├── LICENSE
├── PXEnum.sh
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Shawn Duong

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/PXEnum.sh:
--------------------------------------------------------------------------------
```sh
#!/bin/sh

# PXEnum

echo "--[ PXEnum ]--"
echo "* Version : v2.0.1 (2020.11.17)"
echo "* Source : https://github.com/shawnduong/PXEnum"
echo "----------------------------------------------"
echo

# Basic Information
#
# Note: stderr is redirected *inside* each command substitution. A redirection
# written after the closing backtick applies only to the (empty) assignment
# command, not to the command being substituted, so errors would still leak.

user=`whoami 2> /dev/null`   # Current user
host=`uname -n 2> /dev/null` # Network node hostname
home="$HOME"                 # User home directory
usid=`id -u 2> /dev/null`    # User ID
gpid=`id -g 2> /dev/null`    # Group ID
grps=`groups 2> /dev/null`   # List all groups
knam=`uname -s 2> /dev/null` # Kernel name
krel=`uname -r 2> /dev/null` # Kernel release
kver=`uname -v 2> /dev/null` # Kernel version
arch=`uname -m 2> /dev/null` # Architecture
osys=`uname -o 2> /dev/null` # Operating System

echo "--[ Basic Information ]--"
echo "==> ABOUT THE USER"
echo "* Username : $user"
echo "* Hostname : $host"
echo "* Home Path : $home"
echo "* EUID : $usid"
echo "* EGID : $gpid"
echo "* Groups : $grps"
echo "==> ABOUT THE SYSTEM"
echo "* Kernel Name : $knam"
echo "* Kernel Release : $krel"
echo "* Kernel Version : $kver"
echo "* Architecture : $arch"
echo "* OS Name : $osys"
echo "----------------------------------------------"
echo

# Hardware Information

prdfmly=`cat /sys/class/dmi/id/product_family 2> /dev/null`  # Product family
prdname=`cat /sys/class/dmi/id/product_name 2> /dev/null`    # Product name
prdvers=`cat /sys/class/dmi/id/product_version 2> /dev/null` # Product version

# CPUs and bugs
cpubugs=`{
    grep "model name\|bugs" /proc/cpuinfo |
    awk -F ':' '{print "*",substr($2,2)}'
} 2> /dev/null`

meminfo=`grep "Mem" /proc/meminfo 2> /dev/null` # Memory information

# Total memory in kB
memtotl=`
    echo "$meminfo" |
    grep "MemTotal:" |
    awk -F ' ' '{print $(NF-1)}'
`

# Available memory in kB
memavbl=`
    echo "$meminfo" |
    grep "MemAvailable:" |
    awk -F ' ' '{print $(NF-1)}'
`

# Free memory in kB
memfree=`
    echo "$meminfo" |
    grep "MemFree:" |
    awk -F ' ' '{print $(NF-1)}'
`

echo "--[ Hardware Information ]--"
echo "==> Product"
echo "* Product Family : $prdfmly"
echo "* Product Name : $prdname"
echo "* Product Version : $prdvers"
echo "==> CPUs and Bugs"
echo "$cpubugs"
echo "==> Memory"
echo "* RAM Total : $memtotl kB"
echo "* RAM Available : $memavbl kB"
echo "* RAM Free : $memfree kB"
echo "----------------------------------------------"
echo

# BIOS Information

biosvend=`cat /sys/class/dmi/id/bios_vendor 2> /dev/null`  # Vendor
biosdate=`cat /sys/class/dmi/id/bios_date 2> /dev/null`    # Date
biosvers=`cat /sys/class/dmi/id/bios_version 2> /dev/null` # Version

echo "--[ BIOS Information ]--"
echo "* BIOS Vendor : $biosvend"
echo "* BIOS Date : $biosdate"
echo "* BIOS Version : $biosvers"
echo "----------------------------------------------"
echo

# Users and Groups

# Sorted list of all users
# /etc/passwd fields: 1 = user, 3 = UID, 4 = GID, last = login shell.
auser=`{
    printf "* %-24s %8s %8s %s\n" "(Shell)" "(UID)" "(GID)" "(User)" ;
    awk -F ':' '{printf "* %-24s %8s %8s %s\n", $NF, $3, $4, $1}' /etc/passwd |
    sort
} 2> /dev/null`

# Sorted list of users with shells
suser=`{
    printf "* %-24s %s\n" "(Shell)" "(User)" ;
    grep -v "/usr/bin/nologin" /etc/passwd |
    awk -F ':' '{printf "* %-24s %s\n", $NF, $1}' |
    sort
} 2> /dev/null`

# Sorted list of users with home directories
huser=`{
    printf "* %-24s %s\n" "(Home Directory)" "(User)" ;
    grep -v ":/:" /etc/passwd |
    awk -F ':' '{printf "* %-24s %s\n", $(NF-1), $1}' |
    sort
} 2> /dev/null`

# Sorted list of groups
grups=`{
    printf "* %-8s %s\n" "(GID)" "(Group)" ;
    awk -F ':' '{printf "* %-8s %s\n", $3, $1}' /etc/group |
    sort -V
} 2> /dev/null`

echo "--[ Users and Groups ]--"
echo "==> Users"
echo "$auser"
echo "==> Users with login shells"
echo "$suser"
echo "==> Users with home directories"
echo "$huser"
echo "==> Groups"
echo "$grups"
echo "----------------------------------------------"
echo

# Network Information

ipdata=`ip -o link show 2> /dev/null` # One line per link

# Interfaces
# Field 2 is the interface name followed by a colon; field 3 is the flag set.
ifaces=`
    printf "* %-16s %s\n" "(Interface)" "(Flags)" ;
    echo "$ipdata" |
    awk -F ' ' '{printf "* %-16s %s\n", substr($2,1,length($2)-1), $3}' |
    sort
`

# MAC addresses
# The hardware address is the third field from the end ("link/… MAC brd BCAST").
maddrs=`
    printf "* %-16s %s\n" "(Interface)" "(MAC Address)" ;
    echo "$ipdata" |
    awk -F ' ' '{printf "* %-16s %s\n", substr($2,1,length($2)-1), $(NF-2)}' |
    sort
`

# IP addresses
iaddrs=`{
    printf "* %-16s %s\n" "(Interface)" "(IP Address)" ;
    ip address |
    grep "inet " |
    awk -F ' ' '{printf "* %-16s %s\n", $NF, $2}' ;
    printf "* %-16s %s\n" "(Public)" "(IP Address)" ;
    printf "* %-16s " "Public" ;
    dig +short myip.opendns.com @resolver1.opendns.com ;
} 2> /dev/null`

# Open ports
oports=`
    printf "* %-8s %-24s %s\n" "(Type)" "(Address)" "(PID/Program)" ;
    netstat -tulpn 2> /dev/null |
    grep "LISTEN" |
    awk -F ' ' '{printf "* %-8s %-24s %s\n", $1, $4, $NF}'
`

echo "--[ Network Information ]--"
echo "==> Interfaces"
echo "$ifaces"
echo "==> MAC Addresses"
echo "$maddrs"
echo "==> IP Addresses"
echo "$iaddrs"
echo "==> Open Ports"
echo "$oports"
echo "----------------------------------------------"
echo

# Activity

# Current users (skip the two header lines printed by w)
currusers=`
    printf "* %-12s %-6s %-16s %-8s %-8s %s\n" \
        "(Username)" "(Term)" "(IP Address)" "(Login)" "(Idle)" "(Current Activity)" ;
    w -i 2> /dev/null |
    tail -n +3 |
    awk -F ' ' '{printf "* %-12s %-6s %-16s %-8s %-8s %s\n", $1, $2, $3, $4, $5, $NF}' |
    sort
`

# Current processes (BSD-style "ps aux"; "ps -aux" triggers a syntax warning
# on some procps versions)
currprocs=`
    printf "* %-12s %-8s %s\n" "(Username)" "(PID)" "(Process)" ;
    ps aux 2> /dev/null |
    tail -n +2 |
    awk -F ' ' '{printf "* %-12s %-8s %s\n", $1, $2, $11}' |
    sort -V
`

# Active services
srvactive=`
    systemctl --type=service --state=active 2> /dev/null |
    grep "service.*active" |
    awk -F ' ' '{print "*",$1}' |
    sort
`

# Running services
srvrunnin=`
    systemctl --type=service --state=running 2> /dev/null |
    grep "service.*running" |
    awk -F ' ' '{print "*",$1}' |
    sort
`

echo "--[ Activity ]--"
echo "==> Currently Online Users"
echo "$currusers"
echo "==> Currently Running Processes"
echo "$currprocs"
echo "==> Active Services"
echo "$srvactive"
echo "==> Running Services"
echo "$srvrunnin"
echo "----------------------------------------------"
echo

# Timers

# Sorted list of timers
timers=`
    printf "* %-32s %s\n" "(Timer)" "(Service)" ;
    systemctl list-timers 2> /dev/null |
    grep ".*\.timer" |
    awk -F ' ' '{printf "* %-32s %s\n", $(NF-1), $NF}' |
    sort
`

echo "--[ Timers ]--"
echo "$timers"
echo "----------------------------------------------"
echo

# /etc/shadow Permissions

shadow=`ls -l /etc/shadow 2> /dev/null`                 # Long listing
permis=`echo "$shadow" | awk -F ' ' '{print $1}'`      # Permissions
sowner=`echo "$shadow" | awk -F ' ' '{print $3}'`      # Owner
sgroup=`echo "$shadow" | awk -F ' ' '{print $4}'`      # Group

echo "--[ /etc/shadow Permissions ]--"
echo "* Access : $permis"
echo "* Owner : $sowner"
echo "* Group : $sgroup"
echo "----------------------------------------------"
echo

# /etc/sudoers Permissions

sudoers=`ls -l /etc/sudoers 2> /dev/null`               # Long listing
superms=`echo "$sudoers" | awk -F ' ' '{print $1}'`    # Permissions
suowner=`echo "$sudoers" | awk -F ' ' '{print $3}'`    # Owner
sugroup=`echo "$sudoers" | awk -F ' ' '{print $4}'`    # Group

echo "--[ /etc/sudoers Permissions ]--"
echo "* Access : $superms"
echo "* Owner : $suowner"
echo "* Group : $sugroup"
echo "----------------------------------------------"
echo

# Possible SUIDs

# Files with the setuid or setgid bit set
suids=`
    find / -perm /6000 2> /dev/null |
    awk '{print "*",$0}'
`

echo "--[ Possible SUIDs ]--"
echo "$suids"
echo "----------------------------------------------"
echo

# sudo History

# Read sudo history from bash history
shist=`
    grep "sudo " ~/.bash_history 2> /dev/null |
    awk '{print "*",$0}'
`

echo "--[ sudo History ]--"
echo "$shist"
echo "----------------------------------------------"
echo

# SSH Keys

# Find SSH keys in home directories
sshkeys=`
    ls /home/*/.ssh/*.rsa /home/*/.ssh/*.pub \
        /root/.ssh/*.rsa /root/.ssh/*.pub 2> /dev/null |
    awk '{print "*",$0}'
`

echo "--[ SSH Keys ]--"
echo "$sshkeys"
echo "----------------------------------------------"
echo

# Versions
# Version strings are passed to printf as arguments, never as the format
# string, so a stray "%" in a banner cannot break the output.

# Bash
vbash=`
    bash --version 2> /dev/null |
    head -n 1 |
    awk -F ' ' '{printf "%s", $4}'
`

# sudo
vsudo=`
    sudo --version 2> /dev/null |
    head -n 1 |
    awk -F ' ' '{printf "%s", $3}'
`

# GCC
vrgcc=`
    gcc --version 2> /dev/null |
    head -n 1 |
    awk -F ' ' '{printf "%s", $NF}'
`

# Python 2 (prints its version on stderr, hence 2>&1)
vpyt2=`
    python2 --version 2>&1 |
    awk -F ' ' '{print $2}'
`

# Python 3
vpyt3=`
    python3 --version 2> /dev/null |
    awk -F ' ' '{print $2}'
`

# Java
vjava=`
    java --version 2> /dev/null |
    head -n 1 |
    awk -F ' ' '{print $2}'
`

# cURL
vcurl=`
    curl --version 2> /dev/null |
    head -n 1 |
    awk -F ' ' '{print $2}'
`

# wget
vwget=`
    wget --version 2> /dev/null |
    head -n 1 |
    awk -F ' ' '{print $3}'
`

# Ruby
vruby=`
    ruby --version 2> /dev/null |
    awk -F ' ' '{print $2}'
`

echo "--[ Versions ]--"
echo "* Bash : $vbash"
echo "* sudo : $vsudo"
echo "* GCC : $vrgcc"
echo "* Python 2 : $vpyt2"
echo "* Python 3 : $vpyt3"
echo "* Java : $vjava"
echo "* cURL : $vcurl"
echo "* wget : $vwget"
echo "* Ruby : $vruby"
echo "----------------------------------------------"
echo
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PXEnum (Post Exploitation Enumeration)

## Overview

A shell script that automatically performs a series of \*NIX enumeration tasks.

## Installation

You can install PXEnum directly by cloning the repository with Git, or you can fetch the source code directly with a tool such as wget if Git is unavailable.

__Cloning with Git__

```
$ git clone https://github.com/shawnduong/PXEnum
```

__Downloading with wget__

```
$ wget https://raw.githubusercontent.com/shawnduong/PXEnum/master/PXEnum.sh
```

## Usage

You can make the shell script executable and then run it, or you can pass it to the shell interpreter directly.

__Method 1: Making it executable and running it__

```
$ chmod +x PXEnum.sh
$ ./PXEnum.sh
```

__Method 2: Passing it to the shell interpreter__

```
$ sh PXEnum.sh
```

## v2.0.2 (2021.04.18) Changelog

* Fixed a bug in the output of active/running services.

## v2.0.1 (2020.11.17) Changelog

* Fixed a bug occurring in the default shells of some systems related to unexpected redirections.

## v2.0 (2020.3.27) Changelog

* The source code has been completely revamped to improve readability.
* Removed colored text output, as it was not universal among shells or terminals. All output is now plain text without any colorful gimmicks.
* All checks belonging to a section are now run at once before being displayed together.
* Moved away from utilities such as lspci, lscpu and dmidecode, as they have become less universal and sometimes require elevated privileges. Instead, the relevant `/proc` and `/sys` files are read directly.
* printf alignment is used wherever applicable for easier reading.
* Moved away from cron in favor of systemd timers.
* Moved away from legacy services in favor of systemd services.
* Checks have been revamped. A full list of checks can be found later in this README.

## Testing, Compatibility, and Contributing

This script was tested on a custom Arch Linux system. Further testing on a multitude of operating systems is needed to ensure compatibility. Please open an issue if you find bugs.

Contributions are highly welcome. Please refer to this guide if you are new to Git and/or need some guidance on making contributions: https://akrabat.com/the-beginners-guide-to-contributing-to-a-github-project/

## Checks

The following is a full list of checks done by PXEnum.

__Basic Information__
* Username
* Hostname
* Home Path
* EUID
* EGID
* Groups
* Kernel Name
* Kernel Release
* Kernel Version
* Architecture
* OS Name

__Hardware Information__
* Product Family
* Product Name
* Product Version
* CPUs and CPU bugs
* RAM Total
* RAM Available
* RAM Free

__BIOS Information__
* BIOS Vendor
* BIOS Date
* BIOS Version

__Users and Groups__
* Users
* Users with login shells
* Users with home directories
* Groups

__Network Information__
* Interfaces
* MAC Addresses
* IP Addresses
* Open Ports

__Activity__
* Currently Online Users
* Currently Running Processes
* Active Services
* Running Services

__Timers__
* Timers

__/etc/shadow Permissions__
* Access
* Owner
* Group

__/etc/sudoers Permissions__
* Access
* Owner
* Group

__Possible SUIDs__
* SUIDs

__sudo History__
* sudo History

__SSH Keys__
* SSH Keys

__Software Versions__
* Bash
* sudo
* GCC
* Python 2
* Python 3
* Java
* cURL
* wget
* Ruby

--------------------------------------------------------------------------------