Checklist & Scripts - Linux
Running list of checks across scripts:
COMMON CHECKS
Host
Kernel
uname -arms # kernel
/proc/version # kernel
/etc/*-release # operating system
/etc/issue # operating system
Network
ifconfig -a # interfaces
route # routing information
netstat -antup | grep -v 'TIME_WAIT' # Netstat
cat /etc/network/interfaces # network interfaces
cat /etc/sysconfig/network # network configuration
cat /etc/resolv.conf # DNS settings
cat /etc/networks # network settings
dnsdomainname # DNS domain name
IPTables
User
- check for super users and other users in /etc/passwd
- check for other interesting info
bash
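# Identity, login history and environment. One command per line: collapsed onto a
# single line, everything after the first '#' is a comment and only `whoami` runs.
whoami # current user id
/etc/group # group information (file to inspect)
w # who is logged on
last # pulls from /var/log/wtmp which deals with more than just user logins. Virtually any change to the system-wide state is recorded there
lastlog # pulls from /var/log/lastlog which is only concerned with previous logins
env # environment variables
echo "$PATH" # path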
User stuff
- User home directories: writable?
- User home directories: Readable and executable?
bash
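# Shell startup files and per-user history files to inspect, one per line
# (collapsed onto one line they would all sit inside the first comment).
# user .*_history files # user history
/etc/profile # user profile
/etc/bashrc # user bashrc
~/.bash_profile # user bash_profile
~/.bashrc # user bashrc
~/.bash_logout # user bash_logout
~/.bash_history # user bash_history
~/.nano_history # user nano_history
~/.aftp_history # user aftp_history
~/.mysql_history # user mysql_history
~/.php_history # user php_history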
SSH
- Check system for readable or encrypted ssh keys
- Check for ssh agents
- Check ssh config
- Check for authorized_hosts
bash
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
Processes
ps aux | awk '{print $1,$2,$9,$10,$11}' # current processes
ps -ef | /bin/grep root # processes running as root
top # top processes
cat /etc/services # services
Mount
FILES
Password Related
- hashes in /etc/passwd?
- users with no password in /etc/passwd
- read /etc/shadow?
- read lib/misc/shadow?
SUDO(ERS)
sudo --version # sudo version
cat /etc/sudoers # sudoers
echo '' | sudo -S -l # sudo without password
File/Folder permissions: world
- files with sticky bit (+sS)
- world writable folders
bash
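# Directories writable/executable by "other". Symbolic modes for find -perm need the
# form -o=w / -o=x; a bare "-o" after -perm is rejected as an invalid mode.
find / -writable -type d 2>/dev/null # directories writable by the current user (not necessarily world-writable)
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o=w -type d 2>/dev/null # world-writeable folders
find / -perm -o=x -type d 2>/dev/null # world-executable folders
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # world-writeable & executable folders
- world writable files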
bash
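# Files writable/executable by "other". Symbolic modes for find -perm need the
# form -o=w / -o=x; a bare "-o" after -perm is rejected as an invalid mode.
find / -writable -type f 2>/dev/null # files writable by the current user (not necessarily world-writable)
find / -perm -222 -type f 2>/dev/null # world-writeable files
find / -perm -o=w -type f 2>/dev/null # world-writeable files
find / -perm -o=x -type f 2>/dev/null # world-executable files
find / \( -perm -o=w -perm -o=x \) -type f 2>/dev/null # world-writeable & executable files
- list potentially sensitive files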
File/Folder permissions: own/group
- files owned by current user
bash
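# SUID/SGID files: a full-filesystem pass, then a quicker pass restricted to *bin directories.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it
# Quicker search: looks in 'common' places (/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
# /usr/local/sbin and any other *bin known to the locate database) for SGID or SUID files.
# The loop relies on word-splitting of locate's output, so paths containing spaces are split.
for i in $(locate -r "bin$"); do find "$i" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
- list group-writable files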
BINARIES
- check for dev tools (awk/perl/python/nc/etc)
- list installed packages
EXTRA CHECK
Network
arp -a # ARP information (with -a flag: all)
arp -e # ARP information (with -e flag: extended)
grep "nameserver" /etc/resolv.conf # DNS settings
lsof -i # list open files
lsof -i :80 # list open files on port 80
grep 80 /etc/services # services running on port 80
netstat -antup # netstat listening TCP (with -antup flag: all, numeric, TCP, UDP, program)
netstat -antpx # netstat listening TCP plus UNIX domain sockets (with -antpx flag: all, numeric, TCP, program, UNIX sockets)
netstat -tulpn # netstat listening TCP (with -tulpn flag: TCP, UDP, listening, program, numeric)
chkconfig --list # services that start at boot
chkconfig --list | grep 3:on # RHEL/CentOS services that start at boot
route # routing information
/sbin/route -nee # routing information (with -nee flag: -n numeric addresses without name lookups, -ee extended netstat-style output)
Printer
Files
password
/etc/shadow # check read /etc/shadow
/etc/master.passwd # check read /etc/master.passwd (BSD 'shadow' variant)
/etc/security/passwd # check read /etc/security/passwd (BSD 'shadow' variant)
config
- search for all *.conf files
- other .conf files:
system
/etc/init
/etc/rc
/etc/inetd
/etc/xinetd
/etc/bash.bashrc
/etc/profile
/etc/hosts.equiv
/etc/shosts.equiv
all
- world readable folders:
- world readable files:
- list all jar files:
var
ls -lah /var/log
ls -lah /var/mail
ls -lah /var/spool
ls -lah /var/spool/lpd
ls -lah /var/lib/pgsql
ls -lah /var/lib/mysql
cat /var/lib/dhcp3/dhclient.lease
www
ls -lahR /var/www/
ls -lahR /srv/www/htdocs/
ls -lahR /usr/local/www/apache22/data/
ls -lahR /opt/lampp/htdocs/
ls -lahR /var/www/html/
Cron
ls -la /etc/cron* 2>/dev/null # scheduled cron jobs
ls -laR /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null # writable cron directories
ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null # anacrontab
crontab -l # crontab for current user
ls -lah /var/spool/cron # cron jobs
ls -la /etc/ | grep cron # cron directories
ls -la /etc/cron* # cron directories
cat /etc/cron* # cron directories
cat /etc/at.allow # at.allow
cat /etc/at.deny # at.deny
cat /etc/cron.allow # cron.allow
cat /etc/cron.deny # cron.deny
cat /etc/crontab # crontab
cat /etc/anacrontab # anacrontab
cat /var/spool/cron/crontabs/root # root crontab
Apache
apache --version # check version
apache invokee # check invokee
apache modules # check modules
cat /etc/apache2/apache2.conf # check apache config
cat /etc/httpd/conf/httpd.conf # check apache config
Postgres
postgres --version # check version
postgres default login # check default login
trust relationships # check trust relationships
verify trust relationships # check trust relationships
check permissions of postgres config file # check permissions
MySQL
mysql --version # check version
mysql root:root # default login
mysql -u root -e 'show databases;' # show databases
mysql -u root -e 'show databases;' 2>/dev/null | grep test # check for test database
mysql -u root -e 'show databases;' 2>/dev/null | grep information_schema # check for information_schema database
mysql -u root -e 'show databases;' 2>/dev/null | grep mysql # check for mysql database
mysql -u root -e 'show databases;' 2>/dev/null | grep Database # check for other databases
mysqldump --all-databases > /tmp/mysql.txt # dump database (the output holds every database and, under the default umask, is readable by other local users at a predictable path; prefer a mktemp file and delete it afterwards)
mysqldump -u root -p --all-databases > /tmp/mysql.txt # dump database, prompting for the root password (same caveat on the output path)
UNCOMMON CHECKS
Security
SELinux 'enforce' # SELinux is a set of extra security restrictions on top of the normal Linux security tools. It gives the systems administrator a finer grain of control than what the kernel typically provides.
NX bit # NX bit / logging (if kernel_nx or SunOS)
mmap to 0 # mmap allows mapping to zero
ASLR # ASLR is a computer security technique which involves randomly arranging the address space of an executable program
gpg-agent # Check if the gpg-agent is running
Docker
cat /proc/1/cgroup | grep docker # check if in a docker container
cat /proc/1/cgroup | grep host # check if in a docker host
cat /etc/group | grep docker # check if in a docker group
find / -name "*.yml" -type f 2>/dev/null # check for docker files
Authentication
ypcat passwd 2>/dev/null # check if NIS used
ldapsearch -x -b "dc=mydomain,dc=com" 2>/dev/null # check if LDAP used
Files
grep -i -I -r 'password\|username' /etc/ 2>/dev/null # find files with 'username' and/or 'password'
find / -name .rhosts 2>/dev/null # check for .rhosts
find /home -name .plan 2>/dev/null # check for .plan files
find / -name hosts.equiv 2>/dev/null # check for /etc/hosts.equiv
ls -lah /var/mail # check for user mail
cat /var/mail/root # check for root mail
cat /var/spool/mail/root # check for root mail
TCP Listen to traffic
Logs
cat /etc/httpd/logs/access_log # apache access log
cat /etc/httpd/logs/access.log # apache access log
cat /etc/httpd/logs/error_log # apache error log
cat /etc/httpd/logs/error.log # apache error log
cat /var/log/apache2/access_log # apache access log
cat /var/log/apache2/access.log # apache access log
cat /var/log/apache2/error_log # apache error log
cat /var/log/apache2/error.log # apache error log
cat /var/log/apache/access_log # apache access log
cat /var/log/apache/access.log # apache access log
cat /var/log/auth.log # auth log
cat /var/log/chttp.log # chttp log
cat /var/log/cups/error_log # cups error log
cat /var/log/dpkg.log # dpkg log
cat /var/log/faillog # fail log
cat /var/log/httpd/access_log # apache access log
cat /var/log/httpd/access.log # apache access log
cat /var/log/httpd/error_log # apache error log
cat /var/log/httpd/error.log # apache error log
cat /var/log/lastlog # last log
cat /var/log/lighttpd/access.log # lighttpd access log
cat /var/log/lighttpd/error.log # lighttpd error log
cat /var/log/lighttpd/lighttpd.access.log # lighttpd access log
cat /var/log/lighttpd/lighttpd.error.log # lighttpd error log
cat /var/log/messages # messages log
cat /var/log/secure # secure log
cat /var/log/syslog # syslog
cat /var/log/wtmp # wtmp log
cat /var/log/xferlog # xfer log
cat /var/log/yum.log # yum log
cat /var/run/utmp # utmp log
cat /var/webmin/miniserv.log # webmin log
cat /var/www/logs/access_log # apache access log
cat /var/www/logs/access.log # apache access log
ls -alh /var/lib/dhcp3/ # dhcp3 log
ls -alh /var/log/postgresql/ # postgresql log
ls -alh /var/log/proftpd/ # proftpd log
ls -alh /var/log/samba/ # samba log
LYNIS CHECKS
Auth
- multiple users with UID 0
Boot
- Check for Linux boot services (systemd and chkconfig)
- Check for Linux boot services (Debian style)
- Check world writable startup scripts
Database
- Check empty MySQL root password
- Check MongoDB status
- Check empty MongoDB authorization
- Check if Oracle is being used
- Check Oracle home paths from oratab
- Checks if a DB2 instance is currently running
- Determine if Redis is running
- Determine Redis configuration
Firewall
- Check iptables kernel module
- Check iptables chain policies
- Check iptables for empty ruleset (should have at least 10 or more rules)
- Check iptables for unused rules
- Checking status of pf firewall components
- Check for CSF (ConfigServer Security & Firewall)
- Check ipf (Solaris)
- Check IPFW (FreeBSD)
- Check Application Firewall in macOS
- Check nftables kernel module
- Check nftables configuration
- Check if at least one firewall is active
Hardening
- Check for installed compilers
- Check for permissions of installed compilers
- Check Exim process status
- Check Postfix process
- Check Postfix configuration
- Check Postfix configuration for error
php
- Check Possible locations of php.ini
- Check php disable functions option
Shell
- Check all console TTYs in which root user can enter single user mode without password
- which shells are available according to /etc/shells
snmp
- Check for a running SNMP daemon
- Determine SNMP daemon configuration file location
- Determine SNMP communities
ssh
- Determine SSH daemon configuration file location
- Check SSH specific defined options
- Check if only a specific amount of users/groups can log in to the system
Nfs Storage
- Check rpcinfo
- Check nfs versions in rpcinfo
- Check nfs protocols (TCP/UDP) and port in rpcinfo
- Check for running NFS daemons
- Check NFS exports
- Check for empty exports file while NFS is running
- Check client access to nfs share
Tooling
- Check if automation tools are found (ansible, cfagent, chef, puppet, etc)
- Check for Fail2ban
- Check for Fail2ban enabled tests
- Check for Snort
- Check for an IDS/IPS tool
Virtualization
- Check if in a VMWare VM
Web
- Test for Apache installation
- Testing main Apache configuration file
- Testing other Apache configuration files
- Search for available Apache modules
- Search for special Apache modules: evasive, QoS, security
- Search for nginx process
- Search for nginx configuration file
- Search for includes within nginx configuration file
- Check discovered nginx configuration settings for further hardening
- Check SSL configuration of nginx
LIN ENUM
Kernel information
uname -a 2>/dev/null # kernel version
cat /proc/version 2>/dev/null # kernel version
cat /etc/*-release 2>/dev/null # operating system
hostname 2>/dev/null # hostname
id 2>/dev/null # current user information
lastlog 2>/dev/null |grep -v "Never" 2>/dev/null # last logged on user
w 2>/dev/null # who else is logged on
User Information
whoami # current user
grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null # check for hashes being stored in /etc/passwd
for i in $(cat /etc/passwd 2>/dev/null| cut -d ":" -f1 2>/dev/null); do id $i; done 2>/dev/null # list all user id's and respective groups
Locate custom user accounts with 'known default' UIDs
grep -v "^#" /etc/passwd | awk -F: '$3 == 0 || $3 == 500 || $3 == 501 || $3 == 502 || $3 == 1000 || $3 == 1001 || $3 == 1002 || $3 == 2000 || $3 == 2001 || $3 == 2002 { print }'
User Information
cat /etc/shadow 2>/dev/null # check read /etc/shadow
cat /etc/master.passwd 2>/dev/null # check read /etc/master.passwd (BSD 'shadow' variant)
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' # check for user with UID 0
Pull out vital sudoers info (if readable)
cat /etc/sudoers 2>/dev/null | grep -v -e '^$' 2>/dev/null | grep -v "#" 2>/dev/null # check sudoers file
echo '' | sudo -S -l 2>/dev/null # check sudo without password
Print known 'good' breakout binaries
echo '' | sudo -S -l 2>/dev/null | grep -w 'nmap\|perl\|'awk'\|'find'\|'bash'\|'sh'\|'man'\|'more'\|'less'\|'vi'\|'emacs'\|'vim'\|'nc'\|'netcat'\|python\|ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null # check for known binaries
Check if home directories are accessible
ls -lah /root/ 2>/dev/null # check root home accessible
ls -lah /home/ 2>/dev/null # check /home directory accessible
Find world writable files
ls -lah ~ 2>/dev/null # list /home directories contents
find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null # find world readable files in /home
find / -writable -not -user $(whoami) -type f -not -path "/proc/*" -exec ls -al {} \; 2>/dev/null # find files writable by the current user but owned by someone else
Check for various ssh files
find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} 2>/dev/null \; # check for ssh files
Check root login via SSH (/etc/ssh/sshd_config)
grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk '{print $2}' # check root login via SSH
env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null # print $env information
echo $PATH 2>/dev/null # print $PATH information
cat /etc/shells 2>/dev/null # list available shells
umask -S 2>/dev/null; umask 2>/dev/null # umask value with symbolic and octal output
Umask value as in /etc/login.defs
cat /etc/login.defs 2>/dev/null | grep -i UMASK 2>/dev/null |grep -v "#" 2>/dev/null # check umask value
Password policy information as stored in /etc/login.defs
cat /etc/login.defs 2>/dev/null | grep "PASS_MAX_DAYS\|PASS_MIN_DAYS\|PASS_WARN_AGE\|ENCRYPT_METHOD" 2>/dev/null | grep -v "#" 2>/dev/null # check password policy
Check cron jobs
Check permissions on cron jobs
cat /etc/crontab 2>/dev/null # print crontab contents
ls -la /var/spool/cron/crontabs 2>/dev/null # print crontab contents
ls -la /var/spool/anacron 2>/dev/null # print anacron contents
Check anacron
(priv) Check account name associated cronjobs
cat /etc/passwd | cut -d ":" -f 1 | xargs -n1 crontab -l -u 2>/dev/null # check account name associated cronjobs
/sbin/ifconfig -a 2>/dev/null # NIC information
arp -a 2>/dev/null # arp information
cat /etc/resolv.conf 2>/dev/null | grep "nameserver" # DNS settings
route 2>/dev/null | grep default # default route configuration
netstat -antp 2>/dev/null # netstat listening TCP
netstat -anup 2>/dev/null # netstat listening UDP
ps aux 2>/dev/null # running processes
Lookup process binary path and permissions
ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' 2>/dev/null # check process binary path and permissions
- check xinetd.conf, try to show permissions of binaries
- check init.d files NOT belonging to root
- check rc.d files NOT belonging to root
- sudo version
- mysql --version
- mysql root:root default login
- postgres --version
- postgres default login
- apache --version
- apache invokee
- apache modules
- any readable in /home directories
- check for binaries (wget, nc, gcc, etc)
- world readable files
- world writable files
- suid files (+sS)
- world writable suid files
- world writable suid files owned by root
- guid files
- world writable guid files owned by root
- .plan files accessible in home (seen when 'finger' command is used)
- check for .rhosts (rlogin)
- check for /etc/hosts.equiv (rlogin)
- check nfs shares/permissions
- check for creds in /etc/fstab
- check for .conf files
- check for .ini files
- check for user .*_history files
- check for root .*_history files
- check for user mail
- check roots mail
- checks to detect if in a docker container
- checks to detect if in a docker host
- checks to detect if in a docker group
- check for any docker files (docker / *.yml)
MISC
privesc-check-master (from lib/misc/kernel, stealthy checks?) These are checks in lib/checks....there are more in lib/misc...OS specific, enhancements?
include files in bash or sh with . or source
Spawn a tty shell
This will spawn a tty shell. This is useful if you have a shell with limited capabilities.
Other ways to spawn a tty shell in case the above doesn't work:
Check all world writeable files
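# Report every non-symlink file whose permission string grants write access to "other".
# Helpers come from elsewhere in the project: file_show_non_symlink_perms emits lines
# read here as "filename permissions userid groupid", permission_is_world_writable_sticky_bit
# prints 1 when the sticky bit is set, and stdio_message_warn prints the finding.
# The previous message used "$(unknown)", which runs a command named "unknown" instead of
# printing the file name; ${filename} is the field read for that purpose.
# The loop body runs in a pipeline subshell, so nothing it sets survives the loop.
world_writable_main () {
  file_show_non_symlink_perms "^........w. " | while read -r filename permissions userid groupid
  do
    case "${permissions}" in
      ????????w?)
        # Sticky-bit directories (/tmp style) are a different risk, so they get their own wording.
        if [ "$(permission_is_world_writable_sticky_bit "${permissions}")" -eq 1 ]; then
          stdio_message_warn "world_writable" "${filename} is owned by user ${userid} (group ${groupid}) and is world-writable with sticky bit (${permissions})"
        else
          stdio_message_warn "world_writable" "${filename} is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
        fi
        ;;
    esac
  done
}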
check SELinux 'enforce'
- SELinux is a set of extra security restrictions on top of the normal Linux security tools.
- It gives the systems administrator a finer grain of control than what the kernel typically provides.
selinuxenabled && echo enabled || echo disabled # SELinux enabled quick test
getenforce # SELinux status quick test
sestatus # SELinux status quick test
sestatus -v # SELinux show security contexts
sestatus -b | grep on$ # SELinux show booleans
setenforce 0 # Temporarily disable SELinux (switches to permissive mode until reboot; this changes system state and needs root, it is not a read-only check)
# Warn when kernel_selinux_enforce (helper defined elsewhere) reports 0, i.e. SELinux is
# not enforcing system-wide; any other value is logged at debug level as enforcing.
system_selinux_main () {
  if [ "$(kernel_selinux_enforce)" -eq 0 ]; then
    stdio_message_warn "system_selinux" "SELinux does not enforce system-wide"
  else
    stdio_message_debug "system_selinux" "SELinux enforces system-wide"
  fi
}
check NX bit / logging 'if kernel_nx or SunOS'
# Flag CPUs without NX (no-execute) support. kernel_nx (helper defined elsewhere) prints 0
# when NX is absent; every other value is treated as "supported" and logged at debug level.
system_nx_main () {
  if [ "$(kernel_nx)" -eq 0 ]; then
    stdio_message_warn "system_nx" "The CPU does not support NX"
  else
    stdio_message_debug "system_nx" "The CPU supports NX"
  fi
}
check mmap (memory map) allows mapping to zero
# Warn when kernel_mmap_zero_allowed (helper defined elsewhere) prints 1, meaning the
# kernel lets processes map address 0; any other value is logged at debug level.
system_mmap_main () {
  if [ "$(kernel_mmap_zero_allowed)" -eq 1 ]; then
    stdio_message_warn "system_mmap" "mmap allows map to 0"
  else
    stdio_message_debug "system_mmap" "mmap does not allow map to 0"
  fi
}
Extensive file permissions checker.
Looks for the following:
"permission_is_world_writable_sticky_bit \"${permissions}\"" -eq 1 (${systemfilename}) $(unknown) is owned by user ${userid} (group ${groupid}) and is world-writable (${permissions})"
"group_is_in_group_name \"${groupid}\"" -eq 1 (${systemfilename}) $(unknown) is owned by user ${userid} (group ${groupid}: YOU) and is group-writable (${permissions})"
"user_is_root \"${userid}\"" -ne 1 -a "user_show_user_name" = "${userid}" (${systemfilename}) $(unknown) is owned by user ${userid} (YOU) (group ${groupid}), non-root user (${permissions})"
Check sensitive files:
# Newline-separated list of configuration paths the checker treats as sensitive
# (the value begins with a newline; all entries live under /etc).
sensitive_config_files='
/etc/passwd
/etc/shadow
/etc/master.passwd
/etc/security/passwd
/etc/group
/etc/cron
/etc/fstab
/etc/init
/etc/rc
/etc/inetd
/etc/xinetd
/etc/bash.bashrc
/etc/profile
/etc/sudoers
/etc/hosts.equiv
/etc/shosts.equiv'
check ASLR
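# Classify ASLR support from kernel_aslr (helper defined elsewhere): 0 means no ASLR, in
# which case kernel_aslr_pax is consulted for a PaX implementation; 1 means conservative
# ASLR (heap addresses not randomized); anything else is reported as fully supported.
# kernel_aslr is queried once and dispatched with case, instead of being run twice.
system_aslr_main () {
  case "$(kernel_aslr)" in
    0)
      if [ "$(kernel_aslr_pax)" -eq 0 ]; then
        stdio_message_warn "system_aslr" "ASLR is not supported system-wide"
      else
        stdio_message_debug "system_aslr" "PAX ASLR is supported system-wide"
      fi
      ;;
    1)
      stdio_message_log "system_aslr" "Conservative ASLR is supported system-wide (heap addresses are not randomized)"
      ;;
    *)
      stdio_message_debug "system_aslr" "ASLR is supported system-wide"
      ;;
  esac
}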
- check /etc/sudoers and list permissions/groups
- check for readable and/or encrypted ssh keys
- check for running ssh agents and try to identify the key in use
- check lib/misc/shadow and if readable check for users with no password
- find files with setuid bit set (runs as root)
- find files with the setgid bit set (runs as group)
- Check PostgreSQL trust relationships
- Verify PostgreSQL trust relationships by connecting to localhost with common usernames and no password
- Check permissions of PostgreSQL configuration file pg_hba.conf
- List users with no password set or password in /etc/passwd (also checked in system_configuration)
- Check if NIS is used for authentication
- Check if LDAP is used for authentication
- List potentially sensitive files (world readable etc)
- List all jar files
- Check for writable permission on home directories
- Check for readable and executable permissions on home directories
- List all .*_history files
- List group-writable files
- Check if the gpg-agent is running
- Check for world-readable and world-writable permissions on devices files
- Check for weak options on devices files
- Check for read permissions on sensitive files
- (priv) List group-writable and world-writable privileged files (their parent directories too) and processes
- (priv) Check if privileged files call temporary files handling functions. Based on ideas found at http://people.redhat.com/sgrubb/security/
- (priv) Check for stack canary (SSP) support
- (priv) List group-writable and world-writable privileged files (their parent directories too) and processes that trust other filepaths (with RPATH variable)
- (priv) Check if privileged files call random() or srand() functions
- (priv) Check for PIE (ASLR-compliant executable) support Based on ideas found at http://people.redhat.com/sgrubb/security/
- (priv) Check if privileged files set PATH variable Based on ideas found at http://people.redhat.com/sgrubb/security/
- (priv) Check for NX (NoExecute) support (privileged vs unprivileged check above)
- (priv) Check if textual privileged files (like bash scripts) use environment variables
- (priv) Check for write permissions over privileged files and processes' linked libraries
- (priv) Check if privileged files calling chroot() function call also chdir() function Based on ideas found at http://people.redhat.com/sgrubb/security/
- (priv) Check if privileged files drop their privileges Based on ideas found at http://people.redhat.com/sgrubb/security/
- (priv) Check if privileged files call banned (and potentially dangerous) functions Based on Microsoft's banned API list as parsed by ../../tools/generate_banned.sh update script?
- (priv) Check if textual privileged files (like bash scripts) accept user-provided arguments
SCRIPTS
Linux-local-enum.sh
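#!/bin/bash
################################################################################################################
# Linux-local-enum.sh v1.0
# This script is used to gather local system information and perform system enumeration.
# It includes commands to check files, running services, disk space, and user information for security audits or system assessments.
# Every command below only reads; nothing modifies the host. Files the current user may not read
# (e.g. /etc/shadow, /etc/sudoers) print a permission error and the script simply continues.
################################################################################################################
# Cat files:
# These files provide important system and user configuration details.
cat /etc/issue # OS information
cat /etc/*-release # Distribution-specific info (e.g., Ubuntu, CentOS)
cat /etc/sysconfig/network # Network configuration (for specific distros like RHEL/CentOS)
cat /etc/resolv.conf # DNS resolver configuration
cat /etc/fstab # File system table (mounted file systems)
cat /etc/passwd # User account information
cat /etc/shadow # Password and account aging info (requires root)
cat /etc/group # Group information
cat /etc/sudoers # Sudo configuration (requires root)
# Run system commands:
uname -ar # Kernel version, architecture, and system information
df -h # Disk space usage in human-readable format
mount | column -t # Show mounted file systems in a formatted manner
ls -ahlR /home/ # List files in /home directory with detailed info
ls -ahlR /root/ # List files in /root directory with detailed info
w # Who is logged in and what they're doing
last # Last logged-in users
ps -ef | /bin/grep root # List processes running as root
dpkg -l # List installed packages for Debian-based systems (Ubuntu, etc.)
rpm -qa # List installed packages for RHEL-based systems (CentOS, Fedora)
# The substitution is quoted so an empty or unexpected runlevel cannot word-split into a bare ":on" pattern.
chkconfig --list | grep "$(runlevel | awk '{ print $2 }'):on" # Services that start at boot (RHEL/CentOS)
ls /etc/init.d/ # List system initialization scripts
# Find files with specific permissions or ownership:
# -maxdepth is a global option and goes before the tests. The SUID/SGID tests are grouped so the
# -exec applies to both: unparenthesised, "-o" binds looser than the implicit "-a", so SGID-only
# files never reached the -exec and were silently not printed.
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null # SetUID/SetGID files (symlinks excluded)
find / -perm -222 -type d 2>/dev/null # World-writable directories
find / -type f -perm 0777 2>/dev/null # Files with mode exactly 0777 (use -perm -0002 to catch every world-writable file)
find / -user "$(whoami)" 2>/dev/null # Files owned by the current user
################################################################################################################
# This script gathers system information useful for:
# - Security Audits
# - System Configuration and Inventory
# - Penetration Testing
# - Identifying Weak Permissions and Vulnerabilities
################################################################################################################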
linuxprivchecker.py
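#!/bin/bash
###############################################################################################################
# linuxprivchecker.py v1.0
# NOTE: despite the ".py" name kept in this header, the listing below is a bash script (see the shebang).
# This script is used for system enumeration and local privilege escalation checks.
# It checks various system configuration files, runs commands to gather information about users, groups,
# mounted filesystems, cron jobs, processes, and identifies possible security issues.
# Every command is read-only; errors from files the current user cannot read are silenced per command.
###############################################################################################################
# Cat files (System configuration and important files):
cat /etc/issue # Operating system information
cat /proc/version # Kernel version
cat /etc/fstab 2>/dev/null # fstab entries (file system table)
cat /etc/passwd # User entries (user details)
cat /etc/shadow 2>/dev/null # Shadow file (passwords) (privileged access required)
cat /etc/apache2/apache2.conf 2>/dev/null # Apache configuration file (if present)
# Run commands (Various system status and information):
hostname # Show the hostname of the system
ifconfig -a # Display network interfaces
route # Show routing table
netstat -antup | grep -v 'TIME_WAIT' # Show active network connections
mount # Display mounted file systems
ls -la /etc/cron* 2>/dev/null # List scheduled cron jobs
ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null # List writable cron directories
whoami # Display the current logged-in user
id # Show user ID and group ID
grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}' # List superusers from /etc/passwd
ls -la ~/.*_history 2>/dev/null; ls -la /root/.*_history 2>/dev/null # Show user and root command history (privileges dependent)
env 2>/dev/null | grep -v 'LS_COLORS' # Show environment variables
grep -v '#' /etc/sudoers 2>/dev/null # Display sudoers file entries (privileged access required)
w 2>/dev/null # Show who is logged in and what they are doing
dpkg -l | awk '{$1=$4=""; print $0}' # List installed packages (Debian systems)
rpm -qa | sort -u # List installed packages (RedHat systems)
ps aux | awk '{print $1,$2,$9,$10,$11}' # List current processes
sudo -V | grep version 2>/dev/null # Check sudo version (check for known exploits)
# Grouped so the single redirect silences all four Apache commands, not just the last one.
{ apache2 -v; apache2ctl -M; httpd -v; apachectl -l; } 2>/dev/null # Apache version and enabled modules
# command -v is the shell builtin; 'which' is an external tool whose output and exit status vary between distros.
for tool in awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp; do command -v "$tool"; done 2>/dev/null # Check available development tools
# Find world-writable directories for specific users:
# World-writable directories for the 'root' user:
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root
# World-writable directories for users other than 'root':
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
# World-writable files:
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
# SUID/SGID files and directories (no sticky-bit test is made here):
find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null
# Check if root's home folder is accessible:
ls -ahlR /root 2>/dev/null
# Find logs containing the keyword 'password':
# NUL-delimited names survive spaces in paths; grep -E replaces the deprecated egrep.
find /var/log -name '*.log' -print0 2>/dev/null | xargs -0 grep -E 'pwd|password' 2>/dev/null
# Search for configuration files ending with '*.c*' and containing the keyword 'password':
find /etc -name '*.c*' -print0 2>/dev/null | xargs -0 grep -E 'pwd|password' 2>/dev/null
# Function for identifying processes and packages running as root or another superuser:
# Check for popular shell escape sequences that could potentially be used for privilege escalation:
# vi: :!bash, :set shell=/bin/bash
# awk: awk 'BEGIN {system("/bin/bash")}'
# perl: perl -e 'exec "/bin/bash";'
# find: find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
# nmap: --interactive
# Enumerate hard-coded exploits based on kernel/OS version (customizable for specific versions):
# This part of the script should be updated with specific checks for known exploits depending on kernel and OS versions.
###############################################################################################################
# Purpose:
# This script helps with system enumeration and local privilege escalation checks for security assessments,
# vulnerability analysis, and penetration testing.
###############################################################################################################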
- Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
- sploit format =
sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
# Table of known local privilege-escalation exploits, keyed by a display name.
# Each value holds:
#   minver / maxver : version window the exploit is believed to apply to
#                     (usually a kernel version, sometimes a distro release or
#                     package version); "0" and "99" are used as open-ended
#                     lower/upper bounds. The comparison logic lives elsewhere
#                     in the script, so inclusive/exclusive is not visible here.
#   exploitdb       : Exploit-DB entry number
#   lang            : language of the exploit source (c, asm, sh, python, ruby)
#   keywords        : {"loc": [where to look], "val": string to match}
#                     loc values used below: kernel, proc, pkg, os, mnt
# NOTE(review): the newest entry is EDB 25450 and no entry targets kernels past
# the 2.6.x line except the open-ended "99" ones, so a miss against this table
# says nothing about newer kernels -- treat it as a starting point, not a verdict.
sploits= { "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},
"<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
# maxver "99": version check is effectively disabled, applicability is driven by the 'mysql' keyword alone
"MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
# version window here is an Ubuntu release range (4.10 - 7.04), not a kernel version
"Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
"Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},
"2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
# NOTE(review): keyed on os=debian while the sibling vmsplice entry above is keyed on the kernel;
# looks like a data slip -- confirm against EDB 5093 before relying on it
"2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
# remote SSH key brute-force against weak Debian-PRNG keys, not a local privilege escalation
"Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},
"Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
"2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
"2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}},
"2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}},
"'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
# remote root command execution against the milter, not a local privilege escalation
"Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}},
# NOTE(review): loc "mnt" is the only use of that location in this table and it is not one of the
# documented keyword locations (kernel/proc/pkg/os); verify the matcher handles it, otherwise this entry is dead
"<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}},
# version window here is an Ubuntu release range (7 - 10.04), not a kernel version
"Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}},
"< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
# the two CAP_SYS_ADMIN entries use the open-ended "0".."99" window, so they match every kernel version
"CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
# version window here is a Samba version (2.2.8), not a kernel version
"Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}},
"open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
}