
LinEnum (Linux file enumeration and privilege-escalation check tool)

孟俊发
2023-12-01

Official link: https://github.com/rebootuser/LinEnum

LinEnum

Usage help

For more information visit www.rebootuser.com
Note: Export functionality is currently in the experimental stage.
General usage:
version 0.982

  • Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t

OPTIONS:

  • -k Enter keyword
  • -e Enter export location
  • -t Include thorough (lengthy) tests
  • -s Supply current user password to check sudo perms (INSECURE)
  • -r Enter report name
  • -h Displays this help text

Running with no options = limited scans/no output file

  • -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
  • -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
  • -t Performs thorough (slow) tests. Without this switch default ‘quick’ scans are performed.
  • -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!
  • -k An optional switch for which the user can search for a single keyword within many files (documented below).

See CHANGELOG.md for further details

Feature description (English)

High-level summary of the checks/tasks performed by LinEnum:

  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • Shows users logged onto the host
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for ‘default’ uids such as 0, 1000, 1001 etc.
    • Attempt to read restricted files, e.g. /etc/shadow
    • List the current user's history files (e.g. .bash_history, .nano_history etc.)
    • Basic SSH checks
  • Privileged access:
    • Which users have recently used sudo
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
    • Displays env information
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
    • List the active and inactive systemd timers
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xinetd.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
      • Checks user config
      • Shows enabled modules
      • Checks for htpasswd files
      • View www directories
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default/weak MYSQL accounts
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • Locate files with POSIX capabilities
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accessible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • .bak file search
    • Locate mail
  • Platform/software specific tests:
    • Checks to determine if we’re in a Docker container
    • Checks to see if the host has Docker installed
    • Checks to determine if we’re in an LXC container
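Three of the checks listed above (password hashes stored in /etc/passwd, world-writable cron jobs, SUID/SGID files), reimplemented here as an added example that is not LinEnum's own code. Each check takes a path argument so it can be run as an audit against a constructed fixture tree instead of the live system; the fixture contents, user name and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from LinEnum. Each function prints the findings, one per line,
# so the output can be diffed against a known-good baseline in a hardening pipeline.

# Check 1: accounts whose second field in a passwd-format file is a real hash
# rather than the "x"/"*" placeholder or a locked ("!") marker.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!/ { print $1 }' "$1"
}

# Check 2: cron job files under a directory that are writable by everyone
# (octal -002 = the "other write" bit is set).
world_writable_cron() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Check 3: files under a directory carrying the SUID (4000) or SGID (2000) bit.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed fixture tree (hypothetical data, not copied from any real host):
# one account with a hash in passwd, one loose cron file, one setuid binary.
make_fixture() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    printf 'bob:$6$salt$fakehash:1000:1000::/home/bob:/bin/sh\n' >> "$d/passwd"
    printf 'svc:!:1001:1001::/var/svc:/sbin/nologin\n' >> "$d/passwd"
    mkdir -p "$d/cron.d" "$d/bin"
    echo '* * * * * root /bin/true' > "$d/cron.d/safe"
    echo '* * * * * root /tmp/x.sh' > "$d/cron.d/loose"
    chmod 644 "$d/cron.d/safe"
    chmod 666 "$d/cron.d/loose"
    : > "$d/bin/normal"
    : > "$d/bin/setuid"
    chmod 755 "$d/bin/normal"
    chmod 4755 "$d/bin/setuid"
    echo "$d"
}

# Stand-alone run: build the fixture and report each finding class.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "hashes in passwd:"; hashes_in_passwd "$fx/passwd"
    echo "world-writable cron:"; world_writable_cron "$fx/cron.d"
    echo "suid/sgid files:"; suid_sgid_files "$fx/bin"
    rm -rf "$fx"
fi
```

On a real host the same functions would be pointed at /etc/passwd, /etc/cron.d and / respectively; LinEnum's `-t` switch is what makes its own file searches cover the whole filesystem.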
