Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rebootuser/LinEnum
Scripted Local Linux Enumeration & Privilege Escalation Checks
https://github.com/rebootuser/LinEnum
Last synced: about 1 month ago
JSON representation
Scripted Local Linux Enumeration & Privilege Escalation Checks
- Host: GitHub
- URL: https://github.com/rebootuser/LinEnum
- Owner: rebootuser
- License: mit
- Created: 2013-08-20T06:26:58.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2023-09-06T18:02:29.000Z (over 1 year ago)
- Last Synced: 2024-08-01T19:45:23.824Z (4 months ago)
- Language: Shell
- Size: 242 KB
- Stars: 6,854
- Watchers: 196
- Forks: 1,979
- Open Issues: 25
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
- awesome-rainmana - rebootuser/LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks (Shell)
- Awesome-Security-Resources - LinEnum
- awesome-hacking-lists - rebootuser/LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks (Shell)
- awesome-list - LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks. (Hacking 💀 / Apps (Terminal))
README
# LinEnum
For more information visit www.rebootuser.comNote: Export functionality is currently in the experimental stage.
General usage:
version 0.982
* Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
OPTIONS:
* -k Enter keyword
* -e Enter export location
* -t Include thorough (lengthy) tests
* -s Supply current user password to check sudo perms (INSECURE)
* -r Enter report name
* -h Displays this help textRunning with no options = limited scans/no output file
* -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
* -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
* -t Performs thorough (slow) tests. Without this switch default 'quick' scans are performed.
* -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!
* -k An optional switch for which the user can search for a single keyword within many files (documented below).See CHANGELOG.md for further details
High-level summary of the checks/tasks performed by LinEnum:
* Kernel and distribution release details
* System Information:
* Hostname
* Networking details:
* Current IP
* Default route details
* DNS server information
* User Information:
* Current user details
* Last logged on users
* Shows users logged onto the host
* List all users including uid/gid information
* List root accounts
* Extracts password policies and hash storage method information
* Checks umask value
* Checks if password hashes are stored in /etc/passwd
* Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
* Attempt to read restricted files i.e. /etc/shadow
* List current users history files (i.e .bash_history, .nano_history etc.)
* Basic SSH checks
* Privileged access:
* Which users have recently used sudo
* Determine if /etc/sudoers is accessible
* Determine if the current user has Sudo access without a password
* Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
* Is root’s home directory accessible
* List permissions for /home/
* Environmental:
* Display current $PATH
* Displays env information
* Jobs/Tasks:
* List all cron jobs
* Locate all world-writable cron jobs
* Locate cron jobs owned by other users of the system
* List the active and inactive systemd timers
* Services:
* List network connections (TCP & UDP)
* List running processes
* Lookup and list process binaries and associated permissions
* List inetd.conf/xined.conf contents and associated binary file permissions
* List init.d binary permissions
* Version Information (of the following):
* Sudo
* MYSQL
* Postgres
* Apache
* Checks user config
* Shows enabled modules
* Checks for htpasswd files
* View www directories
* Default/Weak Credentials:
* Checks for default/weak Postgres accounts
* Checks for default/weak MYSQL accounts
* Searches:
* Locate all SUID/GUID files
* Locate all world-writable SUID/GUID files
* Locate all SUID/GUID files owned by root
* Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
* Locate files with POSIX capabilities
* List all world-writable files
* Find/list all accessible *.plan files and display contents
* Find/list all accessible *.rhosts files and display contents
* Show NFS server details
* Locate *.conf and *.log files containing keyword supplied at script runtime
* List all *.conf files located in /etc
* .bak file search
* Locate mail
* Platform/software specific tests:
* Checks to determine if we're in a Docker container
* Checks to see if the host has Docker installed
* Checks to determine if we're in an LXC container