e "\e[00;31m[-] Anacron jobs and associated file permissions:\e[00m\n$anacronjobs" echo -e "\n" fi anacrontab=`ls -la /var/spool/anacron 2>/dev/null` if [ "$anacrontab" ]; then - echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" + echo -e "\e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" echo -e "\n" fi #pull out account names from /etc/passwd and see if any users 
have associated cronjobs (priv command) cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` if [ "$cronother" ]; then - echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" + echo -e "\e[00;31m[-] Jobs held by all users:\e[00m\n$cronother" echo -e "\n" fi 
@@ -484,103 +484,103 @@ fi networking_info() { -echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" +echo -e "\e[00;33m### NETWORKING ##########################################\e[00m" #nic information nicinfo=`/sbin/ifconfig -a 2>/dev/null` if [ "$nicinfo" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfo" echo -e "\n" fi #nic information (using ip) nicinfoip=`/sbin/ip a 2>/dev/null` if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then - echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" + echo -e "\e[00;31m[-] Network and IP info:\e[00m\n$nicinfoip" echo -e "\n" fi arpinfo=`arp -a 2>/dev/null` if [ "$arpinfo" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfo" echo -e "\n" fi arpinfoip=`ip n 2>/dev/null` if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then - echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" + echo -e "\e[00;31m[-] ARP history:\e[00m\n$arpinfoip" echo -e "\n" fi #dns settings nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null` if [ "$nsinfo" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfo" echo -e "\n" fi nsinfosysd=`systemd-resolve --status 2>/dev/null` if [ "$nsinfosysd" ]; then - echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" + echo -e "\e[00;31m[-] Nameserver(s):\e[00m\n$nsinfosysd" echo -e "\n" fi #default route configuration defroute=`route 2>/dev/null | grep default` if [ "$defroute" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" + echo -e "\e[00;31m[-] Default route:\e[00m\n$defroute" echo -e "\n" fi #default route configuration defrouteip=`ip r 2>/dev/null | grep default` if [ ! 
"$defroute" ] && [ "$defrouteip" ]; then - echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" + echo -e "\e[00;31m[-] Default route:\e[00m\n$defrouteip" echo -e "\n" fi #listening TCP tcpservs=`netstat -ntpl 2>/dev/null` if [ "$tcpservs" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservs" echo -e "\n" fi tcpservsip=`ss -t -l -n 2>/dev/null` if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then - echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" + echo -e "\e[00;31m[-] Listening TCP:\e[00m\n$tcpservsip" echo -e "\n" fi #listening UDP udpservs=`netstat -nupl 2>/dev/null` if [ "$udpservs" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservs" echo -e "\n" fi udpservsip=`ss -u -l -n 2>/dev/null` if [ ! "$udpservs" ] && [ "$udpservsip" ]; then - echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" + echo -e "\e[00;31m[-] Listening UDP:\e[00m\n$udpservsip" echo -e "\n" fi } services_info() { -echo -e "\e[00;33m### SERVICES #############################################\e[00m" +echo -e "\e[00;33m### SERVICES #############################################\e[00m" #running processes psaux=`ps aux 2>/dev/null` if [ "$psaux" ]; then - echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" + echo -e "\e[00;31m[-] Running processes:\e[00m\n$psaux" echo -e "\n" fi #lookup process binary path and permissisons procperm=`ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null` if [ "$procperm" ]; then - echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" + echo -e "\e[00;31m[-] Process binaries and associated permissions (from above list):\e[00m\n$procperm" echo -e "\n" fi 
@@ -593,7 +593,7 @@ fi #anything 'useful' in inetd.conf inetdread=`cat /etc/inetd.conf 2>/dev/null` if [ "$inetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" + echo -e "\e[00;31m[-] Contents of /etc/inetd.conf:\e[00m\n$inetdread" echo -e "\n" fi @@ -605,13 +605,13 @@ fi #very 'rough' command to extract associated binaries from inetd.conf & show permisisons of each inetdbinperms=`awk '{print $7}' /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$inetdbinperms" ]; then - echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" + echo -e "\e[00;31m[-] The related inetd binary permissions:\e[00m\n$inetdbinperms" echo -e "\n" fi xinetdread=`cat /etc/xinetd.conf 2>/dev/null` if [ "$xinetdread" ]; then - echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" + echo -e "\e[00;31m[-] Contents of /etc/xinetd.conf:\e[00m\n$xinetdread" echo -e "\n" fi 
@@ -622,53 +622,53 @@ fi xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null` if [ "$xinetdincd" ]; then - echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null + echo -e "\e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:\e[00m"; ls -la /etc/xinetd.d 2>/dev/null echo -e "\n" fi #very 'rough' command to extract associated binaries from xinetd.conf & show permisisons of each xinetdbinperms=`awk '{print $7}' /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$xinetdbinperms" ]; then - echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" + echo -e "\e[00;31m[-] The related xinetd binary permissions:\e[00m\n$xinetdbinperms" echo -e "\n" fi initdread=`ls -la /etc/init.d 2>/dev/null` if [ "$initdread" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" + echo -e "\e[00;31m[-] /etc/init.d/ binary permissions:\e[00m\n$initdread" echo -e "\n" fi #init.d files NOT belonging to root! initdperms=`find /etc/init.d/ \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$initdperms" ]; then - echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" + echo -e "\e[00;31m[-] /etc/init.d/ files not belonging to root:\e[00m\n$initdperms" echo -e "\n" fi rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` if [ "$rcdread" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" + echo -e "\e[00;31m[-] /etc/rc.d/init.d binary permissions:\e[00m\n$rcdread" echo -e "\n" fi #init.d files NOT belonging to root! rcdperms=`find /etc/rc.d/init.d \! 
-uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$rcdperms" ]; then - echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" + echo -e "\e[00;31m[-] /etc/rc.d/init.d files not belonging to root:\e[00m\n$rcdperms" echo -e "\n" fi usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` if [ "$usrrcdread" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" + echo -e "\e[00;31m[-] /usr/local/etc/rc.d binary permissions:\e[00m\n$usrrcdread" echo -e "\n" fi #rc.d files NOT belonging to root! usrrcdperms=`find /usr/local/etc/rc.d \! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$usrrcdperms" ]; then - echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" + echo -e "\e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:\e[00m\n$usrrcdperms" echo -e "\n" fi 
@@ -701,79 +701,93 @@ fi software_configs() { -echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" +echo -e "\e[00;33m### SOFTWARE #############################################\e[00m" #sudo version - check to see if there are any known vulnerabilities with this sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` if [ "$sudover" ]; then - echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" + echo -e "\e[00;31m[-] Sudo version:\e[00m\n$sudover" + echo -e "\n" +fi + +#redis details +redisver=`redis-server --version 2>/dev/null` +if [ "$redisver" ]; then + echo -e "\e[00;31m[-] Redis version:\e[00m\n$redisver" + echo -e "\n" +fi + +#redis password check +redisanon=`redis-cli "INFO" | grep "NOAUTH" 2>/dev/null` +if ! [ "$redisanon" ]; then + echo -e "\e[00;31m[-] Redis is NOT PASSWORD PROTECTED!" echo -e "\n" fi #mysql details - if installed mysqlver=`mysql --version 2>/dev/null` if [ "$mysqlver" ]; then - echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" + echo -e "\e[00;31m[-] MYSQL version:\e[00m\n$mysqlver" echo -e "\n" fi #checks to see if root/root will get us a connection mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` if [ "$mysqlconnect" ]; then - echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" + echo -e "\e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!\e[00m\n$mysqlconnect" echo -e "\n" fi #mysql version details mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` if [ "$mysqlconnectnopass" ]; then - echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" + echo -e "\e[00;33m[+] We can connect to the local MYSQL service as 'root' and without a password!\e[00m\n$mysqlconnectnopass" echo -e "\n" fi #postgres details - if installed postgver=`psql -V 2>/dev/null` if [ "$postgver" ]; then - echo -e "\e[00;31m[-] 
Postgres version:\e[00m\n$postgver" + echo -e "\e[00;31m[-] Postgres version:\e[00m\n$postgver" echo -e "\n" fi #checks to see if any postgres password exists and connects to DB 'template0' - following commands are a variant on this postcon1=`psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon1" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'postgres' with no password!:\e[00m\n$postcon1" echo -e "\n" fi postcon11=`psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon11" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'postgres' with no password!:\e[00m\n$postcon11" echo -e "\n" fi postcon2=`psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon2" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template0' as user 'psql' with no password!:\e[00m\n$postcon2" echo -e "\n" fi postcon22=`psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version` if [ "$postcon22" ]; then - echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" + echo -e "\e[00;33m[+] We can connect to Postgres DB 'template1' as user 'psql' with no password!:\e[00m\n$postcon22" echo -e "\n" fi #apache details - if installed apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` if [ "$apachever" ]; then - echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" + echo -e "\e[00;31m[-] Apache version:\e[00m\n$apachever" echo -e "\n" fi #what account is apache running 
under apacheusr=`grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null |awk '{sub(/.*\export /,"")}1' 2>/dev/null` if [ "$apacheusr" ]; then - echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" + echo -e "\e[00;31m[-] Apache user configuration:\e[00m\n$apacheusr" echo -e "\n" fi @@ -785,7 +799,7 @@ fi #installed apache modules apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null` if [ "$apachemodules" ]; then - echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" + echo -e "\e[00;31m[-] Installed Apache modules:\e[00m\n$apachemodules" echo -e "\n" fi @@ -800,7 +814,7 @@ fi if [ "$thorough" = "1" ]; then apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null` if [ "$apachehomedirs" ]; then - echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" + echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs" echo -e "\n" fi fi 
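Review bot: The new redis password check in the `@@ -701,79 +701,93 @@` hunk reports "Redis is NOT PASSWORD PROTECTED!" whenever `$redisanon` is empty, which is also what happens when redis-cli is not installed, the server is not running, or the connection is refused — the `2>/dev/null` there only silences grep, so any redis-cli error goes to the terminal and the finding is a false positive on most hosts. Checking for a successful unauthenticated INFO reply instead makes the finding positive evidence: `redisanon=\`redis-cli INFO 2>/dev/null | grep "redis_version" 2>/dev/null\`` and `if [ "$redisanon" ]; then`, which also matches the `[ "$var" ]` pattern used by every other check in the file. The message on the following line is missing the `\e[00m` reset the sibling messages carry, so the red attribute bleeds into the rest of the output; `echo -e "\e[00;31m[-] Redis is NOT PASSWORD PROTECTED!\e[00m"` fixes that. The enclosing `software_configs` function continues past the end of the hunk.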
@@ -809,28 +823,28 @@ fi interesting_files() { -echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" +echo -e "\e[00;33m### INTERESTING FILES ####################################\e[00m" #checks to see if various files are installed -echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null -echo -e "\n" +echo -e "\e[00;31m[-] Useful file locations:\e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null +echo -e "\n" #limited search for installed compilers compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null` if [ "$compiler" ]; then - echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" + echo -e "\e[00;31m[-] Installed compilers:\e[00m\n$compiler" echo -e "\n" fi #manual check - lists out sensitive files, can we read/modify etc. -echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null -echo -e "\n" +echo -e "\e[00;31m[-] Can we read/write sensitive files:\e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null +echo -e "\n" #search for suid files allsuid=`find / -perm -4000 -type f 2>/dev/null` findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;` if [ "$findsuid" ]; then - echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" + echo -e "\e[00;31m[-] SUID files:\e[00m\n$findsuid" echo -e "\n" fi 
@@ -842,21 +856,21 @@ fi #list of 'interesting' suid files - feel free to make additions intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$intsuid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" + echo -e "\e[00;33m[+] Possibly interesting SUID files:\e[00m\n$intsuid" echo -e "\n" fi #lists world-writable suid files wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsuid" ]; then - echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" + echo -e "\e[00;33m[+] World-writable SUID files:\e[00m\n$wwsuid" echo -e "\n" fi #lists world-writable suid files owned by root wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsuidrt" ]; then - echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" + echo -e "\e[00;33m[+] World-writable SUID files owned by root:\e[00m\n$wwsuidrt" echo -e "\n" fi @@ -864,7 +878,7 @@ fi allsgid=`find / -perm -2000 -type f 2>/dev/null` findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` if [ "$findsgid" ]; then - echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" + echo -e "\e[00;31m[-] SGID files:\e[00m\n$findsgid" echo -e "\n" fi 
@@ -876,21 +890,21 @@ fi #list of 'interesting' sgid files intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$intsgid" ]; then - echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" + echo -e "\e[00;33m[+] Possibly interesting SGID files:\e[00m\n$intsgid" echo -e "\n" fi #lists world-writable sgid files wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsgid" ]; then - echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" + echo -e "\e[00;33m[+] World-writable SGID files:\e[00m\n$wwsgid" echo -e "\n" fi #lists world-writable sgid files owned by root wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwsgidrt" ]; then - echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" + echo -e "\e[00;33m[+] World-writable SGID files owned by root:\e[00m\n$wwsgidrt" echo -e "\n" fi @@ -971,7 +985,7 @@ fi if [ "$thorough" = "1" ]; then wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` if [ "$wwfiles" ]; then - echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" + echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles" echo -e "\n" fi fi @@ -986,7 +1000,7 @@ fi #are any .plan files accessible in /home (could contain useful information) usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` if [ "$usrplan" ]; then - echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" + echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$usrplan" echo -e "\n" fi 
@@ -997,7 +1011,7 @@ fi
 bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
 if [ "$bsdusrplan" ]; then
- echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
+ echo -e "\e[00;31m[-] Plan file permissions and contents:\e[00m\n$bsdusrplan"
 echo -e "\n"
 fi
@@ -1009,7 +1023,7 @@ fi
 #are there any .rhosts files accessible - these may allow us to login as another user etc.
 rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
 if [ "$rhostsusr" ]; then
- echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$rhostsusr"
 echo -e "\n"
 fi
@@ -1020,7 +1034,7 @@ fi
 bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
 if [ "$bsdrhostsusr" ]; then
- echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
+ echo -e "\e[00;33m[+] rhost config file(s) and file contents:\e[00m\n$bsdrhostsusr"
 echo -e "\n"
 fi
@@ -1031,7 +1045,13 @@ fi
 rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;`
 if [ "$rhostssys" ]; then
- echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
+ echo -e "\e[00;33m[+] Hosts.equiv file and contents: \e[00m\n$rhostssys"
+ echo -e "\n"
+fi
+
+nfsmounts=`cat /proc/mounts | grep nfs 2>/dev/null`
+if [ "$nfsmounts" ]; then
+ echo -e "\e[00;33m[+] Connected NFS Mounts: \e[00m\n$nfsmounts"
 echo -e "\n"
 fi
@@ -1043,7 +1063,7 @@ fi
 #list nfs shares/permisisons etc.
 nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null`
 if [ "$nfsexports" ]; then
- echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
+ echo -e "\e[00;31m[-] NFS config details: \e[00m\n$nfsexports"
 echo -e "\n"
 fi
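Review bot: The new NFS mount check in the `@@ -1031,7 +1045,13 @@` hunk greps for `nfs` anywhere on each /proc/mounts line, so it will also report non-NFS entries such as the `nfsd` pseudo-filesystem or any mount whose device or mount point merely contains that string, and the `2>/dev/null` sits on grep while cat's error for a missing /proc/mounts (the script otherwise cares about BSD hosts, see the /usr/home checks) still reaches the terminal. Reading the file directly and matching on the filesystem-type field fixes both: `nfsmounts=\`awk '$3 == "nfs" || $3 == "nfs4"' /proc/mounts 2>/dev/null\``. The neighbouring checks each carry a one-line purpose comment; adding `#list nfs filesystems currently mounted (fstype field of /proc/mounts)` above the assignment keeps the new block consistent with them.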
@@ -1077,7 +1097,7 @@ fi
 fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null`
 if [ "$fstabcred" ]; then
- echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
+ echo -e "\e[00;33m[+] /etc/fstab contains a credentials file!\e[00m\n$fstabcred"
 echo -e "\n"
 fi
@@ -1088,16 +1108,16 @@ fi
 #use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ]; then
- echo -e "[-] Can't search *.conf files as no keyword was entered\n"
+ echo -e "[-] Can't search *.conf files as no keyword was entered\n"
 else
 confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$confkey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
- echo -e "'$keyword' not found in any .conf files"
- echo -e "\n"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$confkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .conf files"
+ echo -e "\n"
 fi
 fi
@@ -1113,16 +1133,16 @@ fi
 #use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ]; then
- echo -e "[-] Can't search *.php files as no keyword was entered\n"
+ echo -e "[-] Can't search *.php files as no keyword was entered\n"
 else
 phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$phpkey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
- echo -e "'$keyword' not found in any .php files"
- echo -e "\n"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m"
+ echo -e "'$keyword' not found in any .php files"
+ echo -e "\n"
 fi
 fi
@@ -1138,16 +1158,16 @@ fi
 #use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ];then
- echo -e "[-] Can't search *.log files as no keyword was entered\n"
+ echo -e "[-] Can't search *.log files as no keyword was entered\n"
 else
 logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$logkey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m"
 echo -e "'$keyword' not found in any .log files"
- echo -e "\n"
+ echo -e "\n"
 fi
 fi
@@ -1163,15 +1183,15 @@ fi
 #use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located
 if [ "$keyword" = "" ];then
- echo -e "[-] Can't search *.ini files as no keyword was entered\n"
+ echo -e "[-] Can't search *.ini files as no keyword was entered\n"
 else
 inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null`
 if [ "$inikey" ]; then
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
- echo -e "\n"
- else
- echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
- echo -e "'$keyword' not found in any .ini files"
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey"
+ echo -e "\n"
+ else
+ echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m"
+ echo -e "'$keyword' not found in any .ini files"
 echo -e "\n"
 fi
 fi
@@ -1189,7 +1209,7 @@ fi
 #quick extract of .conf files from /etc - only 1 level
 allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null`
 if [ "$allconf" ]; then
- echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
+ echo -e "\e[00;31m[-] All *.conf files in /etc (recursive 1 level):\e[00m\n$allconf"
 echo -e "\n"
 fi
@@ -1201,7 +1221,7 @@ fi
 #extract any user history files that are accessible
 usrhist=`ls -la ~/.*_history 2>/dev/null`
 if [ "$usrhist" ]; then
- echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
+ echo -e "\e[00;31m[-] Current user's history files:\e[00m\n$usrhist"
 echo -e "\n"
 fi
@@ -1213,7 +1233,7 @@ fi
 #can we read roots *_history files - could be passwords stored etc.
 roothist=`ls -la /root/.*_history 2>/dev/null`
 if [ "$roothist" ]; then
- echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
+ echo -e "\e[00;33m[+] Root's history files are accessible!\e[00m\n$roothist"
 echo -e "\n"
 fi
@@ -1240,14 +1260,14 @@ fi
 #is there any mail accessible
 readmail=`ls -la /var/mail 2>/dev/null`
 if [ "$readmail" ]; then
- echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
+ echo -e "\e[00;31m[-] Any interesting mail in /var/mail:\e[00m\n$readmail"
 echo -e "\n"
 fi
 #can we read roots mail
 readmailroot=`head /var/mail/root 2>/dev/null`
 if [ "$readmailroot" ]; then
- echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
+ echo -e "\e[00;33m[+] We can read /var/mail/root! (snippet below)\e[00m\n$readmailroot"
 echo -e "\n"
 fi
@@ -1263,35 +1283,35 @@ docker_checks()
 #specific checks - check to see if we're in a docker container
 dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
 if [ "$dockercontainer" ]; then
- echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
+ echo -e "\e[00;33m[+] Looks like we're in a Docker container:\e[00m\n$dockercontainer"
 echo -e "\n"
 fi
 #specific checks - check to see if we're a docker host
 dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null`
 if [ "$dockerhost" ]; then
- echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
+ echo -e "\e[00;33m[+] Looks like we're hosting Docker:\e[00m\n$dockerhost"
 echo -e "\n"
 fi
 #specific checks - are we a member of the docker group
 dockergrp=`id | grep -i docker 2>/dev/null`
 if [ "$dockergrp" ]; then
- echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
+ echo -e "\e[00;33m[+] We're a member of the (docker) group - could possibly misuse these rights!\e[00m\n$dockergrp"
 echo -e "\n"
 fi
 #specific checks - are there any docker files present
 dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null \;`
 if [ "$dockerfiles" ]; then
- echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
+ echo -e "\e[00;31m[-] Anything juicy in the Dockerfile:\e[00m\n$dockerfiles"
 echo -e "\n"
 fi
 #specific checks - are there any docker files present
 dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;`
 if [ "$dockeryml" ]; then
- echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
+ echo -e "\e[00;31m[-] Anything juicy in docker-compose.yml:\e[00m\n$dockeryml"
 echo -e "\n"
 fi
 }
@@ -1316,7 +1336,7 @@ fi
 footer()
 {
-echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m"
+echo -e "\e[00;33m### SCAN COMPLETE ####################################\e[00m"
 }
 call_each()