https://github.com/rebootuser/linenum

Scripted Local Linux Enumeration & Privilege Escalation Checks
https://github.com/rebootuser/linenum

Last synced: about 2 months ago
JSON representation

Scripted Local Linux Enumeration & Privilege Escalation Checks

• Host: GitHub
• URL: https://github.com/rebootuser/linenum
• Owner: rebootuser
• License: mit
• Created: 2013-08-20T06:26:58.000Z (about 11 years ago)
• Default Branch: master
• Last Pushed: 2023-09-06T18:02:29.000Z (about 1 year ago)
• Last Synced: 2024-07-31T19:10:53.198Z (about 2 months ago)
• Language: Shell
• Size: 242 KB
• Stars: 6,851
• Watchers: 196
• Forks: 1,978
• Open Issues: 25
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# LinEnum

For more information visit www.rebootuser.com

Note: Export functionality is currently in the experimental stage.

General usage:

version 0.982

* Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t 

OPTIONS:

* -k	Enter keyword

* -e	Enter export location

* -t	Include thorough (lengthy) tests

* -s	Supply current user password to check sudo perms (INSECURE)

* -r	Enter report name

* -h	Displays this help text

Running with no options = limited scans/no output file

* -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.

* -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.

* -t Performs thorough (slow) tests. Without this switch default 'quick' scans are performed.

* -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!

* -k An optional switch for which the user can search for a single keyword within many files (documented below).

See CHANGELOG.md for further details

High-level summary of the checks/tasks performed by LinEnum:

* Kernel and distribution release details

* System Information:

  * Hostname

  * Networking details:

  * Current IP

  * Default route details

  * DNS server information

* User Information:

  * Current user details

  * Last logged on users

  * Shows users logged onto the host

  * List all users including uid/gid information

  * List root accounts

  * Extracts password policies and hash storage method information

  * Checks umask value

  * Checks if password hashes are stored in /etc/passwd

  * Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc

  * Attempt to read restricted files i.e. /etc/shadow

  * List current users history files (i.e .bash_history, .nano_history etc.)

  * Basic SSH checks

* Privileged access:

  * Which users have recently used sudo

  * Determine if /etc/sudoers is accessible

  * Determine if the current user has Sudo access without a password

  * Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)

  * Is root’s home directory accessible

  * List permissions for /home/

* Environmental:

  * Display current $PATH

  * Displays env information

* Jobs/Tasks:

  * List all cron jobs

  * Locate all world-writable cron jobs

  * Locate cron jobs owned by other users of the system

  * List the active and inactive systemd timers

* Services:

  * List network connections (TCP & UDP)

  * List running processes

  * Lookup and list process binaries and associated permissions

  * List inetd.conf/xined.conf contents and associated binary file permissions

  * List init.d binary permissions

* Version Information (of the following):

  * Sudo

  * MYSQL

  * Postgres

  * Apache

    * Checks user config

    * Shows enabled modules

    * Checks for htpasswd files

    * View www directories

* Default/Weak Credentials:

  * Checks for default/weak Postgres accounts

  * Checks for default/weak MYSQL accounts

* Searches:

  * Locate all SUID/GUID files

  * Locate all world-writable SUID/GUID files

  * Locate all SUID/GUID files owned by root

  * Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)

  * Locate files with POSIX capabilities

  * List all world-writable files

  * Find/list all accessible *.plan files and display contents

  * Find/list all accessible *.rhosts files and display contents

  * Show NFS server details

  * Locate *.conf and *.log files containing keyword supplied at script runtime

  * List all *.conf files located in /etc

  * .bak file search

  * Locate mail

* Platform/software specific tests:

  * Checks to determine if we're in a Docker container

  * Checks to see if the host has Docker installed

  * Checks to determine if we're in an LXC container