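├── README.md └── lpe-scan.sh /README.md: -------------------------------------------------------------------------------- 1 | # Linux-Privilege-Escalation 2 | A script designed to help identify vulnerabilities and misconfigurations on a Linux system 3 | 4 | It is a useful tool for performing a quick security assessment of a system, but it is important to note that it is not a comprehensive security tool and should not be used as a replacement for a more thorough security assessment. 5 | 6 | ## Script helps you to find 7 | - world-writable directories 8 | - SUID executables 9 | - SGID executables 10 | - unauthorized SUID/SGID files 11 | - .bash_history files 12 | - .ssh directory 13 | - known hosts file 14 | - authorized_keys file 15 | - password files 16 | - ssh configuration files 17 | - open ports 18 | - kernel modules 19 | - cron jobs 20 | - logged in users 21 | - running processes 22 | - listening processes 23 | - file descriptors 24 | 25 | ## How to run it 26 | ```bash 27 | chmod +x lpe-scan.sh 28 | ./lpe-scan.sh 29 | # To Save results as txt file 30 | ./lpe-scan.sh > scan-results.txt 31 | ``` 32 | -------------------------------------------------------------------------------- /lpe-scan.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# lpe-scan.sh — quick, read-only audit of a Linux host for common
# privilege-escalation risk indicators (world-writable directories, SUID/SGID
# binaries, exposed SSH material, cron entries, listening services, ...).
#
# Usage:  ./lpe-scan.sh                    # coloured output on a terminal
#         ./lpe-scan.sh > scan-results.txt # plain output: colour is suppressed
#                                          # when stdout is not a terminal
#
# Notes:
#   - The script only reads; it changes nothing on the host.
#   - Run as root for complete results. As an unprivileged user many paths are
#     unreadable, find(1) errors are silenced, and the report is partial.
#   - The output is a starting point for manual review, not a verdict: a SUID
#     binary or world-writable directory is only a finding once compared with
#     what the distribution / package manager expects on that host.

# -u: an unset variable is a bug.  -e is deliberately NOT used: find(1) over /
# exits non-zero on any unreadable path and several tools may be missing, and
# neither should abort the remaining checks.
set -u

# Colour only when writing to a terminal, so the README's
# `./lpe-scan.sh > scan-results.txt` does not fill the file with escape codes.
if [[ -t 1 ]]; then
  readonly C_HDR=$'\033[1;34m'
  readonly C_OK=$'\033[1;32m'
  readonly C_RST=$'\033[0m'
else
  readonly C_HDR='' C_OK='' C_RST=''
fi
readonly RULE='-----------------------------------------------------'

#######################################
# Print a coloured horizontal rule that closes a section.
# Globals:  C_HDR, C_RST, RULE (read)
# Outputs:  one line to stdout
#######################################
rule() {
  printf '%s%s%s\n' "$C_HDR" "$RULE" "$C_RST"
}

#######################################
# Print a section banner (rule / title / rule) followed by its explanatory
# text, one argument per line.
# Globals:   C_HDR, C_RST, RULE (read)
# Arguments: $1 - banner title; $2.. - description lines
# Outputs:   stdout
#######################################
section() {
  local title=$1
  shift
  printf '%s%s\n%s\n%s%s\n' "$C_HDR" "$RULE" "$title" "$RULE" "$C_RST"
  printf '%s\n' "$@"
}

#######################################
# Run find(1) over the whole filesystem with the given expression and list
# every match with `ls -ld`.  /proc and /sys are pruned: they are kernel
# pseudo-filesystems whose permission bits are not on-disk state, and they
# dominate the runtime.  `-exec ... +` batches paths instead of forking one
# ls per match.  Errors (almost always EACCES) are silenced.
# Arguments: a find expression, e.g. -type f -perm -4000
# Outputs:   stdout
#######################################
scan_fs() {
  find / \( -path /proc -o -path /sys \) -prune -o "$@" -exec ls -ld -- {} + 2>/dev/null
}

#######################################
# Run a command if it is installed; otherwise say so on stderr and skip the
# check instead of letting a "command not found" error land in the report.
# Arguments: command and its arguments
# Returns:   the command's status, or 127 when it is not installed
#######################################
run_if_present() {
  if command -v "$1" >/dev/null 2>&1; then
    "$@"
  else
    printf 'warning: %s not found; skipping this check\n' "$1" >&2
    return 127
  fi
}

#######################################
# Run every check in order.  Each check is independent: a missing tool or an
# unreadable path only affects its own section.
# Arguments: none
# Outputs:   the report on stdout; warnings on stderr
#######################################
main() {
  if (( EUID != 0 )); then
    printf 'note: not running as root; unreadable paths are skipped and results will be partial\n' >&2
  fi

  section 'Checking for world-writable directories...' \
    'World-writable directories are directories that can be written to by any user on the system. This can be a security risk if sensitive files are stored in these directories.'
  # -perm -0002 is the original -perm -2.  Entries whose mode ends in 't'
  # (sticky bit, e.g. /tmp) are the expected case; the others need review.
  scan_fs -type d -perm -0002
  rule

  section 'Checking for SUID executables...' \
    "SUID (Set User ID) is a permission that allows a user to execute a file with the permissions of the file's owner." \
    'This can be a security risk if the file is owned by root or if it is a program that allows users to execute arbitrary commands.'
  scan_fs -type f -perm -4000
  rule

  section 'Checking for SGID executables...' \
    "SGID (Set Group ID) is a permission that allows a user to execute a file with the permissions of the file's group." \
    'This can be a security risk if the file is owned by a group with excessive permissions or if it is a program that allows users to execute arbitrary commands.'
  scan_fs -type f -perm -2000
  rule

  section 'Checking for unauthorized SUID/SGID files...' \
    'SUID/SGID permissions should only be set on trusted executables. If they are set on an untrusted or unknown file, it may indicate a security risk.'
  # -perm /6000 is the union of the two lists above, restricted to regular
  # files (the original also listed SGID directories, which the heading does
  # not cover).  "Unauthorized" cannot be decided from the mode bits alone:
  # compare this list against the package manager's expected permissions
  # (e.g. `dpkg --verify` / `rpm -V`) or a known-good baseline for the host.
  scan_fs -type f -perm /6000
  rule

  section 'Checking for .bash_history files...' \
    '.bash_history files contain a record of all the commands that have been entered into the bash shell. These files should be protected to prevent unauthorized access to potentially sensitive information.'
  # The original redirected stderr to "/dev" (a directory) and omitted the
  # closing rule for this section; both are fixed here.
  scan_fs -name .bash_history
  rule

  section 'Checking for .ssh directory...' \
    '.ssh directories contain files related to secure shell (SSH) access to the system. These files should be protected to prevent unauthorized access.'
  scan_fs -name .ssh
  rule

  section 'Checking for known_hosts file...' \
    'The known_hosts file contains a list of all the SSH servers that the system has connected to in the past. It is used to prevent man-in-the-middle attacks.'
  scan_fs -name known_hosts
  rule

  section 'Checking for authorized_keys file...' \
    'The authorized_keys file contains a list of public keys that are authorized to access the system via SSH. It should be protected to prevent unauthorized access.'
  scan_fs -name authorized_keys
  rule

  section 'Checking for password files...' \
    'Password files, such as /etc/shadow, contain encrypted passwords for all users on the system. These files should be protected to prevent unauthorized access and password cracking.'
  # Only the listing (owner/mode) is shown; the contents are never read.
  scan_fs -name '*shadow*'
  rule

  section 'Checking for ssh configuration files...' \
    'SSH configuration files, such as /etc/ssh/sshd_config, contain settings for the SSH server. These files should be configured securely to prevent unauthorized access.'
  scan_fs -name sshd_config
  rule

  section 'Checking for open ports...' \
    'Open ports are network ports that have an active listening service. These ports should be secured to prevent unauthorized access.'
  # netstat is deprecated and frequently absent; prefer ss and fall back.
  if command -v ss >/dev/null 2>&1; then
    ss -tulpn
  else
    run_if_present netstat -tulpn
  fi
  rule

  section 'Checking for kernel modules...' \
    "Kernel modules are pieces of code that can be loaded into the kernel at runtime to extend the kernel's functionality. These modules should be monitored to prevent the loading of malicious or unauthorized modules."
  run_if_present lsmod
  rule

  section 'Checking for cron jobs...' \
    'Cron is a daemon that runs scheduled tasks. These tasks, called cron jobs, should be monitored to prevent the execution of malicious or unauthorized tasks.'
  # `crontab -l` shows only the invoking user's table (and exits 1 with a
  # message on stderr when there is none); system-wide schedules live in
  # /etc/crontab and /etc/cron.d, so their listings are included too.
  crontab -l 2>/dev/null || printf '(no crontab for %s)\n' "$(id -un)"
  ls -la /etc/crontab /etc/cron.d 2>/dev/null
  rule

  section 'Checking for logged in users...' \
    'Logged in users may have access to sensitive system resources. It is important to monitor and control access to these resources.'
  who
  rule

  section 'Checking for running processes...' \
    'Running processes may be using system resources or have the ability to access sensitive data. It is important to monitor and control these processes.'
  ps aux
  rule

  section 'Checking for listening processes...' \
    'Listening processes are processes that are waiting for incoming connections. These processes should be monitored to prevent unauthorized access.'
  run_if_present lsof -i -P -n
  rule

  section 'Checking for open file descriptors...' \
    'File descriptors are references to open files. They can be used to access sensitive data or to manipulate system resources. It is important to monitor and control access to these descriptors.'
  run_if_present lsof -nP +c 15
  rule

  printf '%slpe-scan complete!%s\n' "$C_OK" "$C_RST"
}

main "$@"
--------------------------------------------------------------------------------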