Buôn Ma Thuột, the White Hat Hacker Capital

The Vietnam White Hat Hacker training program in Buôn Ma Thuột City, combined with travel. Arrive a newbie, leave a WHITE HAT HACKER!

Hacking and Penetration Testing with Metasploit

Security365's training program on using the Metasploit Framework for penetration testing and hacking.

C50 Computer Forensics Course Material

Study material on digital evidence investigation (CHFI), compiled by Security365 for training at C50.

Students with Hacking and Information Security

A student hacking competition, with web attack challenges for students built on the Hackademic Challenge platform.

Attack and Defense with BackTrack / Kali Linux

An attack and defense course using the hackers' professional toolkits, BackTrack and Kali Linux, based on Offensive Security content.

Showing posts with label Enumeration.

LinEnum - Local Linux Enumeration & Privilege Escalation Checks


LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.

After the scan has completed (please be aware that it may take some time) you’ll be presented with (possibly quite extensive) output, in which any key findings are highlighted in yellow and everything else is documented under the relevant headings.

Below is a high-level summary of the checks/tasks performed by LinEnum:
  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • List all users including uid/gid information
    • List root accounts
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xined.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default root/root access to local MYSQL services
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail
Some of the above commands are privileged and/or the related task may be nonexistent, and will therefore most likely fail. The user shouldn’t be alerted to failed results; only the output from successful commands should be displayed.
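The permission checks in the list above (world-writable cron jobs, SUID/SGID files, files owned by other users) all reduce to a few stat() tests, and the same tests are what an administrator runs to catch those misconfigurations before anyone else does. The Python below is an added example and not LinEnum's own code (LinEnum is a shell script): it walks a directory tree, reports world-writable paths (skipping sticky directories such as /tmp), lists setuid/setgid files, compares those against an allowlist, and exercises itself on a constructed scratch tree. The function names, the sample layout and the allowlist are assumptions.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set

# Hypothetical audit helpers in the spirit of LinEnum's permission checks.
# They walk a directory tree and report two classic misconfiguration classes:
# world-writable paths (e.g. cron jobs anyone can edit) and setuid/setgid
# executables that are not on an administrator's allowlist.


def _entries(root: str):
    """Yield every path below root (directories and files), never root itself."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def find_world_writable(root: str) -> List[str]:
    """Paths whose mode grants write permission to 'other'.

    Symlinks are ignored (their mode is meaningless) and sticky directories
    such as /tmp are skipped, since the sticky bit is the accepted safe form.
    """
    hits = []
    for path in _entries(root):
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            continue
        if mode & stat.S_IWOTH:
            hits.append(os.path.relpath(path, root))
    return sorted(hits)


def find_setid(root: str) -> List[str]:
    """Regular files carrying the setuid or setgid bit."""
    hits = []
    for path in _entries(root):
        mode = os.lstat(path).st_mode
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append(os.path.relpath(path, root))
    return sorted(hits)


def unexpected_setid(root: str, allowlist: Set[str]) -> List[str]:
    """Setuid/setgid files whose basename is not in the allowlist."""
    return [p for p in find_setid(root) if os.path.basename(p) not in allowlist]


def build_sample_tree(root: str) -> None:
    """Constructed sample filesystem: one bad cron job, one unexpected setuid
    binary, one allowlisted setgid binary, an ordinary file and a sticky tmp."""
    layout = {
        "etc/cron.d/backup": 0o666,     # world-writable cron job: a finding
        "usr/bin/tool": 0o4755,         # setuid, not on the allowlist
        "usr/bin/sgidtool": 0o2755,     # setgid, allowlisted below
        "home/user/notes.txt": 0o644,   # harmless
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    # Pin directory modes so the result does not depend on the caller's umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    tmp = os.path.join(root, "tmp")
    os.mkdir(tmp)
    os.chmod(tmp, 0o1777)               # sticky: world-writable but acceptable


def audit_sample() -> Dict[str, List[str]]:
    """Build the sample tree in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            "world_writable": find_world_writable(root),
            "setid": find_setid(root),
            "unexpected_setid": unexpected_setid(root, {"sgidtool"}),
        }


if __name__ == "__main__":
    for key, paths in audit_sample().items():
        print(f"{key}: {paths}")
```

Run the two `find_*` functions against `/` as an administrator to establish a baseline, and keep the allowlist under version control so a newly appeared setuid binary shows up as a finding rather than as noise; the sticky-bit exemption is what keeps /tmp and /var/tmp out of the report.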


Host-Extract - Enumerate All IP/Host Patterns In A Web Page

This little Ruby script tries to extract all IP/host patterns in the page response of a given URL and in the JavaScript/CSS files of that URL.

With it, you can quickly identify internal IPs/hostnames, development IPs/ports, CDNs, load balancers, and additional attack entry points related to your target that are revealed in inline JS, CSS, HTML comment areas and JS/CSS files.

This is unlike a web crawler, which looks for new links only in anchor tags (<a>) or the like.

(You might miss many additional targets if you only use such a web crawler or other GUI-based tools that show you your main target and its relationship with its linked sub/off-site domains.)

In some cases, host-extract may give you false positives when there are words like main-site_ver_10.2.1.3.swf.

With -v option, you can ask the tool to output html view-source snippets for each IP/Domain extracted. This will shorten your manual analysis time.

USAGE:
ruby host-extract.rb URL [option]

Usage: host-extract [options]
-a find all ip/host patterns
-j scan all js files
-c scan all css files
-v append view-source html snippet for manual verification
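The false positive mentioned above (a version string such as main-site_ver_10.2.1.3.swf matching the dotted-quad pattern) is worth handling rather than just tolerating. The Python below is an added example, not host-extract's Ruby code: it scans raw page text, including comments and inline script, for IPv4 and hostname patterns, labels a dotted quad "suspect" when an octet exceeds 255 or the match is glued to a longer token, rejects hostname matches whose top-level label is really a file extension (app.js, style.css), and runs on a constructed page fragment. The function names, the extension list and the sample page are assumptions.

```python
import re
from typing import Dict, List

# Hypothetical extractor in the style of host-extract: it scans raw page text
# (inline JS, CSS, HTML comments included, not just <a href> links) for IPv4
# and hostname patterns, and labels IPs that look like version numbers or
# file names as "suspect" instead of silently reporting them.

IPV4_CANDIDATE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PORT_SUFFIX = re.compile(r":(\d{1,5})")
HOSTNAME = re.compile(
    r"(?<![\w.-])"                                   # not glued to a longer token
    r"((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"  # one or more labels
    r"[a-z]{2,63})"                                  # alphabetic top-level label
    r"(?![\w-])",
    re.IGNORECASE,
)
# Apparent "TLDs" that are really file extensions (app.js, style.css, ...).
FILE_EXTENSIONS = {"js", "css", "swf", "png", "jpg", "jpeg", "gif", "svg",
                   "html", "htm", "php", "asp", "aspx", "json", "xml", "ico", "woff"}


def _ip_context_is_embedded(text: str, start: int, end: int) -> bool:
    """True when the candidate sits inside a larger token, e.g. ver_10.2.1.3.swf."""
    before = text[start - 1] if start > 0 else ""
    after = text[end:end + 2]
    return bool(re.fullmatch(r"[\w-]", before)) or bool(re.match(r"[\w-]|\.\w", after))


def extract_ips(text: str) -> List[Dict[str, object]]:
    """Dotted quads in order of appearance, each with optional port and confidence."""
    found = []
    for m in IPV4_CANDIDATE.finditer(text):
        cand = m.group()
        valid_octets = all(int(o) <= 255 for o in cand.split("."))
        embedded = _ip_context_is_embedded(text, m.start(), m.end())
        port_m = PORT_SUFFIX.match(text, m.end())
        found.append({
            "ip": cand,
            "port": int(port_m.group(1)) if port_m else None,
            "confidence": "likely" if valid_octets and not embedded else "suspect",
        })
    return found


def extract_hosts(text: str) -> List[str]:
    """Distinct hostnames, lower-cased and sorted, minus file-name look-alikes."""
    hosts = set()
    for m in HOSTNAME.finditer(text):
        host = m.group(1).lower()
        if host.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
            hosts.add(host)
    return sorted(hosts)


def extract(text: str) -> Dict[str, object]:
    return {"ips": extract_ips(text), "hosts": extract_hosts(text)}


# Constructed page fragment (not a real site) mixing comments, inline JS and tags.
SAMPLE_PAGE = """
<!-- staging box: 10.0.3.15 -->
<script src="https://cdn.example.net/app.js"></script>
<a href="http://intranet.corp.example.com:8080/admin">admin</a>
<script>var api = "http://192.168.10.7:3000/v1";</script>
<object data="/media/main-site_ver_10.2.1.3.swf"></object>
<link href="//static.example.org/style.css">
"""

if __name__ == "__main__":
    result = extract(SAMPLE_PAGE)
    for entry in result["ips"]:
        port = f':{entry["port"]}' if entry["port"] else ""
        print(f'{entry["confidence"]:8} {entry["ip"]}{port}')
    for host in result["hosts"]:
        print(f"host     {host}")
```

On the sample page the two addresses in the comment and the inline script come back as "likely" (the second with its port), while 10.2.1.3 is kept but marked "suspect" because it is preceded by an underscore and followed by .swf; the -v style view-source snippet host-extract offers is the natural next step for anything in the suspect bucket.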


[DNSRecon v0.8.6] DNS Enumeration Script

Just updated DNSRecon to check if it can pull the Bind version by querying the TXT record version.bind, and it will now check whether the RA flag is set in responses from each of the NS servers it detects. If a server has recursion enabled it could be used for DDoS attacks and for cache snooping.

Example of a run where it is able to pull the Bind Version:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]SOA ns16.zoneedit.com 69.64.68.41
[*]NS ns12.zoneedit.com 209.62.64.46
[*]Bind Version for 209.62.64.46 8.4.X
[*]NS ns16.zoneedit.com 69.64.68.41
[*]Bind Version for 69.64.68.41 8.4.X
[*]MX ASPMX2.GOOGLEMAIL.COM 173.194.75.27
[*]MX ASPMX3.GOOGLEMAIL.COM 173.194.66.27
[*]MX ASPMX4.GOOGLEMAIL.COM 173.194.65.26
[*]MX ASPMX5.GOOGLEMAIL.COM 173.194.70.26
[*]MX ASPMX.L.GOOGLE.COM 74.125.140.27
[*]MX ALT1.ASPMX.L.GOOGLE.COM 173.194.75.26
[*]MX ALT2.ASPMX.L.GOOGLE.COM 173.194.66.27
[*]MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]A zonetransfer.me 217.147.180.162
[*]TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*]TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.180.162 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The information on version and recursion is also saved in the XML, as you can see:

infidel02:dnsrecon carlos$ cat zt.xml

<?xml version="1.0" ?>
<records>
  <record address="69.64.68.41" mname="ns16.zoneedit.com" type="SOA"/>
  <record Recursive="False" Version="8.4.X" address="209.62.64.46" target="ns12.zoneedit.com" type="NS"/>
  <record Recursive="False" Version="8.4.X" address="69.64.68.41" target="ns16.zoneedit.com" type="NS"/>
  <record address="173.194.75.27" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.66.27" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.65.26" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.70.26" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="74.125.140.27" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="173.194.75.26" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="173.194.66.27" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="217.147.180.162" name="zonetransfer.me" type="A"/>
  <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" type="TXT"/>
  <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/>
  <record address="217.147.180.162" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/>
  <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/>
  <domain domain_name="zonetransfer.me"/>
</records>

Here is an example where recursion is enabled; you will see that the message is shown differently, since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n 192.168.1.80
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*] NSEC KSk RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC KSk RSASHA256 ...
[*]SOA labns1.acmelab.com 192.168.1.80
[*]NS labns1.acmelab.com 192.168.1.80
[-]Recursion enabled on NS Server 192.168.1.80
[*]MX mail1.acmelab.com 192.168.1.4
[*]A acmelab.com 192.168.1.2
[*]TXT acmelab.com v=spf1 192.168.1.0/24
[*]TXT _domainkey.acmelab.com o=~; r=postmaster@acmelab.com
[*] Enumerating SRV Records
[*]SRV _finger._tcp.acmelab.com web1.acmelab.com 192.168.1.2 79 0
[*]SRV _http._tcp.acmelab.com web2.acmelab.com 192.168.1.3 80 0
[*]SRV _http._tcp.acmelab.com web1.acmelab.com 192.168.1.2 80 0
[*]SRV _sip._tls.acmelab.com chat.acmelab.com 192.168.1.5 443 0
[*]SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 192.168.1.5 5061 0
[*]SRV _https._tcp.acmelab.com web1.acmelab.com 192.168.1.2 443 0
[*]SRV _https._tcp.acmelab.com web2.acmelab.com 192.168.1.3 443 0
[*] 7 Records Found
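The two checks this DNSRecon release adds, the version.bind TXT query in the CHAOS class and the RA flag in the response header, come down to a few bytes of DNS wire format, and reproducing them by hand makes clear what each one actually measures. The Python below is an added example and not DNSRecon's code (DNSRecon itself is built on dnspython): it builds the query with RD cleared, decodes the header flags, pulls the TXT character-strings out of an answer, and checks itself against a constructed reply rather than any real server. The function names and the sample version string are assumptions.

```python
import socket
import struct
from typing import Dict, List

TYPE_TXT = 16
CLASS_CH = 3          # CHAOS class: where version.bind lives

# Hypothetical helpers, not DNSRecon's code: just enough of the wire format to
# send the version.bind query and read the flags and TXT strings of the reply.


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels with a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_version_bind_query(txid: int) -> bytes:
    """Standard query for TXT version.bind in class CH, with RD cleared."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def parse_header(msg: bytes) -> Dict[str, object]:
    """Decode the 12-byte DNS header; RA is bit 0x0080 of the flags word."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recursion_available(response: bytes) -> bool:
    return bool(parse_header(response)["ra"])


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def txt_strings(response: bytes) -> List[str]:
    """Character-strings of every TXT record in the answer section."""
    hdr = parse_header(response)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(response, off) + 4          # skip QTYPE and QCLASS
    out = []
    for _ in range(hdr["ancount"]):
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            pos = 0
            while pos < len(rdata):
                n = rdata[pos]
                out.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return out


def summarize(response: bytes) -> Dict[str, object]:
    """The two facts DNSRecon reports per NS server: RA flag and version text."""
    hdr = parse_header(response)
    return {"recursion_available": hdr["ra"], "rcode": hdr["rcode"],
            "version_strings": txt_strings(response)}


def udp_exchange(server: str, payload: bytes, timeout: float = 3.0) -> bytes:
    """Send one UDP query to port 53 and return the raw reply (network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, 53))
        return sock.recv(4096)


def build_sample_response(ra: bool, version: str = "sample-version") -> bytes:
    """Constructed reply (not captured from any server) with one TXT answer."""
    flags = 0x8000 | 0x0400 | (0x0080 if ra else 0)     # QR, AA, optional RA
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    txt = bytes([len(version)]) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return header + question + answer


if __name__ == "__main__":
    for ra in (True, False):
        print(summarize(build_sample_response(ra)))
```

`udp_exchange()` is the only function that touches the network; everything else works on bytes, which is why the self-test needs no server. When auditing your own authoritative servers, an RA bit in the reply means the server advertises recursion to whoever can reach it, which is the condition the post flags as a DDoS amplification and cache-snooping risk; on BIND, `version "none";` (or a custom string) in the options block removes the version disclosure, and recursion should be restricted to the resolver's intended clients.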

[Pinpoint] Enumerates WebPage Components to help identify the Infected Files


Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too (some Javascript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows the links and which file each link resided in. It will also download the file and calculate its “entropy”; the higher the value, the more rubbish characters it found, which may help identify obfuscated Javascript.

You can of course spoof the user-agent string and referer values to elicit a malicious response from the website. There’s also a function to clear your cookies (see the Options menu item), since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address, since yours will usually be banned after the first visit.
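The “entropy” figure Pinpoint logs for each downloaded component is Shannon entropy over the file's bytes, and the reason it singles out obfuscated script is that packed or encoded code spreads its bytes over many symbols almost evenly. The Python below is an added example, not Pinpoint's code: it computes that score, ranks a set of page components by it, flags anything above a threshold, and tests itself on constructed components (a deterministic pseudo-random base64-style blob stands in for a packed script). The function names, the threshold and the sample components are assumptions.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical entropy scorer modelled on the "entropy" column Pinpoint logs
# for each downloaded component. Obfuscated or packed script tends to use many
# distinct characters with a flat distribution, so its Shannon entropy (bits
# per byte) sits well above ordinary hand-written JavaScript or CSS.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def rank_components(components: Dict[str, bytes]) -> List[Tuple[str, float]]:
    """Sort page components (name -> body) from highest to lowest entropy."""
    scored = [(name, round(shannon_entropy(body), 3)) for name, body in components.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def flag_suspicious(components: Dict[str, bytes], threshold: float = 5.0) -> List[str]:
    """Names of components whose entropy reaches the threshold (assumed 5.0 bits)."""
    return [name for name, score in rank_components(components) if score >= threshold]


def _constructed_blob(length: int = 400, seed: int = 1) -> bytes:
    """Deterministic stand-in for a packed script body: a base64-like stream."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length)).encode("ascii")


# Constructed components; none of these bodies came from a real page.
SAMPLE_COMPONENTS = {
    "index.html": b"<html><body><h1>Welcome</h1><p>Hello, visitor.</p></body></html>",
    "site.css": b"body { margin: 0; padding: 0; font-family: sans-serif; }",
    "app.js": b"function greet(name) { return 'Hello, ' + name + '!'; }",
    "blob.js": b"var p='" + _constructed_blob() + b"';",
}

if __name__ == "__main__":
    for name, score in rank_components(SAMPLE_COMPONENTS):
        print(f"{score:6.3f}  {name}")
    print("suspicious:", flag_suspicious(SAMPLE_COMPONENTS))
```

Entropy is a triage signal, not a verdict: legitimately minified bundles and embedded images or fonts score high too, so treat the ranking as the order in which to open components for manual review, with the log's record of which file referenced which link telling you where an injected component was wired in.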

[Kacak] Enumerate Users in Subnets


Kacak is a tool that can enumerate the users specified in its configuration file on Windows-based networks. It uses the Metasploit smb_enumusers_domain module to achieve this via the msfrpcd service. If you are wondering what the msfrpcd service is, see https://github.com/rapid7/metasploit-framework/blob/master/documentation/msfrpc.txt. It also parses mimikatz results.


[SSLSmart] Smart SSL Cipher Enumeration


SSLSmart is a highly flexible and interactive tool aimed at improving efficiency and reducing false positives during SSL testing. A number of tools allow users to test for supported SSL ciphers suites, but most only provide testers with a fixed set of cipher suites. Further testing is performed by initiating an SSL socket connection with one cipher suite at a time, an inefficient approach that leads to false positives and often does not provide a clear picture of the true vulnerability of the server. SSLSmart is designed to combat these shortcomings.


    SSLSmart has been tested to work on the following platforms and versions of Ruby:
    Windows: Ruby 1.8.6 with wxruby6 (2.0.0) and builder7 (2.1.2).
    Linux: Ruby 1.8.7/1.9.1 with wxruby (2.0.0) and builder (2.1.2).

[ipset_list] ipset set listing wrapper script


Features:

  • Calculate sum of set members (and match on that count).
  • List only members of a specified set.
  • Choose a delimiter character for separating members.
  • Show only sets containing a specific (glob matching) header.
  • Arithmetic comparison on headers with an integer value.
  • Match members using a globbing or regex pattern.
  • Suppress listing of (glob matching) sets.
  • Suppress listing of (glob matching) headers.
  • Suppress listing of members matching a glob or regex pattern.
  • Suppress listing of members options.
  • Calculate the total size in memory of all matching sets.
  • Calculate the amount of matching, excluded and traversed sets.
  • Colorize the output.
  • Operate on a single, selected, or all sets.
  • Programmable completion is included to make usage easier and faster.

[LinEnum] Scripted Local Linux Enumeration & Privilege Escalation Checks


High-level summary of the checks/tasks performed by LinEnum:
  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • List all users including uid/gid information
    • List root accounts
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xined.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default root/root access to local MYSQL services
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail