thorough check: reduced if/then to [ && #51

wants to merge 2 commits into
base: master
71 changes: 35 additions & 36 deletions LinEnum.sh
Expand Up @@ -51,11 +51,10 @@ if [ "$export" ]; then
echo "[+] Export location = $export"
fi

if [ "$thorough" ]; then
[ "$thorough" ] && {
echo "[+] Thorough tests = Enabled"
else
echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m"
fi
}

sleep 2

Expand Down Expand Up @@ -277,72 +276,72 @@ if [ "$homedirperms" ]; then
fi

#looks for files we can write to that don't belong to us
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
grfilesall=`find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
if [ "$grfilesall" ]; then
echo -e "\e[00;31m[-] Files not owned by user but writable by group:\e[00m\n$grfilesall"
echo -e "\n"
fi
fi
}

#looks for files that belong to us
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
ourfilesall=`find / -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
if [ "$ourfilesall" ]; then
echo -e "\e[00;31m[-] Files owned by our user:\e[00m\n$ourfilesall"
echo -e "\n"
fi
fi
}

#looks for hidden files
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null`
if [ "$hiddenfiles" ]; then
echo -e "\e[00;31m[-] Hidden files:\e[00m\n$hiddenfiles"
echo -e "\n"
fi
fi
}

#looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only 'activated' with thorough scanning switch
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null`
if [ "$wrfileshm" ]; then
echo -e "\e[00;31m[-] World-readable files within /home:\e[00m\n$wrfileshm"
echo -e "\n"
fi
fi
}

if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
if [ "$export" ] && [ "$wrfileshm" ]; then
mkdir $format/wr-files/ 2>/dev/null
for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null
fi
fi
}

#lists current user's home directory contents
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
homedircontents=`ls -ahl ~ 2>/dev/null`
if [ "$homedircontents" ] ; then
echo -e "\e[00;31m[-] Home directory contents:\e[00m\n$homedircontents"
echo -e "\n"
fi
fi
}

#checks for if various ssh files are accessible - this can take some time so is only 'activated' with thorough scanning switch
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
sshfiles=`find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \;`
if [ "$sshfiles" ]; then
echo -e "\e[00;31m[-] SSH keys/host information found in the following locations:\e[00m\n$sshfiles"
echo -e "\n"
fi
fi
}

if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
if [ "$export" ] && [ "$sshfiles" ]; then
mkdir $format/ssh-files/ 2>/dev/null
for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null
fi
fi
}

#is root permitted to login via ssh
sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'`
Expand Down Expand Up @@ -466,15 +465,15 @@ if [ "$cronother" ]; then
fi

# list systemd timers
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
# include inactive timers in thorough mode
systemdtimers="$(systemctl list-timers --all 2>/dev/null)"
info=""
else
} || {
systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)"
# replace the info in the output with a hint towards thorough mode
info="\e[2mEnable thorough tests to see inactive timers\e[00m"
fi
}
if [ "$systemdtimers" ]; then
echo -e "\e[00;31m[-] Systemd timers:\e[00m\n$systemdtimers\n$info"
echo -e "\n"
Expand Down Expand Up @@ -797,13 +796,13 @@ if [ "$htpasswd" ]; then
fi

#anything in the default http home dirs (a thorough only check as output can be large)
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null`
if [ "$apachehomedirs" ]; then
echo -e "\e[00;31m[-] www home dir contents:\e[00m\n$apachehomedirs"
echo -e "\n"
fi
fi
}

}

Expand Down Expand Up @@ -941,47 +940,47 @@ matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/de
fi

#look for private keys - thanks djhohnstein
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
privatekeyfiles=`grep -rl "PRIVATE KEY-----" /home 2>/dev/null`
if [ "$privatekeyfiles" ]; then
echo -e "\e[00;33m[+] Private SSH keys found!:\e[00m\n$privatekeyfiles"
echo -e "\n"
fi
fi
}

#look for AWS keys - thanks djhohnstein
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null`
if [ "$awskeyfiles" ]; then
echo -e "\e[00;33m[+] AWS secret keys found!:\e[00m\n$awskeyfiles"
echo -e "\n"
fi
fi
}

#look for git credential files - thanks djhohnstein
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
gitcredfiles=`find / -name ".git-credentials" 2>/dev/null`
if [ "$gitcredfiles" ]; then
echo -e "\e[00;33m[+] Git credentials saved on the machine!:\e[00m\n$gitcredfiles"
echo -e "\n"
fi
fi
}

#list all world-writable files excluding /proc and /sys
if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;`
if [ "$wwfiles" ]; then
echo -e "\e[00;31m[-] World-writable files (excluding /proc and /sys):\e[00m\n$wwfiles"
echo -e "\n"
fi
fi
}

if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
if [ "$export" ] && [ "$wwfiles" ]; then
mkdir $format/ww-files/ 2>/dev/null
for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null
fi
fi
}

#are any .plan files accessible in /home (could contain useful information)
usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;`
Expand Down Expand Up @@ -1052,7 +1051,7 @@ if [ "$export" ] && [ "$nfsexports" ]; then
cp /etc/exports $format/etc-export/exports 2>/dev/null
fi

if [ "$thorough" = "1" ]; then
[ "$thorough" ] && {
#phackt
#displaying /etc/fstab
fstab=`cat /etc/fstab 2>/dev/null`
Expand All @@ -1061,7 +1060,7 @@ if [ "$thorough" = "1" ]; then
echo -e "$fstab"
echo -e "\n"
fi
fi
}

#looking for credentials in /etc/fstab
fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null`
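Review bot: The first hunk (the "Thorough tests = Enabled/Disabled" banner just after the export-location check) removes the `else` and `fi` but leaves both echo lines inside the `[ "$thorough" ] && { … }` group, so a thorough run now prints both "Enabled" and "Disabled" and a non-thorough run prints nothing at all. Two guarded one-liners keep the intent of the rewrite without losing the branch: `[ "$thorough" ] && echo "[+] Thorough tests = Enabled"` and `[ "$thorough" ] || echo -e "\e[00;33m[+] Thorough tests = Disabled\e[00m"`. The systemd-timers hunk uses `[ "$thorough" ] && { … } || { … }` as an if/else, which only works because `info=""` is the last command of the first group and always succeeds; a comment such as `# last command in this group must succeed, otherwise the || branch also runs` would protect it from a later edit that appends a failing command. Note also that where `[ "$thorough" ] && { … }` is the last statement of a function (the www-home-dir check, whose enclosing function closes right after the hunk), that function now returns 1 whenever thorough is unset — harmless unless a caller tests its status, which is not visible here.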