diego-treitos / linux-smart-enumeration
Linux enumeration tool for pentesting and CTFs with verbosity levels
License: GNU General Public License v3.0
viewuser SUID was not showing in the Irked machine
Hi there,
as I wanted to test your script, I am unable to launch it. The error is:
lse.sh: 87: lse.sh: Syntax error: "(" unexpected
I have looked into the code but as I am not as good as others in Bash I saw nothing bad there. Can you please look for a fix in the lse.sh script? Thank you.
When running lse on Debian 10 without the -i option, the following error occurs:
[!] sud030 Can we list sudo commands with a password?......................lse.sh: line 402: lse_sudo_commands: readonly variable
nope
While it continues when running under bash, it aborts completely when running with /bin/sh.
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/screenshots/lse.gif
I was wondering what terminal you are using to showcase your tool; it looks very nice and clean. I was going to use it to showcase one of my tools with it too. Awesome tool and much love.
Are we using this?
ps aux | grep root
As it stands, the check for NFS shares is at level 2, which is currently reserved for information checks more so than critical ones.
linux-smart-enumeration/lse.sh, lines 816 to 819 in c795112
The thing is that NFS can easily be misconfigured
https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
I suggest that either this be elevated to level 1, or an additional level 1 / level 0 check be added for cases where the NFS share specifically contains the no_root_squash permission.
linux-smart-enumeration/lse.sh, line 152 in 6fe3157
Presumably the purpose of the common setuid check is so that time is not wasted chasing down exploits in "default" and usually secure binaries. However, I'm not aware that exim is installed by default on many systems, and even if it is, exim has a number of privilege escalation exploits. Might be worth removing it so it gets flagged on a default run.
Alternatively a list of setuid binaries with known exploits could be maintained and used as an additional check.
I am not sure if others would find this useful, but some users might want to save the output of this script somewhere. I consider this script to have two outputs: The text printed to the terminal and the output of the commands that are run. Using the -l2 shows both of these outputs, but if there was a way to print -l0 or -l1 information to the terminal but store the -l2 output (output of commands) to a file, then the user could have clean output that is fast to analyze and all the information they might need to reference is also available.
But this might take more effort than it is worth, depending on how useful others would find this.
Hi,
I was trying this script on " Hostname: kioptrix.level2, Linux: 2.6.9-55.EL ,Distribution: CentOS release 4.5 (Final) " and I got the below error:
bash-3.00$ ./lse.sh
./lse.sh: line 166: syntax error near unexpected token `newline'
./lse.sh: line 166: `lse_common_setuid+=('
bash-3.00$
After commenting out lines 166 to 169, the script executes but gives no fruitful result; see error-log.txt attached. Quick help is really appreciated.
error-log.txt
I encountered issues with the SSH files in home directories test. There are several ways to fix it, but I'm not sure about the best solution. So I open an issue instead of a PR and you can decide what's best.
First, I noticed the test returns duplicate entries, listing the same file several times. This is annoying and unnecessary so I wanted to fix that.
The reason this happens is because the test iterates over cut -d: -f6 /etc/passwd. There are system accounts having / as a home directory. So the test repeatedly scans the same directories (actually the whole file system). Furthermore, there are other accounts having something like /sbin as home, and so on.
This produces not only duplicate results, it is also unnecessarily slow because it scans the same directories multiple times.
A possible way to reduce duplicates and speed this up is to sort -u the cut -d: -f6 /etc/passwd first. But since some "home" can be a parent directory of another "home" (think of / again), this would still produce duplicates. Duplicates could be filtered by sort -u on the end result again.
However, this solution still involves unnecessarily scanning the same directories. Maybe we want to exclude / if it is in the list. On the other hand, it is perfectly possible that some SSH key lies somewhere on the file system, not within a home. So this check can be handy. Alternatively the test could be changed from "in home directories" to "on the file system" and scan / and just /.
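One way to build the deduplicated home-directory list suggested above, as an added example (not lse.sh's own code): the /etc/passwd excerpt is constructed, and the "drop nested directories" step goes slightly beyond the post's sort -u idea so that no directory tree is scanned twice.

```shell
#!/bin/sh
# Added example (not lse.sh code): reduce the list of home directories
# taken from /etc/passwd so each directory tree is scanned only once.
# Assumptions: the passwd excerpt below is constructed; only field 6 matters.

# Constructed /etc/passwd excerpt: one account has "/" as home, two service
# accounts share /var/lib/foo, /home/alice/proj nests under /home/alice,
# and /home/bob/ carries a trailing slash.
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc1:x:900:900::/var/lib/foo:/usr/sbin/nologin
svc2:x:901:901::/var/lib/foo:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
build:x:1001:1001::/home/alice/proj:/bin/sh
bob:x:1002:1002::/home/bob/:/bin/bash'

# Print the unique home directories: trailing slashes stripped, "/" dropped
# (it would mean scanning the whole file system), exact duplicates merged,
# and any directory that lies inside another listed directory removed.
# Sorting in the C locale guarantees a parent precedes its children, so a
# single pass with the kept prefixes is enough.
unique_homes() {
  printf '%s\n' "$PASSWD" | cut -d: -f6 | sed 's:/*$::' |
    grep -v '^$' | LC_ALL=C sort -u |
    awk '{
      keep = 1
      for (i = 1; i <= n; i++)
        if (index($0, p[i] "/") == 1) { keep = 0; break }
      if (keep) { p[++n] = $0; print }
    }'
}

unique_homes
```

Keys lying outside any home directory are still not covered by this list, which is the trade-off the post describes.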
Having a similar issue with the color as (#32) while running lse without explicitly running with bash on an older device. A screenshot with some details, not sure if it's enough information for you?
The machine I was trying it on was an old Fedora 4 (Linux 2.6.11-1369_FC4).
On real (non-CTF) systems, lse.sh can be extremely slow, especially when the host's filesystem contains a huge amount of data.
To skip tasks that seem to hang for hours, currently one needs to specify all remaining tasks via -s. This is a bit cumbersome for such scenarios. I would like to propose an exclude flag that allows defining which tasks to skip.
But looking at the list of tasks, this would still require a large number of tasks to exclude manually. So alternatively (or better, additionally?), an option like --skip-long-running-tasks (or --fast) could be useful. Such an option would skip a predefined list of tasks that take too long when the filesystem is large. (I guess basically everything that does find / ...)
What do you think?
Hello @diego-treitos ,
First thank you for this tool.
I was wondering if it would be a good addition to list running process per user instead of all running processes. Or maybe users with a shell.
I think this would help identify interesting running processes quicker.
Let me know if you would be interested in something like this and I'll see what I can do.
You currently check for various default MySQL and PostgreSQL authentications. I suggest a check to see if you can authenticate to a local MongoDB instance anonymously.
Great work so far! I think it would be cool if after running a default scan, you could expand or re-run a particular section or sections with a deeper verbose level. For example,
$ ./lse.sh --section 'sudo,security,file system' -l 2
For sud000 (Can we sudo without a password?), you currently check
sudo -nS id
which only checks if the user can sudo without a password on the current host.
If the user has read access to their own sudoers file, you can also go
cat "/etc/sudoers.d/$(whoami)"
which displays commands that the user can sudo on any host by specifying the -h flag on sudo.
checking if /etc/passwd is writable?
Hi!
great work with this project!
as additional one-liners I would suggest the following:
bash <(wget -q -O - https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i
bash <(curl -s https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i
keep up the good work!
Investigate ptrace_scope and its impact on security and privesc.
Also requested in the past for LinEnum: rebootuser/LinEnum#35
I recently came across a box that had the data of the su command (the user's password) in the audit log, which lse missed.
A simple grep -R 'comm="su"' /var/log/audit/audit.log* 2>/dev/null would have picked this up.
Might want to add this, and look for other commonly used log files that could also contain sensitive data in the future :)
I suppose this tool is explicitly built for Linux, not Unix/macOS, but for some reason there's a UI element that renders as text rather than what it's supposed to render to.
All of the \e[### characters just show up as the raw text.
I'm using macOS 10.14.5 on a 2016 Macbook Pro with v 2.9.5 of Terminal.app
It would be great if you can add more info about the linux version
e.g. Ubuntu 16.014.1 LTS
This info is missing.
And a line about whether it is Dirty COW-able would be nice.
$ sh lse.sh
lse.sh: 87: lse.sh: Syntax error: "(" unexpected
Thank you for the great script! Not sure if there's an alternative for declare, but I'm getting these errors on older machines.
$ bash --version
GNU bash, version 3.1.17(1)-release (i486-pc-linux-gnu)
$ declare -g
bash: line 13: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?..................../lse.sh: line 328: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
nope
[] sud040 Can we read /etc/sudoers?....................................... nope
[] sud050 Do we know if any other users used sudo?........................ nope
============================================================( file system )=====
[] fst000 Writable files outside user's home.............................../lse.sh: line 328: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
nope
[] fst010 Binaries with setuid bit........................................./lse.sh: line 328: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
Since the script was made compatible with /bin/sh instead of relying on bash (which I think was a good step), I noticed some weird behaviour on some targets.
Specifically, the color escape sequences are not interpreted but remain in the output when /bin/sh is a not so recent version of dash.
Even more disturbing, passing -c to lse to suppress colors completely does not have any effect here.
Running explicitly with bash is no problem.
The issue occurs for example on Ubuntu 16.04 with dash 0.5.8-2.1ubuntu2 (and older).
The issue does no longer occur since Ubuntu 18.04 with dash 0.5.8-2.10.
This can most easily be verified in a Docker/Podman container:
podman run --rm -it ubuntu:16.04
apt update && apt install wget
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh
chmod 700 lse.sh
./lse.sh
Hi diego,
There seems to be a problem in the "Uncommon setuid binaries" check if the uncommon suid binary name matches one of those in ${lse_common_setuid}
e.g.
┌──(kali㉿kali)-[/tmp]
└─$ cat test.sh
#!/bin/sh
setuidbin=sys
for cs in ping ping6; do
  setuidbin=$(printf "$setuidbin\n" | grep -Ev "$cs")
done
printf "$setuidbin\n"
┌──(kali㉿kali)-[/tmp]
└─$ ./test.sh
sys <=========================== OK
= = = =
┌──(kali㉿kali)-[/tmp]
└─$ cat test.sh
#!/bin/sh
setuidbin=pingsys
for cs in ping ping6; do
  setuidbin=$(printf "$setuidbin\n" | grep -Ev "$cs")
done
printf "$setuidbin\n"
┌──(kali㉿kali)-[/tmp]
└─$ ./test.sh
<=========================== NOT OK, was expecting pingsys
Was doing a room on THM where we have to do privesc using an uncommon suid binary named "pingsys" and to my surprise it was not picked up by lse in Uncommon setuid binaries.
Please have a look.
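The substring match described in this issue next to an exact-match filter, as an added example (not lse.sh's own code): the setuid paths and the common-name list below are constructed, and the fix compares the basename of each path as a whole line so that "ping" no longer swallows "pingsys".

```shell
#!/bin/sh
# Added example (not lse.sh code): why filtering setuid paths with
# `grep -Ev "$name"` drops too much, and an exact-match alternative.
# Assumptions: the FOUND list and the COMMON list below are constructed.

# Constructed list of setuid binaries found on a host, one path per line.
FOUND='/usr/bin/ping
/usr/bin/ping6
/usr/local/bin/pingsys
/usr/bin/passwd
/opt/tools/backup'

# Constructed "common" list: bare binary names, like lse_common_setuid.
COMMON='ping ping6 passwd'

# Substring filter, the behaviour the issue describes: "ping" is an
# unanchored regex, so it also matches /usr/local/bin/pingsys and the
# uncommon binary silently disappears from the result.
filter_substring() {
  out=$FOUND
  for cs in $COMMON; do
    out=$(printf '%s\n' "$out" | grep -Ev "$cs" || :)
  done
  printf '%s\n' "$out"
}

# Exact filter: take the basename of each path and look it up in the
# common list with a whole-line (-x), fixed-string (-F) match. Only names
# that are literally in the list are removed, so pingsys survives.
filter_exact() {
  printf '%s\n' "$FOUND" | while IFS= read -r path; do
    name=${path##*/}
    # $COMMON is unquoted on purpose: word splitting yields one name per line.
    if ! printf '%s\n' $COMMON | grep -Fxq -- "$name"; then
      printf '%s\n' "$path"
    fi
  done
}

echo "substring filter (loses pingsys):"
filter_substring
echo "exact filter:"
filter_exact
```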
lse finds lots of useful info but it can sometimes be a bit hard to analyze when the report is big and there's a lot there.
Having an option to create an HTML report with hyperlinks and colors, as well as minimizing or expanding sections, would make it easier to analyze the output.
Thanks
I noticed that even if -c is given, the output of the process monitor contains color codes.
Under "fst100 Useful binaries" you show Netcat as one of the options (nc)
There are several versions of Netcat - Not all of them with -e support (Inbound program to execute) which is quite a major factor when doing CTFs, specifically with reverse shells.
I suggest that if Netcat appears under the Useful binaries section, you add a display showing if the -e parameter is supported
The ticket you opened here showed up in my notification box. I took a moment to read what you had written there, and had a quick look at your source code. It's looking pretty neat so far.
Now the reason I wanted to open this ticket and get in touch is because I wrote a tool a while ago that automatically downloads and deploys several enumeration, privilege-escalation and other useful tools for when an initial compromise is made. The focus of my script is to make it as convenient as possible to deploy the best tooling for the job of getting root. My tool is called RootHelper and if you're interested you can find it in its repo here.
Would I be correct in thinking that your project outclasses LinEnum in terms of sophistication and capabilities? Do you have any plans to further expand on the functionality of the tool?
Either way, I was thinking I might drop LinEnum as a downloadable asset from my RootHelper tool and replace it with your modernized and in many ways improved version. If and when I do, you will be credited for your work of course. Thoughts?
If I stop the execution using Ctrl-C, my shell retains the colors and other settings of the script.
Tried to use the serve "-S" option and it gets a netcat error: nc: invalid option -- 'q'
Netcat version 7.92
I fixed my version of script on line 505
lse_procmon calls ps -ewwwo start_time,pid,user:50,args but this seems to be procps-ng compatible only.
The busybox implementation of ps has no -w and also lacks the output columns start_time and user:50.
So when running lse on a somewhat restricted system, it explodes with ps errors all over the screen.
Maybe there is no trivial fix for compatibility because lse_proc_print also makes assumptions about taking exactly this format. So perhaps just check whether ps -V is procps-ng and skip this task otherwise?
Hi Diego,
would be cool if you can add the feature that your script checks for unencrypted ssh-keys in memory (ssh-agent) by calling "ssh-add -l" and check if there are entries present or not.
Greets,
Barneee
Kindly check whether repositories like git or svn are present?
find / -name .git
.svn
something like that
that would be awesome
too many /snap/core/ entries when scanning for "Uncommon setuid binaries":
/snap/core/10958/bin/mount
/snap/core/10958/bin/ping
/snap/core/10958/bin/ping6
/snap/core/10958/bin/su
/snap/core/10958/bin/umount
/snap/core/10958/usr/bin/chfn
/snap/core/10958/usr/bin/chsh
/snap/core/10958/usr/bin/gpasswd
/snap/core/10958/usr/bin/newgrp
/snap/core/10958/usr/bin/passwd
/snap/core/10958/usr/bin/sudo
/snap/core/10958/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10958/usr/lib/openssh/ssh-keysign
/snap/core/10958/usr/lib/snapd/snap-confine
/snap/core/10958/usr/sbin/pppd
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
I think /usr/bin/fusermount3 should be added to the list of common setuid binaries. I have that on my Fedora 35 system and I also saw it on a Debian- or Ubuntu-like box.
$ ls -lh $(which fusermount3)
-rwsr-xr-x. 1 root root 36K 16. Sep 17:59 /usr/bin/fusermount3
If you log onto an active user and tmux is installed, they might have tmux sessions available that you are initially unable to see which might be useful if they had sensitive information available in one of them (Such as having switched users).
A tmux list-sessions would display any existing sessions and the number of windows in each session.
https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas
Paths:
Hello,
I think a nice addition would be to list non-default directories in the root path.
I ran into this situation in a CTF where the interesting files were in /backup.