{"id":13839626,"url":"https://github.com/luke-goddard/enumy","last_synced_at":"2025-07-11T06:30:49.344Z","repository":{"id":182345189,"uuid":"261287930","full_name":"luke-goddard/enumy","owner":"luke-goddard","description":"Linux post exploitation privilege escalation enumeration ","archived":false,"fork":false,"pushed_at":"2020-08-20T07:13:18.000Z","size":479,"stargazers_count":253,"open_issues_count":9,"forks_count":33,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-08-05T17:23:57.865Z","etag":null,"topics":["automation","linux-enumeration","oscp","oscp-tools","post-exploitation","privilage-escalation","vulnerability-scanners"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/luke-goddard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-05-04T20:25:12.000Z","updated_at":"2024-08-01T05:35:11.000Z","dependencies_parsed_at":"2023-07-19T17:05:26.747Z","dependency_job_id":null,"html_url":"https://github.com/luke-goddard/enumy","commit_stats":null,"previous_names":["luke-goddard/enumy"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luke-goddard%2Fenumy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luke-goddard%2Fenumy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luke-goddard%2Fenumy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luke-goddard%2Fenumy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/owners/luke-goddard","download_url":"https://codeload.github.com/luke-goddard/enumy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225699944,"owners_count":17510431,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","linux-enumeration","oscp","oscp-tools","post-exploitation","privilage-escalation","vulnerability-scanners"],"created_at":"2024-08-04T17:00:31.595Z","updated_at":"2024-11-21T08:31:18.823Z","avatar_url":"https://github.com/luke-goddard.png","language":"C","funding_links":[],"categories":["C","C (286)"],"sub_categories":[],"readme":"\u003ca href=\"https://scan.coverity.com/projects/luke-goddard-enumy\"\u003e\u003cimg alt=\"Coverity Scan Build Status\" src=\"https://scan.coverity.com/projects/20962/badge.svg\"/\u003e\u003c/a\u003e\n[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/luke-goddard/enumy/graphs/commit-activity)\n[![GitHub license](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/Naereen/StrapDown.js/blob/master/LICENSE)\n[![Total alerts](https://img.shields.io/lgtm/alerts/g/luke-goddard/enumy.svg?logo=lgtm\u0026logoWidth=18)](https://lgtm.com/projects/g/luke-goddard/enumy/alerts/)\n[![Help Wanted](https://img.shields.io/github/issues/luke-goddard/enumy/help%20wanted?color=green)](https://github.com/luke-goddard/enumy/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)\n[![Language grade: 
C/C++](https://img.shields.io/lgtm/grade/cpp/g/luke-goddard/enumy.svg?logo=lgtm\u0026logoWidth=18)](https://lgtm.com/projects/g/luke-goddard/enumy/context:cpp)\n\n# Enumy\n\n\u003cimg src=\"https://i.imgur.com/luC3mTu.png\"  align=\"right\" width=\"300\" height=\"200\"/\u003e\n\nEnumy is an __ultra fast portable executable__ that you drop on a target Linux machine during a pentest or CTF in the post exploitation phase. Running enumy will enumerate the box for __common security vulnerabilities__.\n\n## Installation\n\nYou can download the final binary from the release x86 or x64 tab. _Statically linked to musl_\nTransfer the final enumy binary to the target machine.\n\n- [latest release](https://github.com/luke-goddard/enumy/releases)\n\n```shell\n./enumy\n```\n\n## Who Should Use Enumy\n\n- Pentesters can run it on a target machine to find raisable issues for their reports.\n- CTF players can use it to identify things that they might have missed.\n- People who are curious to know how many issues enumy finds on their local machine.\n\n## Options\n\n```shell\n$ ./enumy64 -h\n ▄█▀─▄▄▄▄▄▄▄─▀█▄  _____                                  \n ▀█████████████▀ |   __|___ _ _ _____ _ _ \n     █▄███▄█     |   __|   | | |     | | |\n      █████      |_____|_|_|___|_|_|_|_  |\n      █▀█▀█                          |___|\n\n https://github.com/luke-goddard/enumy\n\n Enumy - Used to enumerate the target the target environment \u0026 look for\n common security vulnerabilities and hostspots\n ----------------------------------------------------------------------\n\n Output\n  -o \u003cloc\u003e     OUTPUT results to location (default enumy.json)\n\n Walking Filesystem\n  -i \u003cloc\u003e     IGNORE files in this directory (usefull for network shares)\n  -w \u003cloc\u003e     Only WALK files in this directory (usefull for devlopment)\n\n Scan Options\n  -f           run FULL scans (CPU intensive scan's enabled)\n  -t \u003cnum\u003e     THREADS (default 4)\n\n Printing Options\n  -a           Print all 
security AUDIT issues to screen (probably won't help duing a CTF)\n               Issues are ALWAYS logged in result files regardless of this flag being set.\n  -d \u003c1|2\u003e     Print DEBUG mode (1 low, 2 high) to enable error being printed to screen.\n  -g \u003cH|M|L\u003e   print to screen values GREATER than or equal to high, medium \u0026 low\n  -p \u003cH|M|L|I\u003e do not PRINT to screen high, medium, low \u0026 info issues (see below for example)\n  -m 1-100     MAXIMUM number of issues with same name to print to screen default (unlimited)\n ```\n\n## Compilation\n\nTo compile during _development_, make and the libcap library are all that is required.\n\n```shell\nsudo apt-get install libcap-dev\nmake\n```\n\nTo remove the glibc dependency and statically link all libraries/compile with musl, do the following. _Note: to do this you will need Docker installed to create the Alpine build environment._\n\n```shell\n./build.sh 64bit\n./build.sh 32bit\n./build.sh all\ncd output\n```\n\n## Scan Times\n\n![enumy benchmarks](benchmark.png?raw=true)\n\n## Scans That've Been Implemented\n\nBelow is the ever-growing list of scans that have been implemented.\n\n| Scan Type                                                    | Quick Scan         | Full Scan          | Implemented        | Printed To Screen | Save In Log        |\n| ------------------------------------------------------------ | ------------------ | ------------------ | ------------------ | ----------------- | ------------------ |\n| [Kernel Exploit Surgestor](#kernel-exploit-surgestor)        | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [SUID/GUID Scan](#suid-guid-scan)                            | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [File Capabilities Scan](#file-capabilities-scan)            | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x:       
        | :heavy_check_mark: |\n| [Interesting Files Scan](#interesting-files-scan)            | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [Coredump Scan](#coredump-scan)                              | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [Breakout Binaries Scan](#breakout-binary-scan)              | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [SSHD Configuration Scan](#ssh-misconfiguration-scan)        | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x:               | :heavy_check_mark: |\n| [Sysctl Scan](#sysctl-parameter-hardening)                   | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [Living Off The Land Scan](#living-off-the-land-scan)        | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [Current User Scan](#current-user-scan)                      | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |\n| [*.so Injection Scan](#dynamic-shared-object-injection-scan) | :x:                | :heavy_check_mark: | :heavy_check_mark: | :x:               | :heavy_check_mark: |\n| [Permissions Scan](#permissions-scan)                        | :x:                | :heavy_check_mark: | :heavy_check_mark: | :x:               | :heavy_check_mark: |\n| [File System Scan](#file-system-scan)                        | :x:                | :heavy_check_mark: | :heavy_check_mark: | :x:               | :heavy_check_mark: |\n| Docker Scan                                                  | :heavy_check_mark: | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| Environment Scan                                             | :heavy_check_mark: | 
:heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| Privileged Access Scan                                       | :heavy_check_mark: | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| Networking Scan                                              | :heavy_check_mark: | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| System Info Scan                                             | :heavy_check_mark: | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| Version Information Scan                                     | :heavy_check_mark: | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| Default Weak Credentials Scan                                | :heavy_check_mark: | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n| Weak Crypto Scan                                             | :x:                | :heavy_check_mark: | :x:                |                   | :heavy_check_mark: |\n\nNote: to print results marked as :x:, enable audit mode with the `-a` flag.\n\n## How To Contribute\n\n- If you can think of a scan idea that has not been implemented, raise it as an issue.\n- If you know how to program, make a pull request :)\n- All contributions are welcome\n\n### Scan types\n\n#### Kernel Exploit Surgestor\n\nThis scan checks the kernel version to see if it matches any kernel versions with known exploits.\n\n#### SUID GUID Scan\n\nThe idea of this scan is to enumerate the system looking for [SUID](https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/)/GUID binaries that are abnormal, or have weak permissions that can be exploited.\n\n#### File Capabilities Scan\n\nRecent Linux kernels support [capabilities](https://www.man7.org/linux/man-pages/man7/capabilities.7.html), which is the preferred way to give a file a subset of root's 
powers to mitigate risk. Although this is a much safer way of doing things, if you're lucky enough to find abnormal capabilities set on a file then it's quite possible that you can exploit the executable to gain higher access. Enumy will check the capabilities set on all executable files on the system.\n\n#### Interesting Files Scan\n\nThis is more of a generic scan that will try to categorize a file based on its contents, file extension and file name. Enumy will look for files such as private keys, passwords and backup files.\n\n#### Coredump Scan\n\nCoredump files are a type of ELF file that contains a process's address space when the program terminates unexpectedly. Now imagine if this process's memory was readable and contained sensitive information. Or even more exciting, this coredump could be for an internally developed tool that segfaulted, allowing you to develop a zero day.\n\n#### Breakout Binary Scan\n\nSome files should never have the SUID bit set. It is quite common for a lazy sysadmin to give a file like docker, ionice or hexdump SUID to make a bash script work or to make their life easier. This scan tries to find some known bad SUID binaries.\n\n#### Sysctl Parameter Hardening\n\n[Sysctl](https://linux.die.net/man/8/sysctl) is used to modify kernel parameters at runtime. It's also possible to query these kernel parameters and check to see if important security measures like ASLR are enabled.\n\n#### Living Off The Land Scan\n\nLiving off the land is a technique where attackers weaponize what's already on the system. They do this to remain stealthy, amongst other reasons. This scan would enumerate the files that an attacker would be looking for.\n\n#### Dynamic Shared Object Injection Scan\n\nThis scan will parse ELF files for their dependencies. 
If we have write access to any of these dependencies or write access to any DT_RPATH and DT_RUNPATH values then we can inject our own malicious shared object into that executable, potentially compromising the system.\n\n#### SSH Misconfiguration Scan\n\nSSH is one of the most common services that you will find in the real world. It's also quite easy to misconfigure it. This scan will check to see if it can be hardened in any way.\n\n#### Current User Scan\n\nThe current user scan just parses /etc/passwd. With this information we find root accounts, unprotected and missing home directories etc.\n\n#### Permissions Scan\n\nThis scan finds globally writable files, uneven permissions and unowned files. See [here](http://infosecisland.com/blogview/8494-Keeping-Linux-File-Systems-Clean-and-Secure.html) for the inspiration behind the scan.\n\n#### File System Scan\n\nThis scan would be useful for people trying to harden their Linux machine. It will highlight issues such as unencrypted drives and insecure mounting configurations.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluke-goddard%2Fenumy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluke-goddard%2Fenumy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluke-goddard%2Fenumy/lists"}