Official link: https://github.com/rebootuser/LinEnum
LinEnum
Usage help
For more information visit www.rebootuser.com
Note: Export functionality is currently in the experimental stage.
General usage:
version 0.982
- Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
OPTIONS:
- -k Enter keyword
- -e Enter export location
- -t Include thorough (lengthy) tests
- -s Supply current user password to check sudo perms (INSECURE)
- -r Enter report name
- -h Displays this help text
Running with no options = limited scans/no output file
- -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
- -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
- -t Performs thorough (slow) tests. Without this switch default ‘quick’ scans are performed.
- -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!
- -k An optional switch for which the user can search for a single keyword within many files (documented below).
See CHANGELOG.md for further details
Feature overview (English)
High-level summary of the checks/tasks performed by LinEnum:
- Kernel and distribution release details
- System Information:
- Hostname
- Networking details:
- Current IP
- Default route details
- DNS server information
- User Information:
- Current user details
- Last logged on users
- Shows users logged onto the host
- List all users including uid/gid information
- List root accounts
- Extracts password policies and hash storage method information
- Checks umask value
- Checks if password hashes are stored in /etc/passwd
- Extract full details for ‘default’ uids such as 0, 1000, 1001 etc
- Attempt to read restricted files i.e. /etc/shadow
- List current users history files (i.e .bash_history, .nano_history etc.)
- Basic SSH checks
- Privileged access:
- Which users have recently used sudo
- Determine if /etc/sudoers is accessible
- Determine if the current user has Sudo access without a password
- Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
- Is root’s home directory accessible
- List permissions for /home/
- Environmental:
- Display current $PATH
- Displays env information
- Jobs/Tasks:
- List all cron jobs
- Locate all world-writable cron jobs
- Locate cron jobs owned by other users of the system
- List the active and inactive systemd timers
- Services:
- List network connections (TCP & UDP)
- List running processes
- Lookup and list process binaries and associated permissions
- List inetd.conf/xinetd.conf contents and associated binary file permissions
- List init.d binary permissions
- Version Information (of the following):
- Sudo
- MYSQL
- Postgres
- Apache
- Checks user config
- Shows enabled modules
- Checks for htpasswd files
- View www directories
- Default/Weak Credentials:
- Checks for default/weak Postgres accounts
- Checks for default/weak MYSQL accounts
- Searches:
- Locate all SUID/SGID files
- Locate all world-writable SUID/SGID files
- Locate all SUID/SGID files owned by root
- Locate ‘interesting’ SUID/SGID files (i.e. nmap, vim etc)
- Locate files with POSIX capabilities
- List all world-writable files
- Find/list all accessible *.plan files and display contents
- Find/list all accessible *.rhosts files and display contents
- Show NFS server details
- Locate *.conf and *.log files containing keyword supplied at script runtime
- List all *.conf files located in /etc
- .bak file search
- Locate mail
- Platform/software specific tests:
- Checks to determine if we’re in a Docker container
- Checks to see if the host has Docker installed
- Checks to determine if we’re in an LXC container
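Three of the checks in the summary above (password hashes exposed in /etc/passwd, world-writable cron files, and SUID/SGID binaries) are simple enough to reproduce in a few lines, which makes clear what the tool is actually looking for. The script below is an added example for this page, not LinEnum's own code. Each check takes a path argument so it can be pointed at a real host (e.g. `/etc/passwd`, `/etc/cron.d`, `/`) or at the constructed fixture that `make_fixture` builds in a temporary directory; the fixture's users, hash string and file names are all made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not part of LinEnum): a minimal local audit implementing three of
# the checks LinEnum's summary lists. All paths are passed in, so the same functions
# run against a constructed fixture (below) or against a live system.

# Check 1: password hashes (or empty password fields) in a passwd-format file.
# A shadowed account has "x" in field 2; "*" or "!" mean locked. Anything else is
# either a readable hash or an empty (passwordless) field, and is printed as a finding.
# Returns 0 if at least one finding was printed, 1 otherwise.
passwd_hashes_present() {
    awk -F: '$2 != "x" && $2 !~ /^[*!]/ { print; found = 1 } END { exit !found }' "$1"
}

# Check 2: world-writable regular files below a directory (cron.d, init.d, ...).
# -xdev keeps the search on one filesystem, as a hardening audit usually wants.
world_writable_under() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# Check 3: SUID (4000) or SGID (2000) regular files below a directory.
setuid_setgid_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed fixture: one shadowed account, one account with a fake hash in
# field 2, a world-writable cron file, a SUID "tool", and one harmless file.
# Prints the fixture directory so the caller can pass it to the checks above.
make_fixture() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd"
    printf 'svc:$6$constructed$notarealhash:1001:1001::/home/svc:/bin/sh\n' >> "$dir/passwd"
    mkdir -p "$dir/cron.d"
    printf '* * * * * root /opt/backup.sh\n' > "$dir/cron.d/backup"
    chmod 0666 "$dir/cron.d/backup"   # world-writable: anyone can edit a root cron job
    printf '#!/bin/sh\n' > "$dir/tool"
    chmod 4755 "$dir/tool"            # SUID bit set
    printf 'ok\n' > "$dir/plain"
    chmod 0644 "$dir/plain"           # control file: should not appear in any finding
    printf '%s\n' "$dir"
}

# Stand-alone run against the fixture; on a real host replace the paths with
# /etc/passwd, /etc/cron.d and / respectively.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    fx=$(make_fixture)
    echo "== hashes/empty passwords in passwd ==";  passwd_hashes_present "$fx/passwd" || echo "(none)"
    echo "== world-writable files ==";              world_writable_under "$fx"
    echo "== SUID/SGID files ==";                   setuid_setgid_under "$fx"
    rm -rf "$fx"
fi
```

The awk expression is the whole of check 1: it treats anything other than `x`, `*…` or `!…` in the second field as a finding, which also catches an empty field (no password required at all), a case a naive "does field 2 contain `$`" test would miss.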
Feature overview (Chinese translation, rendered here in English)
High-level summary of the checks/tasks performed by LinEnum:
Kernel and distribution release details
System information:
- Hostname
- Networking details:
- Current IP
- Default route details
- DNS server information
User information:
- Current user details
- Last logged-on users
- Show users logged onto the host
- List all users, including uid/gid information
- List root accounts
- Extract password policy and hash storage method information
- Check the umask value
- Check whether password hashes are stored in /etc/passwd
- Extract full details for "default" uids (such as 0, 1000, 1001, etc.)
- Attempt to read restricted files, e.g. /etc/shadow
- List the current user's history files (e.g. .bash_history, .nano_history, etc.)
- Basic SSH checks
Privileged access:
- Which users have recently used sudo
- Determine whether /etc/sudoers is accessible
- Determine whether the current user has sudo access without a password
- Whether privilege escalation is available via sudo (i.e. nmap, vim, etc.)
- Whether root's home directory is accessible
- List the permissions of /home
Environment variables:
- Display the current $PATH
- Display environment information
Scheduled tasks:
- List all cron jobs
- Locate all writable cron jobs
- Locate cron jobs owned by other users on the system
- List active and inactive systemd timers
Services:
- List network connections (TCP and UDP)
- List running processes
- Look up and list process binaries and their associated permissions
- List inetd.conf/xinetd.conf contents and the permissions of the associated binaries
- List init.d binary permissions
Version information (for the following):
- Sudo
- MySQL
- Postgres
- Apache
- Check user configuration
- Show enabled modules
- Check for htpasswd files
- View www directories
Default credentials:
- Check for weak Postgres account passwords
- Check for weak MySQL account passwords
Searches:
- Locate all SUID/SGID files
- Locate all writable SUID/SGID files
- Locate all SUID/SGID files owned by root
- Locate potentially useful SUID/SGID files (i.e. nmap, vim, etc.)
- Find files with POSIX capabilities
- List all writable files
- Find/list all accessible *.plan files and display their contents
- Find/list all accessible *.rhosts files and display their contents
- Show NFS server details
- Locate *.conf and *.log files containing the keyword supplied at script runtime
- List all *.conf files located in /etc
- .bak file search
- Local mail
Platform/software-specific tests:
- Check whether we are in a Docker container
- Check whether the host has Docker installed
- Check whether we are in an LXC container