diff --git a/.gitignore b/.gitignore index 39cd1d5..a138cef 100755 --- a/.gitignore +++ b/.gitignore @@ -33,4 +33,6 @@ winPEAS/winPEASexe/Directory.Build.targets .dccache ./*/.dccache regexes.yaml +.github/instructions/ +.github/workflows/build-artifacts.yml build_lists/regexes.yaml \ No newline at end of file diff --git a/linPEAS/builder/linpeas_builder.py b/linPEAS/builder/linpeas_builder.py index eb6cde1..6664e2a 100644 --- a/linPEAS/builder/linpeas_builder.py +++ b/linPEAS/builder/linpeas_builder.py @@ -20,7 +20,10 @@ def main(all_modules, all_no_fat_modules, no_network_scanning, small, include_mo lbuilder = LinpeasBuilder(ploaded) lbuilder.build() lbuilder.write_linpeas(output) - os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file + try: + os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file + except FileNotFoundError: + pass # Already removed (e.g. by a concurrent builder invocation in tests) st = os.stat(output) os.chmod(output, st.st_mode | stat.S_IEXEC) diff --git a/linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh b/linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh index 539000a..3171958 100644 --- a/linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh +++ b/linPEAS/builder/linpeas_parts/10_api_keys_regex/regexes.sh @@ -5,6 +5,7 @@ # Description: Regexes # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001,T1528 # Functions Used: print_2title, search_for_regex # Global Variables: $REGEXES, $TIMEOUT # Initial Functions: diff --git a/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh b/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh index 8ca821b..05b0a4a 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/10_Environment.sh 
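Review bot: Adding `.github/workflows/build-artifacts.yml` to .gitignore hides a CI workflow definition from `git status`, so a local edit to it, or a stray copy of it, would never surface in review, and a reader of the repo cannot tell whether a workflow was deliberately untracked or simply lost. If the file is generated locally and intentionally not a tracked workflow, a comment above the entry would make that explicit, e.g. `# build-artifacts.yml is generated locally and is not a tracked workflow`. Whether a tracked copy of that path exists elsewhere in the repository is not visible from this hunk.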
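Review bot: The removal of TEMPORARY_LINPEAS_BASE_PATH still runs only on the success path, so when `lbuilder.build()` or `lbuilder.write_linpeas(output)` raises, the temp file is left behind; the added try/except widens the happy path but does not make the cleanup reliable. A try/finally around the build steps, with the tolerant remove inside the finally, covers both cases. The comment's own explanation (a concurrent invocation already removed the file) suggests parallel builds share one fixed temp path, which the suppression masks rather than fixes; a per-invocation temporary name would remove that race, but the place where the path is created is outside this hunk. main() starts before the hunk (its signature is the hunk's context line), so if the temp file is produced before `lbuilder = LinpeasBuilder(ploaded)` the try should open there instead.
```python
    try:
        lbuilder = LinpeasBuilder(ploaded)
        lbuilder.build()
        lbuilder.write_linpeas(output)
    finally:
        # Remove the built linpeas_base_temp.sh file even if build/write failed.
        # A missing file is fine: another invocation may already have cleaned up.
        try:
            os.remove(TEMPORARY_LINPEAS_BASE_PATH)
        except FileNotFoundError:
            pass
    # … unchanged: stat/chmod of output …
```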
@@ -25,6 +25,7 @@ # - Configuration abuse # License: GNU GPL # Version: 1.0 +# Mitre: T1082,T1552.007 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $NoEnvVars, $EnvVarsRed # Initial Functions: @@ -33,7 +34,7 @@ # Small linpeas: 1 -print_2title "Environment" +print_2title "Environment" "T1082,T1552.007" print_info "Any private information inside environment variables?" (env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set" echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh index 512ff03..b15a140 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/11_Dmesg.sh @@ -21,6 +21,7 @@ # - Kernel module replacement # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $DEBUG # Initial Functions: @@ -30,7 +31,7 @@ if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then - print_2title "Searching Signature verification failed in dmesg" + print_2title "Searching Signature verification failed in dmesg" "T1082" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed" (dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg" echo "" diff --git a/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh b/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh index e795792..add3615 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/12_Macos_os_checks.sh 
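Review bot: Every changed `print_2title`/`print_3title` call in this hunk and in all following hunks passes the MITRE tag as a second positional argument, but nothing in this diff shows the helper being extended to read `$2`; if it still consumes only `$1`, the shell silently drops the extra argument and the tags never reach the output. Whether the helper was updated in a part of the change not shown here I cannot tell from this chunk, so this is worth confirming before merge. The technique string is also duplicated between the `# Mitre:` header and each call in the module body, which invites drift over time; since linpeas_builder.py presumably already parses these header fields, having the builder inject the header value into the title call would keep a single source of truth.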
@@ -26,6 +26,7 @@ # - System modification # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used:macosNotSigned, print_2title # Global Variables: $MACPEAS # Initial Functions: @@ -35,18 +36,18 @@ if [ "$MACPEAS" ]; then - print_2title "Kernel Extensions not belonging to apple" + print_2title "Kernel Extensions not belonging to apple" "T1082" kextstat 2>/dev/null | grep -Ev " com.apple." echo "" - print_2title "Unsigned Kernel Extensions" + print_2title "Unsigned Kernel Extensions" "T1082" macosNotSigned /Library/Extensions macosNotSigned /System/Library/Extensions echo "" fi if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then - print_2title "Brew Doctor Suggestions" + print_2title "Brew Doctor Suggestions" "T1082" brew doctor echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh index a800b3b..4282fc3 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/16_Protections.sh @@ -27,6 +27,7 @@ # - Protection circumvention # License: GNU GPL # Version: 1.0 +# Mitre: T1518.001 # Functions Used: echo_not_found, print_2title, print_list, warn_exec # Global Variables: # Initial Functions: @@ -58,7 +59,7 @@ print_sysctl_eq_zero() { } #-- SY) AppArmor -print_2title "Protections" +print_2title "Protections" "T1518.001" print_list "AppArmor enabled? .............. "$NC if [ "$(command -v aa-status 2>/dev/null || echo -n '')" ]; then aa-status 2>&1 | sed "s,disabled,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh index a615ebb..edad460 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/17_Kernel_Modules.sh 
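Review bot: The header touched here reads `# Functions Used:macosNotSigned, print_2title` with no space after the colon, unlike every other module header in this diff; if the builder splits the field on `: ` (presumably, given the other fields), the first name would be mis-parsed. Suggested line while the header is being edited anyway: `# Functions Used: macosNotSigned, print_2title`.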
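Review bot: The macOS kernel-extension checks ("Kernel Extensions not belonging to apple", "Unsigned Kernel Extensions") are tagged `T1082` here, while the equivalent Linux checks in 17_Kernel_Modules.sh (loaded modules, module signature enforcement) are tagged `T1547.006` in the following hunks; the same class of finding carries two different techniques. Either mapping is defensible (discovery of the system versus the persistence technique the finding enables), but the two files should agree, so pick one and apply it to both.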
@@ -14,6 +14,7 @@ # * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc. # License: GNU GPL # Version: 1.0 +# Mitre: T1547.006 # Functions Used: print_2title, print_3title # Global Variables: # Initial Functions: @@ -22,11 +23,10 @@ # Small linpeas: 1 echo "" -print_2title "Kernel Modules Information" - +print_2title "Kernel Modules Information" "T1547.006" # List loaded kernel modules if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then - print_3title "Loaded kernel modules" + print_3title "Loaded kernel modules" "T1547.006" if [ -f "/proc/modules" ]; then if command -v lsmod >/dev/null 2>&1; then lsmod @@ -39,7 +39,7 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then fi # Check for kernel modules with weak permissions -print_3title "Kernel modules with weak perms?" +print_3title "Kernel modules with weak perms?" "T1547.006" if [ -d "/lib/modules" ]; then find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g" if [ $? -eq 1 ]; then @@ -51,7 +51,7 @@ fi echo "" # Check for kernel modules that can be loaded by unprivileged users -print_3title "Kernel modules loadable? " +print_3title "Kernel modules loadable? " "T1547.006" if [ -f "/proc/sys/kernel/modules_disabled" ]; then if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g" @@ -63,7 +63,7 @@ else fi # Check for module signature enforcement -print_3title "Module signature enforcement? " +print_3title "Module signature enforcement? " "T1547.006" if [ -f "/proc/sys/kernel/module_sig_enforce" ]; then if [ "$(cat /proc/sys/kernel/module_sig_enforce)" = "1" ]; then echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g" diff --git a/linPEAS/builder/linpeas_parts/1_system_information/19_Kernel_Exploit_Registry.sh b/linPEAS/builder/linpeas_parts/1_system_information/19_Kernel_Exploit_Registry.sh index a608f8e..c7240f7 100644 
--- a/linPEAS/builder/linpeas_parts/1_system_information/19_Kernel_Exploit_Registry.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/19_Kernel_Exploit_Registry.sh @@ -6,6 +6,7 @@ # Description: The module executes on all Unix-like systems and auto-detects OS applicability. # License: GNU GPL # Version: 1.0 +# Mitre: T1068 # Functions Used: kercve_run_registry, print_2title # Global Variables: # Initial Functions: @@ -13,6 +14,6 @@ # Fat linpeas: 0 # Small linpeas: 1 -print_2title "Kernel Exploit Registry" +print_2title "Kernel Exploit Registry" "T1068" kercve_run_registry echo "" diff --git a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh index ae0f03b..57ad4a5 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/1_Operative_system.sh @@ -25,6 +25,7 @@ # - Kernel exploitation # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title, print_info, warn_exec # Global Variables: $MACPEAS, $kernelDCW_Ubuntu_Precise_1, $kernelB, $kernelDCW_Ubuntu_Precise_2, $kernelDCW_Ubuntu_Precise_3, $kernelDCW_Ubuntu_Precise_4, $kernelDCW_Ubuntu_Precise_5, $kernelDCW_Ubuntu_Precise_6, $kernelDCW_Rhel5_1, $kernelDCW_Rhel5_2, $kernelDCW_Rhel5_3, $kernelDCW_Rhel6_1, $kernelDCW_Rhel6_2, $kernelDCW_Rhel6_3, $kernelDCW_Rhel6_4, $kernelDCW_Rhel7, $kernelDCW_Ubuntu_Trusty_1, $kernelDCW_Ubuntu_Trusty_2, $kernelDCW_Ubuntu_Trusty_3, $kernelDCW_Ubuntu_Trusty_4, $kernelDCW_Ubuntu_Xenial # Initial Functions: 
@@ -32,7 +33,7 @@ # Fat linpeas: 0 # Small linpeas: 1 -print_2title "Operative system" +print_2title "Operative system" "T1082" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits" (cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED}," warn_exec lsb_release -a 2>/dev/null diff --git a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh index 3c82cbb..5a1d865 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/2_Sudo_version.sh 
@@ -19,6 +19,7 @@ # - Command injection # License: GNU GPL # Version: 1.0 +# Mitre: T1548.003,T1068 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $sudovB # Initial Functions: @@ -27,7 +28,7 @@ # Small linpeas: 1 -print_2title "Sudo version" +print_2title "Sudo version" "T1548.003,T1068" if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version" sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh index 493b24c..6623c03 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/3_USBCreator.sh @@ -19,6 +19,7 @@ # - USB device creation abuse # License: GNU GPL # Version: 1.0 +# Mitre: T1548.003,T1068 # Functions Used: print_2title, print_info # Global Variables: $DEBUG # Initial Functions: @@ -28,7 +29,7 @@ if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then - print_2title "USBCreator" + print_2title "USBCreator" "T1548.003,T1068" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html" pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+") diff --git a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh index 1d35f49..948c94f 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/4_Path.sh 
@@ -22,6 +22,7 @@ # - Sudo PATH abuse # License: GNU GPL # Version: 1.0 +# Mitre: T1574.007 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $IAMROOT, $OLDPATH, $PATH, $Wfolders # Initial Functions: @@ -30,7 +31,7 @@ # Small linpeas: 1 -print_2title "PATH" +print_2title "PATH" "T1574.007" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses" if ! [ "$IAMROOT" ]; then echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g" diff --git a/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh b/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh index 5c51ba1..caf3e6f 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/5_Date.sh @@ -25,6 +25,7 @@ # - Cron job abuse # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title, warn_exec # Global Variables: # Initial Functions: @@ -33,7 +34,7 @@ # Small linpeas: 0 -print_2title "Date & uptime" +print_2title "Date & uptime" "T1082" warn_exec date 2>/dev/null warn_exec uptime 2>/dev/null echo "" diff --git a/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh b/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh index 4b0d5d9..1ae1b82 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/6_CPU_info.sh @@ -25,6 +25,7 @@ # - CPU timing exploitation # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title, warn_exec # Global Variables: $DEBUG, $EXTRA_CHECKS # Initial Functions: @@ -34,7 +35,7 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then - print_2title "CPU info" + print_2title "CPU info" "T1082" warn_exec lscpu 2>/dev/null echo "" fi \ No newline at end of file 
diff --git a/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh b/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh index b8dfe99..a096d29 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/7_Mounts.sh @@ -25,6 +25,7 @@ # - Shared mount abuse # License: GNU GPL # Version: 1.0 +# Mitre: T1082,T1120 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $mountG, $mountpermsB, $mountpermsG, $notmounted, $Wfolders, $mounted # Initial Functions: @@ -34,7 +35,7 @@ if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then - print_2title "Unmounted file-system?" + print_2title "Unmounted file-system?" "T1082,T1120" print_info "Check if you can mount umounted devices" grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g" echo "" diff --git a/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh b/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh index a775bda..46baf52 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/8_Disks.sh @@ -25,6 +25,7 @@ # - Shared disk access # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title, warn_exec # Global Variables: $DEBUG # Initial Functions: 
@@ -34,14 +35,14 @@ if [ -d "/dev" ] || [ "$DEBUG" ] ; then - print_2title "Any sd*/disk* disk in /dev? (limit 20)" + print_2title "Any sd*/disk* disk in /dev? (limit 20)" "T1082" ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20 echo "" fi if [ "$(command -v smbutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then - print_2title "Mounted SMB Shares" + print_2title "Mounted SMB Shares" "T1082" warn_exec smbutil statshares -a echo "" fi diff --git a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh index 22cbbf1..6184e0d 100644 --- a/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh +++ b/linPEAS/builder/linpeas_parts/1_system_information/9_Disks_extra.sh @@ -26,6 +26,7 @@ # - Resource-based attacks # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title, warn_exec # Global Variables: $DEBUG, $EXTRA_CHECKS # Initial Functions: @@ -35,18 +36,18 @@ if ([ "$(command -v diskutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then - print_2title "Mounted disks information" + print_2title "Mounted disks information" "T1082" warn_exec diskutil list echo "" fi if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then - print_2title "System stats" + print_2title "System stats" "T1082" (df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk" warn_exec free 2>/dev/null echo "" - print_2title "Inode usage" + print_2title "Inode usage" "T1082" warn_exec df -i 2>/dev/null echo "" fi diff --git a/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh b/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh index 8e8683f..4f98ea5 100644 --- a/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh +++ b/linPEAS/builder/linpeas_parts/2_container/1_Container_tools.sh 
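Review bot: The `# Functions Used: print_2title, warn_exec` header edited in this file omits echo_not_found, which the System stats block calls (`(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"`). If the builder uses this field to decide which helper functions to bundle into the generated script (presumably, given the builder parses these headers), echo_not_found could be missing from a build that includes this module. Suggested line: `# Functions Used: echo_not_found, print_2title, warn_exec`. The same omission applies to 14_IBM_Cloud.sh further down, whose header lists check_ibm_vm, print_2title, print_3title but not exec_with_jq, which its body calls four times.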
@@ -22,6 +22,7 @@ # - Container escape tool usage # License: GNU GPL # Version: 1.0 +# Mitre: T1613 # Functions Used: print_2title # Global Variables: # Initial Functions: @@ -29,8 +30,7 @@ # Fat linpeas: 0 # Small linpeas: 1 -print_2title "Container related tools present (if any):" - +print_2title "Container related tools present (if any):" "T1613" # Container runtimes command -v docker command -v lxc diff --git a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh index 669e9bd..2beb270 100644 --- a/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh +++ b/linPEAS/builder/linpeas_parts/2_container/2_List_mounted_tokens.sh @@ -5,6 +5,7 @@ # Description: List tokens mounted in the system if any # License: GNU GPL # Version: 1.0 +# Mitre: T1528,T1552.007 # Functions Used: print_2title, print_info # Global Variables: # Initial Functions: @@ -14,7 +15,7 @@ if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then - print_2title "Listing mounted tokens" + print_2title "Listing mounted tokens" "T1528,T1552.007" print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html" ALREADY_TOKENS="IinItialVaaluE" for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do diff --git a/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh b/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh index d6bad98..5881cf0 100644 --- a/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh +++ b/linPEAS/builder/linpeas_parts/2_container/3_Container_details.sh @@ -25,6 +25,7 @@ # - Network escape techniques # License: GNU GPL # Version: 1.0 +# Mitre: T1613,T1611 # Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec # Global Variables: $containerType # Initial Functions: containerCheck 
@@ -32,8 +33,7 @@ # Fat linpeas: 0 # Small linpeas: 1 -print_2title "Container details" - +print_2title "Container details" "T1613,T1611" print_list "Is this a container? ...........$NC $containerType" if [ -e "/proc/vz" ] && ! [ -e "/proc/bc" ]; then diff --git a/linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh b/linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh index e5cad03..a375e6b 100644 --- a/linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh +++ b/linPEAS/builder/linpeas_parts/2_container/4_Docker_container_details.sh @@ -5,6 +5,7 @@ # Description: Get docker Container details from the inside # License: GNU GPL # Version: 1.0 +# Mitre: T1613 # Functions Used: checkDockerRootless, checkDockerVersionExploits, containerCheck, enumerateDockerSockets, inDockerGroup, print_2title, print_list # Global Variables: $containerType, $DOCKER_GROUP, $DOCKER_ROOTLESS, $dockerVersion, $inContainer, $VULN_CVE_2019_5736, $VULN_CVE_2019_13139, $VULN_CVE_2021_41091 # Initial Functions: containerCheck @@ -15,7 +16,7 @@ #If docker if echo "$containerType" | grep -qi "docker"; then - print_2title "Docker Container details" + print_2title "Docker Container details" "T1613" inDockerGroup print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW}," print_list "Looking and enumerating Docker Sockets (if any):\n"$NC @@ -31,7 +32,7 @@ if echo "$containerType" | grep -qi "docker"; then echo "" fi if df -h | grep docker; then - print_2title "Docker Overlays" + print_2title "Docker Overlays" "T1613" df -h | grep docker fi fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh index 3d0fb8f..41896fe 100644 --- a/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh +++ b/linPEAS/builder/linpeas_parts/2_container/5_Container_breakout.sh 
@@ -37,6 +37,7 @@ # - Container escape tool execution # License: GNU GPL # Version: 1.0 +# Mitre: T1611 # Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, enumerateDockerSockets, print_2title, print_3title, print_info, print_list, warn_exec # Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable # Initial Functions: containerCheck @@ -46,7 +47,7 @@ if [ "$inContainer" ]; then echo "" - print_2title "Container & breakout enumeration" + print_2title "Container & breakout enumeration" "T1611" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html" # Basic container info @@ -56,7 +57,7 @@ if [ "$inContainer" ]; then fi # Security mechanisms - print_3title "Security Mechanisms" + print_3title "Security Mechanisms" "T1611" seccomp_mode_num="$(awk '/^Seccomp:/{print $2}' /proc/self/status 2>/dev/null)" seccomp_mode_desc="unknown" case "$seccomp_mode_num" in @@ -87,8 +88,7 @@ if [ "$inContainer" ]; then fi # Known vulnerabilities - print_3title "Known Vulnerabilities" - + print_3title "Known Vulnerabilities" "T1611" checkContainerExploits print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW}," 
@@ -97,8 +97,7 @@ if [ "$inContainer" ]; then (command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g" # Runtime vulnerabilities - print_3title "Runtime Vulnerabilities" - + print_3title "Runtime Vulnerabilities" "T1611" # Check for known runtime vulnerabilities if [ "$(command -v runc || echo -n '')" ]; then print_list "Runc version ................. "$NC @@ -131,7 +130,7 @@ if [ "$inContainer" ]; then fi # Mount escape vectors - print_3title "Breakout via mounts" + print_3title "Breakout via mounts" "T1611" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html" checkProcSysBreakouts @@ -164,7 +163,7 @@ if [ "$inContainer" ]; then mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g" # Capability checks - print_3title "Capability Checks" + print_3title "Capability Checks" "T1611" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html" print_list "Dangerous capabilities ......... "$NC @@ -188,7 +187,7 @@ if [ "$inContainer" ]; then fi # Namespace checks - print_3title "Namespace Checks" + print_3title "Namespace Checks" "T1611" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html" print_list "Current namespaces ............. "$NC 
@@ -228,8 +227,7 @@ if [ "$inContainer" ]; then enumerateDockerSockets # Additional breakout vectors - print_3title "Additional Breakout Vectors" - + print_3title "Additional Breakout Vectors" "T1611" print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED}," print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED}," print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED}," @@ -239,7 +237,7 @@ if [ "$inContainer" ]; then print_list "Container escape tools in PATH . "$NC (which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g" - print_3title "Extra Breakout Vectors" + print_3title "Extra Breakout Vectors" "T1611" print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED}," print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED}," print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED}," @@ -279,7 +277,7 @@ if [ "$inContainer" ]; then # Kubernetes specific checks if echo "$containerType" | grep -qi "kubernetes"; then - print_3title "Kubernetes Specific Checks" + print_3title "Kubernetes Specific Checks" "T1611" print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html" print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n" 
@@ -315,7 +313,7 @@ if [ "$inContainer" ]; then fi # Interesting files and mounts - print_3title "Interesting Files & Mounts" + print_3title "Interesting Files & Mounts" "T1611" print_list "Interesting files mounted ........ "$NC (mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g" diff --git a/linPEAS/builder/linpeas_parts/2_container/7_RW_bind_mounts_nosuid.sh b/linPEAS/builder/linpeas_parts/2_container/7_RW_bind_mounts_nosuid.sh index d73a1cd..a33b5eb 100644 --- a/linPEAS/builder/linpeas_parts/2_container/7_RW_bind_mounts_nosuid.sh +++ b/linPEAS/builder/linpeas_parts/2_container/7_RW_bind_mounts_nosuid.sh @@ -8,6 +8,7 @@ # (classic container-to-host breakout via writable bind mount). # License: GNU GPL # Version: 1.0 +# Mitre: T1611 # Functions Used: containerCheck, print_2title, print_list, print_info # Global Variables: $inContainer # Initial Functions: containerCheck @@ -19,7 +20,7 @@ containerCheck if [ "$inContainer" ]; then echo "" - print_2title "Container - Writable bind mounts w/o nosuid (SUID persistence risk)" + print_2title "Container - Writable bind mounts w/o nosuid (SUID persistence risk)" "T1611" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#writable-bind-mounts" if [ -r /proc/self/mountinfo ]; then diff --git a/linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh b/linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh index 80b07db..9f9a7e3 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/10_Azure_automation_account.sh 
@@ -5,6 +5,7 @@ # Description: Azure Automation Account Service Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_az_automation_acc, exec_with_jq, print_2title, print_3title # Global Variables: $is_az_automation_acc, # Initial Functions: check_az_automation_acc @@ -16,8 +17,7 @@ API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp if [ "$is_az_automation_acc" = "Yes" ]; then - print_2title "Azure Automation Account Service Enumeration" - + print_2title "Azure Automation Account Service Enumeration" "T1552.005,T1580" HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER" az_req="" @@ -30,16 +30,16 @@ if [ "$is_az_automation_acc" = "Yes" ]; then fi if [ "$az_req" ]; then - print_3title "Management token" + print_3title "Management token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/" echo - print_3title "Graph token" + print_3title "Graph token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/" echo - print_3title "Vault token" + print_3title "Vault token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/" echo - print_3title "Storage token" + print_3title "Storage token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/" fi echo "" diff --git a/linPEAS/builder/linpeas_parts/3_cloud/11_DO_Droplet.sh b/linPEAS/builder/linpeas_parts/3_cloud/11_DO_Droplet.sh index b935c13..2d3a770 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/11_DO_Droplet.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/11_DO_Droplet.sh 
@@ -5,6 +5,7 @@ # Description: DO Droplet Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_do, print_2title # Global Variables: $is_do # Initial Functions: check_do @@ -14,8 +15,7 @@ if [ "$is_do" = "Yes" ]; then - print_2title "DO Droplet Enumeration" - + print_2title "DO Droplet Enumeration" "T1552.005,T1580" do_req="" if [ "$(command -v curl || echo -n '')" ]; then do_req='curl -s -f -L ' diff --git a/linPEAS/builder/linpeas_parts/3_cloud/13_Ali_Cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud/13_Ali_Cloud.sh index 6c6bff6..55baa27 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/13_Ali_Cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/13_Ali_Cloud.sh @@ -5,6 +5,7 @@ # Description: Ali Cloud Platform Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: print_2title, print_3title, print_info # Global Variables: $is_aliyun_ecs # Initial Functions: check_aliyun_ecs @@ -28,11 +29,11 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then fi if [ "$aliyun_token" ]; then - print_2title "Aliyun ECS Enumeration" + print_2title "Aliyun ECS Enumeration" "T1552.005,T1580" print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata" echo "" - print_3title "Instance Info" + print_3title "Instance Info" "T1552.005,T1580" i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname) [ "$i_hostname" ] && echo "Hostname: $i_hostname" i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id) @@ -50,7 +51,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id" echo "" - print_3title "Network Info" + print_3title "Network Info" "T1552.005,T1580" i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4) [ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4" i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4) 
@@ -77,7 +78,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then done echo "" - print_3title "Service account " + print_3title "Service account " "T1552.005,T1580" for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do echo " Name: $sa" echo " STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa") @@ -85,7 +86,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then done echo "" - print_3title "Possbile admin ssh Public keys" + print_3title "Possbile admin ssh Public keys" "T1552.005,T1580" for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do echo " Name: $key" echo " Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key") diff --git a/linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh index 4ab92b6..cc3a220 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/14_IBM_Cloud.sh @@ -5,6 +5,7 @@ # Description: IBM Cloud Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_ibm_vm, print_2title, print_3title # Global Variables: $IBM_TOKEN, $is_ibm_vm # Initial Functions: check_ibm_vm @@ -14,8 +15,7 @@ if [ "$is_ibm_vm" = "Yes" ]; then - print_2title "IBM Cloud Enumeration" - + print_2title "IBM Cloud Enumeration" "T1552.005,T1580" if ! [ "$IBM_TOKEN" ]; then echo "Couldn't get the metadata token:(" 
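Review bot: The rewritten title `print_3title "Possbile admin ssh Public keys" "T1552.005,T1580"` keeps the pre-existing typo, and `print_3title "Service account " "T1552.005,T1580"` keeps a trailing space inside the title; since both lines are rewritten by this commit anyway, `"Possible admin SSH public keys"` and `"Service account"` cost nothing here. The same two titles are rewritten identically in the Tencent hunks, and the AWS EC2 hunk rewrites `"SSM Runnig"` where "SSM Running" is meant. The enclosing `if [ "$is_aliyun_ecs" = "Yes" ]` block starts and ends outside these hunks.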
@@ -34,17 +34,17 @@ if [ "$is_ibm_vm" = "Yes" ]; then fi if [ "$ibm_req" ]; then - print_3title "Instance Details" + print_3title "Instance Details" "T1552.005,T1580" exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" - print_3title "Keys and User data" + print_3title "Keys and User data" "T1552.005,T1580" exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" - print_3title "Placement Groups" + print_3title "Placement Groups" "T1552.005,T1580" exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" - print_3title "IAM credentials" + print_3title "IAM credentials" "T1552.005,T1580" exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" fi fi diff --git a/linPEAS/builder/linpeas_parts/3_cloud/15_Tencent_Cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud/15_Tencent_Cloud.sh index d53ee4a..743d751 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/15_Tencent_Cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/15_Tencent_Cloud.sh @@ -5,6 +5,7 @@ # Description: Tencent Cloud Platform Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: print_2title, print_3title, print_info # Global Variables: $is_tencent_cvm # Initial Functions: check_tencent_cvm 
@@ -24,12 +25,12 @@ if [ "$is_tencent_cvm" = "Yes" ]; then fi - print_2title "Tencent CVM Enumeration" + print_2title "Tencent CVM Enumeration" "T1552.005,T1580" print_info "https://cloud.tencent.com/document/product/213/4934" # Todo: print_info "Hacktricks Documents needs to be updated" echo "" - print_3title "Instance Info" + print_3title "Instance Info" "T1552.005,T1580" i_tencent_owner_account=$(eval $tencent_req http://169.254.0.23/latest/meta-data/app-id) [ "$i_tencent_owner_account" ] && echo "Tencent Owner Account: $i_tencent_owner_account" i_hostname=$(eval $tencent_req http://169.254.0.23/latest/meta-data/hostname) @@ -48,7 +49,7 @@ if [ "$is_tencent_cvm" = "Yes" ]; then [ "$i_zone_id" ] && echo "Zone ID: $i_zone_id" echo "" - print_3title "Network Info" + print_3title "Network Info" "T1552.005,T1580" for mac_tencent in $(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/); do echo " Mac: $mac_tencent" echo " Primary IPv4: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/primary-local-ipv4) @@ -67,7 +68,7 @@ if [ "$is_tencent_cvm" = "Yes" ]; then done echo "" - print_3title "Service account " + print_3title "Service account " "T1552.005,T1580" for sa_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/"); do echo " Name: $sa_tencent" echo " STS Token: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/$sa_tencent") @@ -75,7 +76,7 @@ if [ "$is_tencent_cvm" = "Yes" ]; then done echo "" - print_3title "Possbile admin ssh Public keys" + print_3title "Possbile admin ssh Public keys" "T1552.005,T1580" for key_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/"); do echo " Name: $key_tencent" echo " Key: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/${key_tencent}openssh-key") 
@@ -83,6 +84,6 @@ if [ "$is_tencent_cvm" = "Yes" ]; then done echo "" - print_3title "User Data" + print_3title "User Data" "T1552.005,T1580" eval $tencent_req http://169.254.0.23/latest/user-data; echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh index e93097b..ad4a356 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/1_Check_if_in_cloud.sh @@ -5,6 +5,7 @@ # Description: Check if the current system is inside a cloud environment # License: GNU GPL # Version: 1.0 +# Mitre: T1580 # Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_az_automation_acc, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list # Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_automation_acc, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm # Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_az_automation_acc, check_aliyun_ecs, check_tencent_cvm diff --git a/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh b/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh index f5383d6..67e96a7 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/2_AWS_EC2.sh @@ -5,6 +5,7 @@ # Description: AWS EC2 Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title # Global Variables: $is_aws_ec2 # Initial Functions: check_aws_ec2 
@@ -14,8 +15,7 @@ if [ "$is_aws_ec2" = "Yes" ]; then - print_2title "AWS EC2 Enumeration" - + print_2title "AWS EC2 Enumeration" "T1552.005,T1580" TOKEN="" TOKEN_HEADER="X-aws-ec2-metadata-token" TOKEN_TTL="X-aws-ec2-metadata-token-ttl-seconds: 21600" @@ -43,11 +43,11 @@ if [ "$is_aws_ec2" = "Yes" ]; then printf "region: "; eval $aws_req "$URL/placement/region"; echo "" echo "" - print_3title "Account Info" + print_3title "Account Info" "T1552.005,T1580" exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo "" echo "" - print_3title "Network Info" + print_3title "Network Info" "T1552.005,T1580" for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do echo "Mac: $mac" printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo "" @@ -62,7 +62,7 @@ if [ "$is_aws_ec2" = "Yes" ]; then done echo "" - print_3title "IAM Role" + print_3title "IAM Role" "T1552.005,T1580" exec_with_jq eval $aws_req "$URL/iam/info"; echo "" for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do echo "Role: $role" @@ -71,14 +71,14 @@ if [ "$is_aws_ec2" = "Yes" ]; then done echo "" - print_3title "User Data" + print_3title "User Data" "T1552.005,T1580" eval $aws_req "http://169.254.169.254/latest/user-data"; echo "" echo "" - print_3title "EC2 Security Credentials" + print_3title "EC2 Security Credentials" "T1552.005,T1580" exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo "" - print_3title "SSM Runnig" + print_3title "SSM Runnig" "T1552.005,T1580" ps aux 2>/dev/null | grep "ssm-agent" | grep -Ev "grep|sed s,ssm-agent" | sed "s,ssm-agent,${SED_RED}," fi echo "" diff --git a/linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh b/linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh index 1a6a5e9..2738399 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/3_AWS_ECS.sh 
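Review bot: The blanket `"T1552.005,T1580"` tag is applied to subsections that never touch the metadata endpoint: `print_3title "SSM Runnig" "T1552.005,T1580"` labels a `ps aux | grep ssm-agent` process check, and in the AWS ECS hunks that follow, `"ECS agent IMDS settings"` reads `/etc/ecs/ecs.config` while `"DOCKER-USER IMDS filtering"` inspects iptables rules. Mapping a check to the technique whose exposure it measures is a judgement call, but a process listing corresponds more naturally to T1057 (Process Discovery) and the agent-config and host-firewall checks to T1082/T1016, so tagging at the granularity the third-level titles already claim would make the per-section IDs meaningful rather than a copy of the module header.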
@@ -5,6 +5,7 @@ # Description: AWS ECS Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title # Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs # Initial Functions: check_aws_ecs @@ -14,8 +15,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then - print_2title "AWS ECS Enumeration" - + print_2title "AWS ECS Enumeration" "T1552.005,T1580" aws_ecs_req="" if [ "$(command -v curl || echo -n '')" ]; then aws_ecs_req='curl -s -f' @@ -26,11 +26,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then fi if [ "$aws_ecs_metadata_uri" ]; then - print_3title "Container Info" + print_3title "Container Info" "T1552.005,T1580" exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri" echo "" - print_3title "Task Info" + print_3title "Task Info" "T1552.005,T1580" exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task" echo "" else @@ -38,14 +38,14 @@ if [ "$is_aws_ecs" = "Yes" ]; then fi if [ "$aws_ecs_service_account_uri" ]; then - print_3title "IAM Role" + print_3title "IAM Role" "T1552.005,T1580" exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri" echo "" else echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)" fi - print_3title "ECS task metadata hints" + print_3title "ECS task metadata hints" "T1552.005,T1580" aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null) if [ "$aws_exec_env" ]; then printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env" @@ -70,7 +70,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then fi echo "" - print_3title "IMDS reachability from this task" + print_3title "IMDS reachability from this task" "T1552.005,T1580" imds_token="" imds_roles="" imds_http_code="" 
@@ -128,7 +128,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then fi echo "" - print_3title "ECS agent IMDS settings" + print_3title "ECS agent IMDS settings" "T1552.005,T1580" if [ -r "/etc/ecs/ecs.config" ]; then ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1) ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1) @@ -158,7 +158,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then fi echo "" - print_3title "DOCKER-USER IMDS filtering" + print_3title "DOCKER-USER IMDS filtering" "T1552.005,T1580" iptables_cmd="" if command -v iptables >/dev/null 2>&1; then iptables_cmd=$(command -v iptables) diff --git a/linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh b/linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh index 5470c46..834e8cd 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/4_AWS_Lambda.sh @@ -5,6 +5,7 @@ # Description: AWS Lambda Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_aws_lambda, print_2title # Global Variables: $is_aws_lambda # Initial Functions: check_aws_lambda @@ -14,7 +15,7 @@ if [ "$is_aws_lambda" = "Yes" ]; then - print_2title "AWS Lambda Enumeration" + print_2title "AWS Lambda Enumeration" "T1552.005,T1580" printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME printf "Region: "; env | grep AWS_REGION printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY diff --git a/linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh b/linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh index 7039328..c607dd2 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/5_AWS_Codebuild.sh 
@@ -5,6 +5,7 @@ # Description: AWS Codebuild Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_aws_codebuild, exec_with_jq, print_2title, print_3title # Global Variables: $is_aws_codebuild # Initial Functions: check_aws_codebuild @@ -14,8 +15,7 @@ if [ "$is_aws_codebuild" = "Yes" ]; then - print_2title "AWS Codebuild Enumeration" - + print_2title "AWS Codebuild Enumeration" "T1552.005,T1580" aws_req="" if [ "$(command -v curl || echo -n '')" ]; then aws_req="curl -s -f" @@ -27,12 +27,12 @@ if [ "$is_aws_codebuild" = "Yes" ]; then fi if [ "$aws_req" ]; then - print_3title "Credentials" + print_3title "Credentials" "T1552.005,T1580" CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2) URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig exec_with_jq eval $aws_req "$URL_CREDS"; echo "" - print_3title "Container Info" + print_3title "Container Info" "T1552.005,T1580" METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2) exec_with_jq eval $aws_req "$METADATA_URL"; echo "" fi diff --git a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh index 63e300d..0add309 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/6_Google_cloud_function.sh @@ -5,6 +5,7 @@ # Description: Google Cloud Function Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_gcp, print_2title, print_3title, print_info # Global Variables: $is_gcp_function, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES # Initial Functions: check_gcp 
@@ -25,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then # GCP Enumeration if [ "$gcp_req" ]; then - print_2title "Google Cloud Platform Enumeration" + print_2title "Google Cloud Platform Enumeration" "T1552.005,T1580" print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html" ## GC Project Info @@ -43,7 +44,7 @@ if [ "$is_gcp_function" = "Yes" ]; then [ "$inst_zone" ] && echo "Zone: $inst_zone" echo "" - print_3title "Service Accounts" + print_3title "Service Accounts" "T1552.005,T1580" for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do echo " Name: $sa" echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}email") diff --git a/linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh b/linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh index 53b83f5..dc08527 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/7_Google_cloud_vm.sh @@ -5,6 +5,7 @@ # Description: Google Cloud VM Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_gcp, print_2title, print_3title, print_info # Global Variables: $is_gcp_vm, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES # Initial Functions: check_gcp @@ -25,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then if [ "$gcp_req" ]; then - print_2title "Google Cloud Platform Enumeration" + print_2title "Google Cloud Platform Enumeration" "T1552.005,T1580" print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html" ## GC Project Info 
@@ -80,7 +81,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then [ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv" echo "" - print_3title "Interfaces" + print_3title "Interfaces" "T1552.005,T1580" for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do echo " IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip") echo " Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask") @@ -91,12 +92,12 @@ if [ "$is_gcp_vm" = "Yes" ]; then done echo "" - print_3title "User Data" + print_3title "User Data" "T1552.005,T1580" echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script") echo "" echo "" - print_3title "Service Accounts" + print_3title "Service Accounts" "T1552.005,T1580" for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do echo " Name: $sa" echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email") diff --git a/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh b/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh index 48b1744..6266d5f 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/8_Azure_VM.sh @@ -5,6 +5,7 @@ # Description: Azure VM Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_az_vm, exec_with_jq, print_2title, print_3title # Global Variables: $is_az_vm # Initial Functions: check_az_vm 
@@ -14,8 +15,7 @@ if [ "$is_az_vm" = "Yes" ]; then - print_2title "Azure VM Enumeration" - + print_2title "Azure VM Enumeration" "T1552.005,T1580" HEADER="Metadata:true" URL="http://169.254.169.254/metadata" API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions 
@@ -30,38 +30,38 @@ if [ "$is_az_vm" = "Yes" ]; then fi if [ "$az_req" ]; then - print_3title "Instance details" + print_3title "Instance details" "T1552.005,T1580" exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION" echo "" - print_3title "Load Balancer details" + print_3title "Load Balancer details" "T1552.005,T1580" exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION" echo "" - print_3title "User Data" + print_3title "User Data" "T1552.005,T1580" exec_with_jq eval $az_req "$URL/instance/compute/userData?api-version=$API_VERSION\&format=text" | base64 -d 2>/dev/null echo "" - print_3title "Custom Data and other configs (root needed)" + print_3title "Custom Data and other configs (root needed)" "T1552.005,T1580" (cat /var/lib/waagent/ovf-env.xml || cat /var/lib/waagent/CustomData/ovf-env.xml) 2>/dev/null | sed "s,CustomData.*,${SED_RED}," echo "" - print_3title "Management token" + print_3title "Management token" "T1552.005,T1580" print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/" echo "" - print_3title "Graph token" + print_3title "Graph token" "T1552.005,T1580" print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/" echo "" - print_3title "Vault token" + print_3title "Vault token" "T1552.005,T1580" print_info "It's possible to assign 1 system MI and several user MI to a VM. 
LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/" echo "" - print_3title "Storage token" + print_3title "Storage token" "T1552.005,T1580" print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/" echo "" diff --git a/linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh b/linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh index ba5050d..bcb66f1 100644 --- a/linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh +++ b/linPEAS/builder/linpeas_parts/3_cloud/9_Azure_app_service.sh @@ -5,6 +5,7 @@ # Description: Azure App Service Enumeration # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005,T1580 # Functions Used: check_az_app, exec_with_jq, print_2title, print_3title # Global Variables: $is_az_app, # Initial Functions: check_az_app @@ -16,8 +17,7 @@ API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp if [ "$is_az_app" = "Yes" ]; then - print_2title "Azure App Service Enumeration" - + print_2title "Azure App Service Enumeration" "T1552.005,T1580" HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER" az_req="" 
@@ -30,16 +30,16 @@ if [ "$is_az_app" = "Yes" ]; then fi if [ "$az_req" ]; then - print_3title "Management token" + print_3title "Management token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/" echo - print_3title "Graph token" + print_3title "Graph token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/" echo - print_3title "Vault token" + print_3title "Vault token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/" echo - print_3title "Storage token" + print_3title "Storage token" "T1552.005,T1580" exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/" fi echo "" diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh index 9097856..a5de860 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/10_Services.sh @@ -5,6 +5,7 @@ # Description: Services and service files analysis with privilege escalation vectors # License: GNU GPL # Version: 1.2 +# Mitre: T1543.002,T1007 # Functions Used: echo_not_found, print_2title, print_info, print_3title # Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 0 if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Services and Service Files" + print_2title "Services and Service Files" "T1543.002,T1007" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services" # Function to check service content for privilege escalation vectors 
@@ -125,7 +126,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # List all services and check for privilege escalation vectors echo "" - print_3title "Active services:" + print_3title "Active services:" "T1543.002,T1007" systemctl list-units --type=service --state=active 2>/dev/null | grep -v "UNIT" | while read -r line; do service_unit=$(echo "$line" | awk '{print $1}') if [ -n "$service_unit" ]; then @@ -145,7 +146,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # Check for disabled but available services echo "" - print_3title "Disabled services:" + print_3title "Disabled services:" "T1543.002,T1007" systemctl list-unit-files --type=service --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do service_unit=$(echo "$line" | awk '{print $1}') if [ -n "$service_unit" ]; then @@ -166,7 +167,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # Check service files from PSTORAGE_SYSTEMD if [ -n "$PSTORAGE_SYSTEMD" ]; then echo "" - print_3title "Additional service files:" + print_3title "Additional service files:" "T1543.002,T1007" printf "%s\n" "$PSTORAGE_SYSTEMD" | while read -r service_file; do if [ -n "$service_file" ] && [ -e "$service_file" ]; then check_service_file "$service_file" @@ -177,7 +178,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # Check for outdated services if EXTRA_CHECKS is enabled if [ "$EXTRA_CHECKS" ]; then echo "" - print_3title "Service versions and status:" + print_3title "Service versions and status:" "T1543.002,T1007" if [ "$TIMEOUT" ]; then $TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl" else diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh index a4b27d4..6689058 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh 
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/11_Systemd.sh @@ -14,6 +14,7 @@ # * Writable paths: Replace executables in writable paths to get code execution # License: GNU GPL # Version: 1.1 +# Mitre: T1543.002 # Functions Used: print_2title, print_list, echo_not_found # Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC # Initial Functions: @@ -22,7 +23,7 @@ # Small linpeas: 1 if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Systemd Information" + print_2title "Systemd Information" "T1543.002" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths" # Function to check if systemctl is available @@ -161,7 +162,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then echo "" - print_2title "Systemd PATH" + print_2title "Systemd PATH" "T1543.002" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths" if check_systemctl; then systemctl show-environment 2>/dev/null | diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh index afb9186..12c0875 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh @@ -10,6 +10,7 @@ # - Socket files with unsafe configurations # License: GNU GPL # Version: 1.2 +# Mitre: T1559 # Functions Used: print_2title, print_info, print_list # Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC # Initial Functions: 
@@ -18,7 +19,7 @@ # Small linpeas: 0 if ! [ "$IAMROOT" ]; then - print_2title "Analyzing .socket files" + print_2title "Analyzing .socket files" "T1559" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets" # Function to check if path is relative diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh index ed7d407..0c8b33a 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh @@ -10,6 +10,7 @@ # - Socket protocol analysis # License: GNU GPL # Version: 1.1 +# Mitre: T1571,T1049 # Functions Used: print_2title, print_info # Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $SED_RED_YELLOW, $NC, $RED # Initial Functions: @@ -19,7 +20,7 @@ if ! [ "$IAMROOT" ]; then if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Unix Sockets Analysis" + print_2title "Unix Sockets Analysis" "T1571,T1049" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets" diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh index d2cc574..16031de 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh 
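Review bot: `T1571` (Non-Standard Port) is a command-and-control technique about TCP/UDP port choice, and Unix domain sockets have no port, so its use in `print_2title "Unix Sockets Analysis" "T1571,T1049"` and in the matching `# Mitre: T1571,T1049` header reads as a mismatch with what the section inspects. `T1049` alone, or `T1559` as the preceding `12_Socket_files.sh` hunk uses for socket files, describes the check more accurately. The enclosing `if ! [ "$IAMROOT" ]` block starts and ends outside the hunk.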
@@ -11,6 +11,7 @@ # - D-Bus Privilege Escalation Vectors # License: GNU GPL # Version: 1.3 +# Mitre: T1559.001 # Functions Used: print_2title, print_3title, print_info, echo_not_found # Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $dbuslistG, $knw_usrs, $rootcommon, $SED_RED, $SED_GREEN, $SED_BLUE, $SED_LIGHT_CYAN, $SED_LIGHT_MAGENTA, $NC # Initial Functions: @@ -19,7 +20,7 @@ # Small linpeas: 1 if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "D-Bus Analysis" + print_2title "D-Bus Analysis" "T1559.001" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus" @@ -213,7 +214,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # Analyze D-Bus Configuration Files if [ "$PSTORAGE_DBUS" ]; then echo "" - print_2title "D-Bus Configuration Files" + print_2title "D-Bus Configuration Files" "T1559.001" echo "$PSTORAGE_DBUS" | while read -r dir; do for dbus_file in "$dir"/*; do if [ -f "$dbus_file" ]; then @@ -229,7 +230,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then # Check for D-Bus session bus if command -v dbus-send >/dev/null 2>&1; then echo "" - print_3title "D-Bus Session Bus Analysis" + print_3title "D-Bus Session Bus Analysis" "T1559.001" if dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep -q "Error"; then echo "(${RED}No access to session bus${NC})" else diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh index 5444984..a83ee2c 100644 --- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh +++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh 
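Review bot: `T1559.001` is ATT&CK's Component Object Model sub-technique, which is Windows-only; D-Bus has no dedicated sub-technique under Inter-Process Communication, so the header `# Mitre: T1559.001` and the three title calls in these hunks (`"D-Bus Analysis"`, `"D-Bus Configuration Files"`, `"D-Bus Session Bus Analysis"`) should carry the parent `T1559`, consistent with the `12_Socket_files.sh` hunk above. The enclosing `if ! [ "$SEARCH_IN_FOLDER" ]` block starts and ends outside the hunks.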
@@ -6,6 +6,7 @@ # which can allow passwordless root via hostname/DNS manipulation. # License: GNU GPL # Version: 1.0 +# Mitre: T1021.004 # Functions Used: print_2title, print_3title, echo_not_found # Global Variables: # Initial Functions: @@ -14,10 +15,9 @@ # Small linpeas: 1 if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust" - + print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust" "T1021.004" echo "" - print_3title "Listening r-services (TCP 512-514)" + print_3title "Listening r-services (TCP 512-514)" "T1021.004" if command -v ss >/dev/null 2>&1; then ss -ltnp 2>/dev/null | awk '$1 ~ /^LISTEN$/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "ss" elif command -v netstat >/dev/null 2>&1; then @@ -27,7 +27,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then fi echo "" - print_3title "systemd units exposing r-services" + print_3title "systemd units exposing r-services" "T1021.004" if command -v systemctl >/dev/null 2>&1; then systemctl list-unit-files 2>/dev/null | grep -E '^(rlogin|rsh|rexec)\.(socket|service)\b' || echo_not_found "rlogin|rsh|rexec units" systemctl list-sockets 2>/dev/null | grep -E '\b(rlogin|rsh|rexec)\.socket\b' || true @@ -36,7 +36,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then fi echo "" - print_3title "inetd/xinetd configuration for r-services" + print_3title "inetd/xinetd configuration for r-services" "T1021.004" if [ -f /etc/inetd.conf ]; then grep -vE '^\s*#|^\s*$' /etc/inetd.conf 2>/dev/null | grep -Ei '\b(shell|login|exec|rsh|rlogin|rexec)\b' 2>/dev/null || echo " No r-services found in /etc/inetd.conf" else 
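Review bot: `T1021.004` is the SSH sub-technique of Remote Services, yet these hunks apply it to rsh/rlogin/rexec listeners, their systemd units, inetd/xinetd entries and, in the following hunks, the `hosts.equiv`, `.rhosts` and PAM rhosts checks, none of which involve SSH. The parent `T1021` fits the `# Mitre:` header and those titles, with `T1021.004` kept only for the `"SSH HostbasedAuthentication"` title; the `"Potential DNS control indicators (local)"` title is a process-list check and fits neither, T1057 being the closer match. The enclosing `if ! [ "$SEARCH_IN_FOLDER" ]` block continues past the hunk.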
@@ -60,7 +60,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 fi
 echo ""
- print_3title "Installed r-service server packages"
+ print_3title "Installed r-service server packages" "T1021.004"
 if command -v dpkg >/dev/null 2>&1; then
 dpkg -l 2>/dev/null | grep -E '\b(rsh-server|rsh-redone-server|krb5-rsh-server|inetutils-inetd|openbsd-inetd|xinetd|netkit-rsh)\b' || echo " No related packages found via dpkg"
 elif command -v rpm >/dev/null 2>&1; then
@@ -70,7 +70,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 fi
 echo ""
- print_3title "/etc/hosts.equiv and /etc/shosts.equiv"
+ print_3title "/etc/hosts.equiv and /etc/shosts.equiv" "T1021.004"
 for f in /etc/hosts.equiv /etc/shosts.equiv; do
 if [ -f "$f" ]; then
 perms=$(stat -c %a "$f" 2>/dev/null)
@@ -87,7 +87,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done
 echo ""
- print_3title "Per-user .rhosts files"
+ print_3title "Per-user .rhosts files" "T1021.004"
 any_rhosts=false
 for rfile in /root/.rhosts /home/*/.rhosts; do
 if [ -f "$rfile" ]; then
@@ -107,7 +107,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 if ! $any_rhosts; then echo_not_found ".rhosts"; fi
 echo ""
- print_3title "PAM rhosts authentication"
+ print_3title "PAM rhosts authentication" "T1021.004"
 shown=false
 for p in /etc/pam.d/rlogin /etc/pam.d/rsh; do
 if [ -f "$p" ]; then
@@ -119,7 +119,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 if ! $shown; then echo_not_found "/etc/pam.d/rlogin|rsh"; fi
 echo ""
- print_3title "SSH HostbasedAuthentication"
+ print_3title "SSH HostbasedAuthentication" "T1021.004"
 if [ -f /etc/ssh/sshd_config ]; then
 if grep -qiE '^[^#]*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config 2>/dev/null; then
 echo " HostbasedAuthentication yes (check /etc/shosts.equiv or ~/.shosts)"
@@ -131,7 +131,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 fi
 echo ""
- print_3title "Potential DNS control indicators (local)"
+ print_3title "Potential DNS control indicators (local)" "T1021.004"
 (ps -eo comm,args 2>/dev/null | grep -Ei '(^|/)(pdns|pdns_server|pdns_recursor|powerdns-admin)( |$)' | grep -Ev 'grep|bash' || echo " Not detected")
 echo ""
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh
index 49e9049..419c828 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh
@@ -8,6 +8,7 @@
 # - Cron DB path (CRON_DB_PATH) and weak permissions / embedded secrets in jobs
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1053.003
 # Functions Used: print_2title, print_info, print_list, echo_not_found
 # Global Variables: $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
 # Initial Functions:
@@ -16,7 +17,7 @@
 # Small linpeas: 1
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Crontab UI (root) misconfiguration checks"
+ print_2title "Crontab UI (root) misconfiguration checks" "T1053.003"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
 # Collect candidate services referencing crontab-ui
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh
index 95e6c67..3307f22 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh
@@ -5,6 +5,7 @@
 # Description: Identify deleted files still held open by running processes
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1083
 # Functions Used: print_2title, print_info
 # Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
 # Initial Functions:
@@ -13,12 +14,12 @@
 # Small linpeas: 1
 if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
- print_2title "Deleted files still open"
+ print_2title "Deleted files still open" "T1083"
 print_info "Open deleted files can hide tools and still consume disk space"
 lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
 echo ""
 elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
- print_2title "Deleted files still open"
+ print_2title "Deleted files still open" "T1083"
 print_info "lsof not found, scanning /proc for deleted file descriptors"
 ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
 echo ""
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
index 2ddb825..d267a89 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/1_List_processes.sh
@@ -5,6 +5,7 @@
 # Description: List running processes and check for unusual configurations
 # License: GNU GPL
 # Version: 1.4
+# Mitre: T1057
 # Functions Used: print_2title, print_info, print_ps
 # Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
 # Initial Functions:
@@ -13,8 +14,7 @@
 # Small linpeas: 1
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Running processes (cleaned)"
-
+ print_2title "Running processes (cleaned)" "T1057"
 if [ "$NOUSEPS" ]; then
 printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
 fi
@@ -234,7 +234,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 fi
 # Additional checks for each process
- print_2title "Processes with unusual configurations"
+ print_2title "Processes with unusual configurations" "T1057"
 for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do # Skip if process doesn't exist or we can't access it
 [ ! -d "/proc/$pid" ] && continue
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
index 4135abf..608cf42 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh
@@ -5,6 +5,7 @@
 # Description: Processes with credentials inside memory and memory-mapped files
 # License: GNU GPL
 # Version: 1.2
+# Mitre: T1003.007
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $pslist, $SEARCH_IN_FOLDER, $processesDump, $nosh_usrs, $processesB, $knw_usrs, $rootcommon, $sh_usrs, $processesVB
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Processes with credentials in memory (root req)"
+ print_2title "Processes with credentials in memory (root req)" "T1003.007"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
 # Common credential-storing processes
@@ -30,7 +31,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 # Check for processes with open handles to credential files
 echo ""
- print_2title "Opened Files by processes"
+ print_2title "Opened Files by processes" "T1003.007"
 for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do # Skip if process doesn't exist or we can't access it
 [ ! -d "/proc/$pid" ] && continue
@@ -76,7 +77,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 # Check for processes with memory-mapped files that might contain credentials
 echo ""
- print_2title "Processes with memory-mapped credential files"
+ print_2title "Processes with memory-mapped credential files" "T1003.007"
 for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do # Skip if process doesn't exist or we can't access it
 [ ! -d "/proc/$pid" ] && continue
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
index fac29ea..1bce4a0 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh
@@ -5,6 +5,7 @@
 # Description: Check the permissions of the binaries of the running processes
 # License: GNU GPL
 # Version: 1.2
+# Mitre: T1574,T1554
 # Functions Used: print_2title, print_info
 # Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 if [ "$NOUSEPS" ]; then
- print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
+ print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" "T1574,T1554"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
 # Get list of writable binaries
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
index c846abb..fd9411f 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh
@@ -5,6 +5,7 @@
 # Description: Processes whose PPID belongs to a different user (not root)
 # License: GNU GPL
 # Version: 1.1
+# Mitre: T1134.004
 # Functions Used: print_2title, print_info
 # Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
- print_2title "Processes whose PPID belongs to a different user (not root)"
+ print_2title "Processes whose PPID belongs to a different user (not root)" "T1134.004"
 print_info "You will know if a user can somehow spawn processes as a different user"
 # Function to get user by PID using /proc
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
index 4fb9bd5..582b4eb 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
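Review bot: `T1134.004` (Access Token Manipulation: Parent PID Spoofing) is catalogued in ATT&CK as a Windows technique, while the check in 4_Processes_PPID_different_user.sh is a Linux /proc walk whose stated intent (the `print_info` line) is spotting users who can spawn processes as another user. A tag should describe what the check observes; `T1057` (Process Discovery), already used for the sibling process checks in this commit, is the safer choice for the `# Mitre:` header and the `print_2title` call unless the linPEAS mapping intentionally tags the escalation vector rather than the enumeration. The body of the check continues outside the hunk.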
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh
@@ -5,6 +5,7 @@
 # Description: Files opened by processes belonging to other users
 # License: GNU GPL
 # Version: 1.1
+# Mitre: T1083
 # Functions Used: print_2title, print_info
 # Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 if ! [ "$IAMROOT" ]; then
- print_2title "Files opened by processes belonging to other users"
+ print_2title "Files opened by processes belonging to other users" "T1083"
 print_info "This is usually empty because of the lack of privileges to read other user processes information"
 # Function to get username by UID
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh
index 7cf222f..9ff505d 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh
@@ -5,6 +5,7 @@
 # Description: Different processes executed during 1 min
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1057
 # Functions Used: print_2title, print_info
 # Global Variables: $nosh_usrs, $sh_usrs, $Wfolders
 # Initial Functions:
@@ -15,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
- print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
+ print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" "T1057"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
 temp_file=$(mktemp)
 if [ "$(ps -e -o user,command 2>/dev/null)" ]; then
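Review bot: The `# Global Variables:` header of 6_Different_procs_1min.sh still lists only `$nosh_usrs, $sh_usrs, $Wfolders`, while the hunk below it reads `$SEARCH_IN_FOLDER`, `$FAST` and `$SUPERFAST`; since the header is being edited for the Mitre line anyway, `# Global Variables: $FAST, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $SUPERFAST, $Wfolders` would make it accurate. Whether the builder consumes this header for anything beyond documentation is not visible here. Both `if` blocks continue outside the hunk.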
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
index a990c5f..e62e00e 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh
@@ -5,6 +5,7 @@
 # Description: Enumerate system cron jobs and check for privilege escalation vectors
 # License: GNU GPL
 # Version: 1.2
+# Mitre: T1053.003
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB, $PATH
 # Initial Functions:
@@ -13,10 +14,10 @@
 # Small linpeas: 1
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Check for vulnerable cron jobs"
+ print_2title "Check for vulnerable cron jobs" "T1053.003"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
- print_3title "Cron jobs list"
+ print_3title "Cron jobs list" "T1053.003"
 command -v crontab 2>/dev/null || echo_not_found "crontab"
 crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
 command -v incrontab 2>/dev/null || echo_not_found "incrontab"
@@ -29,10 +30,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 atq 2>/dev/null
 echo ""
- print_3title "Checking for specific cron jobs vulnerabilities"
-
-
-
+ print_3title "Checking for specific cron jobs vulnerabilities" "T1053.003"
 # Function to check if a binary is writable and executable
 check_binary_perms() {
 local bin="$1"
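Review bot: The header `# Functions Used: echo_not_found, print_2title, print_info` of 7_Cron_jobs.sh omits `print_3title`, which the second hunk calls twice (`print_3title "Cron jobs list" "T1053.003"` and `print_3title "Checking for specific cron jobs vulnerabilities" "T1053.003"`); `# Functions Used: echo_not_found, print_2title, print_3title, print_info` keeps the header usable as a dependency list, if that is what the builder consumes it for. The `# Global Variables:` line likewise does not mention `$E`, `$SED_RED_YELLOW`, `$SED_LIGHT_CYAN`, `$SED_LIGHT_MAGENTA`, `$SED_BLUE` or `$SED_RED`, all read by the `crontab -l` pipeline in the same hunk. The enclosing `if ! [ "$SEARCH_IN_FOLDER" ]` block continues past the hunk.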
@@ -244,7 +242,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 # done
 #fi
 else
- print_2title "Cron jobs"
+ print_2title "Cron jobs" "T1053.003"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
 find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
 fi
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh
index 335ec24..63c7b87 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh
@@ -5,6 +5,7 @@
 # Description: Third party LaunchAgents & LaunchDemons and privilege escalation vectors
 # License: GNU GPL
 # Version: 1.1
+# Mitre: T1543.001
 # Functions Used: print_2title, print_info
 # Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 if [ "$MACPEAS" ]; then
- print_2title "Third party LaunchAgents & LaunchDemons"
+ print_2title "Third party LaunchAgents & LaunchDemons" "T1543.001"
 print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
 print_info "Checking for privilege escalation vectors in LaunchAgents & LaunchDaemons:"
 print_info "1. Writable plist files"
@@ -100,7 +101,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done
 echo ""
- print_2title "StartupItems"
+ print_2title "StartupItems" "T1543.001"
 print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
 for startup_dir in /Library/StartupItems/ /System/Library/StartupItems/; do
 [ ! -d "$startup_dir" ] && continue
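Review bot: Every section of 8_Macos_launch_agents_daemons.sh is tagged `T1543.001` (Launch Agent), but the sections in these hunks and the ones continued on the next line map to distinct ATT&CK entries: LaunchDaemons are `T1543.004`, StartupItems `T1037.005`, Login Items `T1547.015` and emond `T1546.014`, while periodic tasks have no sub-technique and fit the parent `T1053`. Listing them in the header as `# Mitre: T1543.001,T1543.004,T1037.005,T1547.015,T1546.014,T1053` and giving each `print_2title` its own ID (e.g. `print_2title "Login Items" "T1547.015"`) keeps the mapping usable for correlation instead of flattening five persistence mechanisms into one tag. The enclosing `if [ "$MACPEAS" ]` block starts and ends outside these hunks.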
@@ -114,7 +115,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done
 echo ""
- print_2title "Login Items"
+ print_2title "Login Items" "T1543.001"
 print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
 osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ", " "\n" | while read -r login_item; do
 if [ -n "$login_item" ]; then
@@ -128,7 +129,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done
 echo ""
- print_2title "SPStartupItemDataType"
+ print_2title "SPStartupItemDataType" "T1543.001"
 system_profiler SPStartupItemDataType 2>/dev/null | while read -r line; do
 if echo "$line" | grep -q "Location:"; then
 location=$(echo "$line" | cut -d: -f2- | xargs)
@@ -140,7 +141,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done
 echo ""
- print_2title "Emond scripts"
+ print_2title "Emond scripts" "T1543.001"
 print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
 if [ -d "/private/var/db/emondClients" ]; then
 find "/private/var/db/emondClients" -type f 2>/dev/null | while read -r emond_script; do
@@ -152,7 +153,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 fi
 echo ""
- print_2title "Periodic tasks"
+ print_2title "Periodic tasks" "T1543.001"
 print_info "Checking periodic tasks for privilege escalation vectors"
 for periodic_dir in /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly; do
 [ ! -d "$periodic_dir" ] && continue
diff --git a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh
index 0c9eebd..5aec9ab 100644
--- a/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh
+++ b/linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets/9_System_timers.sh
@@ -5,6 +5,7 @@
 # Description: System Timers and privilege escalation vectors
 # License: GNU GPL
 # Version: 1.2
+# Mitre: T1053.003
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
 # Global Variables: $SEARCH_IN_FOLDER, $timersG
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "System timers"
+ print_2title "System timers" "T1053.003"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
 # Function to check timer content for privilege escalation vectors
@@ -111,7 +112,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 }
 # List all timers and check for privilege escalation vectors
- print_3title "Active timers:"
+ print_3title "Active timers:" "T1053.003"
 systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | while read -r line; do # Extract timer unit name
 timer_unit=$(echo "$line" | awk '{print $1}')
@@ -131,7 +132,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done || echo_not_found
 # Check for disabled but available timers
- print_3title "Disabled timers:"
+ print_3title "Disabled timers:" "T1053.003"
 systemctl list-unit-files --type=timer --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
 timer_unit=$(echo "$line" | awk '{print $1}')
 if [ -n "$timer_unit" ]; then
@@ -144,7 +145,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 # Check timer files from PSTORAGE_TIMER
 if [ -n "$PSTORAGE_TIMER" ]; then
- print_3title "Additional timer files:"
+ print_3title "Additional timer files:" "T1053.003"
 printf "%s\n" "$PSTORAGE_TIMER" | while read -r timer_file; do
 if [ -n "$timer_file" ] && [ -e "$timer_file" ]; then
 check_timer_file "$timer_file"
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh b/linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh
index 08d9778..a35bae9 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh
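Review bot: systemd timers have their own ATT&CK sub-technique, `T1053.006` (Scheduled Task/Job: Systemd Timers); `T1053.003` is Cron, so the `# Mitre:` header and the four title calls in 9_System_timers.sh should read `T1053.006` (e.g. `print_2title "System timers" "T1053.006"`). The `# Global Variables: $SEARCH_IN_FOLDER, $timersG` header also omits `$PSTORAGE_TIMER`, which the last hunk reads. The enclosing `if ! [ "$SEARCH_IN_FOLDER" ]` block starts and ends outside these hunks.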
+++ b/linPEAS/builder/linpeas_parts/5_network_information/10_Macos_hardware_ports.sh
@@ -5,6 +5,7 @@
 # Description: Enumerate macOS hardware ports
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1016
 # Functions Used: print_2title
 # Global Variables: $EXTRA_CHECKS, $MACPEAS
 # Initial Functions:
@@ -14,27 +15,27 @@
 if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
- print_2title "Hardware Ports"
+ print_2title "Hardware Ports" "T1016"
 networksetup -listallhardwareports
 echo ""
- print_2title "VLANs"
+ print_2title "VLANs" "T1016"
 networksetup -listVLANs
 echo ""
- print_2title "Wifi Info"
+ print_2title "Wifi Info" "T1016"
 networksetup -getinfo Wi-Fi
 echo ""
- print_2title "Check Enabled Proxies"
+ print_2title "Check Enabled Proxies" "T1016"
 scutil --proxy
 echo ""
- print_2title "Wifi Proxy URL"
+ print_2title "Wifi Proxy URL" "T1016"
 networksetup -getautoproxyurl Wi-Fi
 echo ""
- print_2title "Wifi Web Proxy"
+ print_2title "Wifi Web Proxy" "T1016"
 networksetup -getwebproxy Wi-Fi
 echo ""
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
index 6a86560..87c8256 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/11_Internet_access.sh
@@ -5,6 +5,7 @@
 # Description: Check for internet access
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1016,T1590
 # Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, print_3title, print_info, check_external_hostname
 # Global Variables: $E
 # Initial Functions:
@@ -14,8 +15,7 @@
-print_2title "Internet Access?"
-
+print_2title "Internet Access?" "T1016,T1590"
 TIMEOUT_INTERNET_SECONDS=5
 if [ "$SUPERFAST" ]; then
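Review bot: `T1590` (Gather Victim Network Information) is a Reconnaissance-phase technique performed from outside the victim, so it does not describe an on-host connectivity check; `T1016.001` (System Network Configuration Discovery: Internet Connection Discovery) is the sub-technique that matches `print_2title "Internet Access?"` in 11_Internet_access.sh, and plain `T1016` suits the proxy-discovery section in the hunk continued on the next line. The `# Global Variables: $E` header also leaves out at least `$SUPERFAST`, `$NOT_CHECK_EXTERNAL_HOSTNAME` and `$SED_RED_YELLOW`, all read in these hunks. The last hunk ends inside `if [ "$SUPERFAST" ]; then`, whose body is outside the diff.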
@@ -44,13 +44,13 @@ wait 2>/dev/null
 if [ "$tcp443_bin_status" -eq 0 ] && \
 [ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
 echo ""
- print_2title "Is hostname malicious or leaked?"
+ print_2title "Is hostname malicious or leaked?" "T1016,T1590"
 print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
 check_external_hostname 2>/dev/null
 fi
 echo ""
-print_3title "Proxy discovery"
+print_3title "Proxy discovery" "T1016,T1590"
 print_info "Checking common proxy env vars and apt proxy config"
 (env | grep -iE '^(http|https|ftp|all)_proxy=|^no_proxy=') 2>/dev/null | sed -${E} "s,_proxy|no_proxy,${SED_RED_YELLOW},g"
 grep -RinE 'Acquire::(http|https)::Proxy|proxy' /etc/apt/apt.conf /etc/apt/apt.conf.d 2>/dev/null | sed -${E} "s,proxy|Acquire::http::Proxy|Acquire::https::Proxy,${SED_RED_YELLOW},g"
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh b/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
index 575b007..3ce4190 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/1_Network_interfaces.sh
@@ -5,6 +5,7 @@
 # Description: Check network interfaces
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1016
 # Functions Used: print_2title, print_3title
 # Global Variables: $E, $SED_RED_YELLOW
 # Initial Functions:
@@ -61,7 +62,7 @@ parse_network_interfaces() {
 fi
 }
-print_2title "Interfaces"
+print_2title "Interfaces" "T1016"
 cat /etc/networks 2>/dev/null
 # Try standard tools first, then fall back to our custom function
@@ -74,21 +75,21 @@ else
 fi
 if command -v ip >/dev/null 2>&1; then
- print_3title "Routing & policy quick view"
+ print_3title "Routing & policy quick view" "T1016"
 ip route 2>/dev/null
 ip -6 route 2>/dev/null | head -n 30
 echo ""
 ip rule 2>/dev/null
- print_3title "Virtual/overlay interfaces quick view"
+ print_3title "Virtual/overlay interfaces quick view" "T1016"
 ip -d link 2>/dev/null | grep -E "^[0-9]+:|veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale" | sed -${E} "s,veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale,${SED_RED_YELLOW},g"
- print_3title "Network namespaces quick view"
+ print_3title "Network namespaces quick view" "T1016"
 ip netns list 2>/dev/null
 ls -la /var/run/netns/ 2>/dev/null
 fi
-print_3title "Forwarding status"
+print_3title "Forwarding status" "T1016"
 sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
 echo ""
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh b/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
index 45e9a8d..7e3407b 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/2_Hostname_hosts_dns.sh
@@ -5,6 +5,7 @@
 # Description: Get hostname, hosts and DNS
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1016,T1018
 # Functions Used: print_2title, warn_exec
 # Global Variables:
 # Initial Functions:
@@ -14,7 +15,7 @@
 # Function to get hostname using multiple methods
 get_hostname_info() {
- print_3title "Hostname Information"
+ print_3title "Hostname Information" "T1016,T1018"
 # Try multiple methods to get hostname
 if command -v hostname >/dev/null 2>&1; then
 echo "System hostname: $(hostname 2>/dev/null)"
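Review bot: `# Functions Used: print_2title, warn_exec` in 2_Hostname_hosts_dns.sh does not list `print_3title`, although the hunks of this file call it from `get_hostname_info`, `get_hosts_info` and `get_dns_info` (the latter two continued on the next line); `# Functions Used: print_2title, print_3title, warn_exec` would be accurate, and matters if the builder resolves helper dependencies from this header. The `get_hostname_info` body runs past the hunk.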
@@ -33,7 +34,7 @@ get_hostname_info() {
 # Function to get hosts file information
 get_hosts_info() {
- print_3title "Hosts File Information"
+ print_3title "Hosts File Information" "T1016,T1018"
 if [ -f "/etc/hosts" ]; then
 echo "Contents of /etc/hosts:"
 grep -v "^#" /etc/hosts 2>/dev/null | grep -v "^$" | while read -r line; do
@@ -45,8 +46,7 @@ get_hosts_info() {
 # Function to get DNS information
 get_dns_info() {
- print_3title "DNS Configuration"
-
+ print_3title "DNS Configuration" "T1016,T1018"
 # Get resolv.conf information
 if [ -f "/etc/resolv.conf" ]; then
 echo "DNS Servers (resolv.conf):"
@@ -99,8 +99,7 @@ get_dns_info() {
 echo ""
 }
-print_2title "Hostname, hosts and DNS"
-
+print_2title "Hostname, hosts and DNS" "T1016,T1018"
 # Execute all information gathering functions
 get_hostname_info
 get_hosts_info
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh b/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
index 7f73695..e121f23 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/3_Network_neighbours.sh
@@ -5,6 +5,7 @@
 # Description: Networks and neighbours
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1018,T1040
 # Functions Used: print_2title, print_3title
 # Global Variables: $EXTRA_CHECKS, $MACPEAS
 # Initial Functions:
@@ -14,7 +15,7 @@
 # Function to parse routing information from /proc/net/route
 parse_proc_route() {
- print_3title "Routing Table (from /proc/net/route)"
+ print_3title "Routing Table (from /proc/net/route)" "T1018,T1040"
 echo "Destination Gateway Genmask Flags Metric Ref Use Iface"
 echo "--------------------------------------------------------------------------------"
 # Skip header line and process each route
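Review bot: `T1040` (Network Sniffing) does not describe 3_Network_neighbours.sh: reading `/proc/net/route`, `/proc/net/arp`, `netstat`/`arp -a` output and neighbour tables is passive configuration and host discovery, which ATT&CK covers with `T1016` (System Network Configuration Discovery) and `T1018` (Remote System Discovery). `# Mitre: T1016,T1018`, with the same pair in the title calls of this file (including the hunks continued on the next line), avoids mapping an enumeration script to a capture technique. The function bodies extend beyond the hunks.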
@@ -39,7 +40,7 @@ parse_proc_route() {
 # Function to parse ARP information from /proc/net/arp
 parse_proc_arp() {
- print_3title "ARP Table (from /proc/net/arp)"
+ print_3title "ARP Table (from /proc/net/arp)" "T1018,T1040"
 echo "IP address HW type Flags HW address Mask Device"
 echo "------------------------------------------------------------------------"
 # Skip header line and process each ARP entry
@@ -61,10 +62,9 @@ parse_proc_arp() {
 # Function to get network neighbors information
 get_network_neighbors() {
- print_2title "Networks and neighbours"
-
+ print_2title "Networks and neighbours" "T1018,T1040"
 # Get routing information
- print_3title "Routing Information"
+ print_3title "Routing Information" "T1018,T1040"
 if [ "$MACPEAS" ]; then # macOS specific
 if command -v netstat >/dev/null 2>&1; then
@@ -88,7 +88,7 @@ get_network_neighbors() {
 fi
 # Get ARP information
- print_3title "ARP Information"
+ print_3title "ARP Information" "T1018,T1040"
 if command -v arp >/dev/null 2>&1; then
 if [ "$MACPEAS" ]; then
 arp -a 2>/dev/null
@@ -102,8 +102,7 @@ get_network_neighbors() {
 fi
 # Additional neighbor discovery methods
- print_3title "Additional Neighbor Information"
-
+ print_3title "Additional Neighbor Information" "T1018,T1040"
 # Check for IPv6 neighbors if available
 if [ -f "/proc/net/ipv6_neigh" ]; then
 echo "IPv6 Neighbors:"
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
index 482308c..87734fa 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/4_Open_ports.sh
@@ -5,6 +5,7 @@
 # Description: Enumerate open ports
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1049
 # Functions Used: print_2title, print_3title, print_info
 # Global Variables: $E, $SED_RED, $SED_RED_YELLOW
 # Initial Functions:
@@ -43,7 +44,7 @@ parse_proc_net_ports() {
 local header_sep="--------------------------------------------------------------------------------"
 if [ -f "$proc_file" ]; then
- print_3title "Active $proto Ports (from /proc/net/$proto)"
+ print_3title "Active $proto Ports (from /proc/net/$proto)" "T1049"
 echo "$header"
 echo "$header_sep"
@@ -106,15 +107,15 @@ parse_proc_net_ports() {
 # Function to get open ports information
 get_open_ports() {
- print_2title "Active Ports"
+ print_2title "Active Ports" "T1049"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
 # Try standard tools first
 if command -v netstat >/dev/null 2>&1; then
- print_3title "Active Ports (netstat)"
+ print_3title "Active Ports (netstat)" "T1049"
 netstat -punta 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
 elif command -v ss >/dev/null 2>&1; then
- print_3title "Active Ports (ss)"
+ print_3title "Active Ports (ss)" "T1049"
 ss -nltpu 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
 else # Fallback to parsing /proc/net files
@@ -123,14 +124,14 @@ get_open_ports() {
 fi
 # Focused local service exposure view
- print_3title "Local-only listeners (loopback)"
+ print_3title "Local-only listeners (loopback)" "T1049"
 if command -v ss >/dev/null 2>&1; then
 ss -nltpu 2>/dev/null | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
 elif command -v netstat >/dev/null 2>&1; then
 netstat -punta 2>/dev/null | grep -i listen | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
 fi
- print_3title "Unique listener bind addresses"
+ print_3title "Unique listener bind addresses" "T1049"
 if command -v ss >/dev/null 2>&1; then
 ss -nltpuH 2>/dev/null | awk '{ a=$5
@@ -158,13 +159,12 @@ get_open_ports() {
 }' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
 fi
- print_3title "Potential local forwarders/relays"
+ print_3title "Potential local forwarders/relays" "T1049"
 ps aux 2>/dev/null | grep -E "[s]ocat|[s]sh .*(-L|-R|-D)|[n]cat|[n]c .*-l" | sed -${E} "s,socat|ssh|-L|-R|-D|ncat|nc,${SED_RED_YELLOW},g" # Additional port information
 if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
- print_3title "Additional Port Information"
-
+ print_3title "Additional Port Information" "T1049"
 # Check for listening ports in /proc/net/unix
 if [ -f "/proc/net/unix" ]; then
 echo "Unix Domain Sockets:"
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh b/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
index 3ad3330..b2f35c8 100644
--- a/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
+++ b/linPEAS/builder/linpeas_parts/5_network_information/5_Macos_network_capabilities.sh
@@ -5,6 +5,7 @@
 # Description: MacOS network Capabilities
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1016
 # Functions Used: print_2title, print_3title, warn_exec
 # Global Variables: $MACPEAS, $EXTRA_CHECKS
 # Initial Functions:
@@ -14,28 +15,27 @@ # Function to get network capabilities information get_macos_network_capabilities() { - print_2title "Network Capabilities" - + print_2title "Network Capabilities" "T1016" # Basic network information echo "" - print_3title "Network Interfaces and Configuration" + print_3title "Network Interfaces and Configuration" "T1016" warn_exec system_profiler SPNetworkDataType # Network locations echo "" - print_3title "Network Locations" + print_3title "Network Locations" "T1016" warn_exec system_profiler SPNetworkLocationDataType # Network extensions echo "" - print_3title "Network Extensions" + print_3title "Network Extensions" "T1016" if [ -d "/Library/SystemExtensions" ]; then warn_exec systemextensionsctl list fi # Network security echo "" - print_3title "Network Security" + print_3title "Network Security" "T1016" if command -v networksetup >/dev/null 2>&1; then echo "Firewall Status:" warn_exec networksetup -getglobalstate @@ -54,29 +54,29 @@ get_macos_network_capabilities() { if [ "$EXTRA_CHECKS" ]; then # Network preferences echo "" - print_3title "Network Preferences" + print_3title "Network Preferences" "T1016" if [ -f "/Library/Preferences/SystemConfiguration/preferences.plist" ]; then warn_exec plutil -p /Library/Preferences/SystemConfiguration/preferences.plist | grep -A 5 "NetworkServices" fi # Network statistics echo "" - print_3title "Network Statistics" + print_3title "Network Statistics" "T1016" warn_exec netstat -s # Network routes echo "" - print_3title "Network Routes" + print_3title "Network Routes" "T1016" warn_exec netstat -rn # Network interfaces details echo "" - print_3title "Network Interfaces Details" + print_3title "Network Interfaces Details" "T1016" warn_exec ifconfig -a # Network kernel extensions echo "" - print_3title "Network Kernel Extensions" + print_3title "Network Kernel Extensions" "T1016" warn_exec kextstat | grep -i network fi 
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh b/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh index 7eab11c..92beba1 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/6_Macos_network_services.sh @@ -5,6 +5,7 @@ # Description: Enumerate macos network services # License: GNU GPL # Version: 1.0 +# Mitre: T1016 # Functions Used: print_2title, print_3title, warn_exec # Global Variables: $EXTRA_CHECKS, $MACPEAS, $E, $SED_RED # Initial Functions: @@ -25,8 +26,7 @@ check_listening_port() { # Function to get sharing services status get_sharing_services_status() { - print_2title "MacOS Sharing Services Status" - + print_2title "MacOS Sharing Services Status" "T1016" # Define services and their ports using parallel arrays services="Screen Sharing File Sharing Remote Login Remote Management Remote Apple Events Back to My Mac AirPlay Receiver AirDrop Bonjour Printer Sharing Internet Sharing" ports="5900 88,445,548 22 3283 3031 4488 7000 5353 5353 515,631 67,68" @@ -77,8 +77,7 @@ get_sharing_services_status() { # Function to get VPN information get_vpn_info() { - print_3title "VPN Information" - + print_3title "VPN Information" "T1016" # Get VPN configurations warn_exec system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},g" @@ -95,8 +94,7 @@ get_vpn_info() { # Function to get firewall information get_firewall_info() { - print_3title "Firewall Information" - + print_3title "Firewall Information" "T1016" # Get firewall status warn_exec system_profiler SPFirewallDataType 
@@ -117,8 +115,7 @@ get_firewall_info() { # Function to get additional network information get_additional_network_info() { if [ "$EXTRA_CHECKS" ]; then - print_3title "Additional Network Information" - + print_3title "Additional Network Information" "T1016" # Bluetooth information echo "Bluetooth Status:" warn_exec system_profiler SPBluetoothDataType diff --git a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh index 37c3b3b..c169b91 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/7_Tcpdump.sh @@ -5,6 +5,7 @@ # Description: Check network traffic analysis capabilities and tools # License: GNU GPL # Version: 1.0 +# Mitre: T1040 # Functions Used: print_2title, print_3title, print_info, warn_exec # Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_RED_YELLOW # Initial Functions: @@ -52,11 +53,10 @@ check_promiscuous_mode() { # Main function to check network traffic analysis capabilities check_network_traffic_analysis() { - print_2title "Network Traffic Analysis Capabilities" - + print_2title "Network Traffic Analysis Capabilities" "T1040" # Check for sniffing tools echo "" - print_3title "Available Sniffing Tools" + print_3title "Available Sniffing Tools" "T1040" tools_found=0 if check_command tcpdump; then @@ -116,7 +116,7 @@ check_network_traffic_analysis() { # Check network interfaces echo "" - print_3title "Network Interfaces Sniffing Capabilities" + print_3title "Network Interfaces Sniffing Capabilities" "T1040" interfaces_found=0 # Get list of network interfaces 
@@ -161,7 +161,7 @@ check_network_traffic_analysis() { # Check for sensitive traffic patterns if we have sniffing capabilities if [ $tools_found -eq 1 ] && [ $interfaces_found -eq 1 ]; then echo "" - print_3title "Sensitive Traffic Detection" + print_3title "Sensitive Traffic Detection" "T1040" print_info "Checking for common sensitive traffic patterns..." # List of sensitive traffic patterns to check @@ -193,14 +193,13 @@ check_network_traffic_analysis() { fi echo "" - print_3title "Running sniffing/traffic reconstruction processes" + print_3title "Running sniffing/traffic reconstruction processes" "T1040" ps aux 2>/dev/null | grep -E "[t]cpdump|[d]umpcap|[t]shark|[w]ireshark|[n]grep|[t]cpflow" | sed -${E} "s,.*,${SED_RED_YELLOW},g" # Additional information if [ "$EXTRA_CHECKS" ]; then echo "" - print_3title "Additional Network Analysis Information" - + print_3title "Additional Network Analysis Information" "T1040" # Check for network monitoring tools echo "Checking for network monitoring tools..." for tool in nethogs iftop iotop nload bmon; do diff --git a/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh b/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh index d06dd2c..516d6ac 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/8_Iptables.sh @@ -5,6 +5,7 @@ # Description: Analyze firewall rules and configurations # License: GNU GPL # Version: 1.0 +# Mitre: T1016 # Functions Used: print_2title, print_3title, warn_exec, echo_not_found # Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW, $SED_RED_YELLOW # Initial Functions: @@ -26,8 +27,7 @@ check_command() { # Function to analyze iptables rules analyze_iptables() { echo "" - print_3title "Iptables Rules" - + print_3title "Iptables Rules" "T1016" # Check if iptables is available if ! check_command iptables; then echo_not_found "iptables" 
@@ -70,8 +70,7 @@ analyze_iptables() { # Function to analyze nftables rules analyze_nftables() { echo "" - print_3title "Nftables Rules" - + print_3title "Nftables Rules" "T1016" # Check if nft is available if ! check_command nft; then echo_not_found "nftables" @@ -107,8 +106,7 @@ analyze_nftables() { # Function to analyze firewalld rules analyze_firewalld() { echo "" - print_3title "Firewalld Rules" - + print_3title "Firewalld Rules" "T1016" # Check if firewall-cmd is available if ! check_command firewall-cmd; then echo_not_found "firewalld" @@ -148,8 +146,7 @@ analyze_firewalld() { # Function to analyze UFW rules analyze_ufw() { echo "" - print_3title "UFW Rules" - + print_3title "UFW Rules" "T1016" # Check if ufw is available if ! check_command ufw; then echo_not_found "ufw" @@ -176,8 +173,7 @@ analyze_ufw() { # Main function to analyze firewall rules analyze_firewall_rules() { - print_2title "Firewall Rules Analysis" - + print_2title "Firewall Rules Analysis" "T1016" # Analyze different firewall systems analyze_iptables analyze_nftables @@ -185,7 +181,7 @@ analyze_firewall_rules() { analyze_ufw echo "" - print_3title "Forwarding and rp_filter" + print_3title "Forwarding and rp_filter" "T1016" for sysctl_var in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do sysctl "$sysctl_var" 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g" done @@ -198,8 +194,7 @@ analyze_firewall_rules() { # Additional checks if EXTRA_CHECKS is enabled if [ "$EXTRA_CHECKS" ]; then echo "" - print_3title "Additional Firewall Information" - + print_3title "Additional Firewall Information" "T1016" # Check for common firewall configuration files echo "Checking for firewall configuration files..." for config_file in /etc/sysconfig/iptables /etc/sysconfig/ip6tables /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/nftables.conf /etc/ufw/user.rules /etc/ufw/user6.rules; do 
diff --git a/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh b/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh index 885c5c1..758f2fd 100644 --- a/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh +++ b/linPEAS/builder/linpeas_parts/5_network_information/9_Inetdconf.sh @@ -5,6 +5,7 @@ # Description: Analyze inetd and xinetd services and configurations # License: GNU GPL # Version: 1.0 +# Mitre: T1049 # Functions Used: print_2title, print_3title, warn_exec, echo_not_found # Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW # Initial Functions: @@ -26,8 +27,7 @@ check_command() { # Function to analyze inetd services analyze_inetd() { echo "" - print_3title "Inetd Services" - + print_3title "Inetd Services" "T1049" # Check if inetd is installed if ! check_command inetd; then echo_not_found "inetd" @@ -67,8 +67,7 @@ analyze_inetd() { # Function to analyze xinetd services analyze_xinetd() { echo "" - print_3title "Xinetd Services" - + print_3title "Xinetd Services" "T1049" # Check if xinetd is installed if ! check_command xinetd; then echo_not_found "xinetd" @@ -129,8 +128,7 @@ analyze_xinetd() { # Function to check for running inetd/xinetd services check_running_services() { echo "" - print_3title "Running Inetd/Xinetd Services" - + print_3title "Running Inetd/Xinetd Services" "T1049" # Check netstat for services if check_command netstat; then echo "Active Services (from netstat):" @@ -152,8 +150,7 @@ check_running_services() { # Main function to analyze inetd/xinetd services analyze_inetd_services() { - print_2title "Inetd/Xinetd Services Analysis" - + print_2title "Inetd/Xinetd Services Analysis" "T1049" # Analyze inetd and xinetd services analyze_inetd analyze_xinetd 
@@ -164,8 +161,7 @@ analyze_inetd_services() { # Additional checks if EXTRA_CHECKS is enabled if [ "$EXTRA_CHECKS" ]; then echo "" - print_3title "Additional Inetd/Xinetd Information" - + print_3title "Additional Inetd/Xinetd Information" "T1049" # Check for inetd/xinetd logs echo "Checking for service logs..." for log_file in /var/log/inetd.log /var/log/xinetd.log /var/log/messages /var/log/syslog; do diff --git a/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh b/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh index c2be55e..d88f18e 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/10_Pkexec.sh @@ -5,6 +5,7 @@ # Description: Check Pkexec policy and related files for privilege escalation # License: GNU GPL # Version: 1.0 +# Mitre: T1548.003,T1548.004,T1068 # Functions Used: print_2title, print_info # Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER # Initial Functions: @@ -13,11 +14,11 @@ # Small linpeas: 1 -print_2title "Checking Pkexec and Polkit" +print_2title "Checking Pkexec and Polkit" "T1548.003,T1548.004,T1068" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2" echo "" -print_3title "Polkit Binary" +print_3title "Polkit Binary" "T1548.003,T1068" # Check pkexec binary pkexec_bin=$(command -v pkexec 2>/dev/null) if [ -n "$pkexec_bin" ]; then @@ -39,7 +40,7 @@ fi # Check polkit policies echo "" -print_3title "Polkit Policies" +print_3title "Polkit Policies" "T1548.003" for policy_dir in "/etc/polkit-1/localauthority.conf.d/" "/etc/polkit-1/rules.d/" "/usr/share/polkit-1/rules.d/"; do if [ -d "$policy_dir" ]; then echo "Checking $policy_dir:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g" 
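Review bot: The `T1548.004` in `print_2title "Checking Pkexec and Polkit" "T1548.003,T1548.004,T1068"` (and on `print_3title "Polkit Authentication Agent" "T1548.004"` in the `@@ -59,6 +60,6 @@` hunk of the same file) may not resolve the way the rest of this change intends: in ATT&CK, T1548.004 (Elevated Execution with Prompt) is scoped to macOS authorization prompts, so a consumer matching these IDs against the framework for Linux hosts will not find a fitting entry. pkexec is a setuid-root binary, so T1548.001 (Setuid and Setgid) is arguably the closer Linux sub-technique alongside the T1068 already present, with T1548.003 reserved for the sudo checks. Whether the project deliberately reuses T1548.004 for the polkit agent is not visible from the diff, so this is worth confirming before the IDs are consumed downstream.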
@@ -59,6 +60,6 @@ done # Check for polkit authentication agent echo "" -print_3title "Polkit Authentication Agent" +print_3title "Polkit Authentication Agent" "T1548.004" ps aux 2>/dev/null | grep -i "polkit" | grep -v "grep" echo "" diff --git a/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh b/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh index e9629c4..3e8a78b 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/11_Superusers.sh @@ -5,6 +5,7 @@ # Description: Check for superusers and users with UID 0 # License: GNU GPL # Version: 1.0 +# Mitre: T1087.001 # Functions Used: print_2title, print_info # Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER # Initial Functions: @@ -13,12 +14,12 @@ # Small linpeas: 1 -print_2title "Superusers and UID 0 Users" +print_2title "Superusers and UID 0 Users" "T1087.001" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html" # Check /etc/passwd for UID 0 users echo "" -print_3title "Users with UID 0 in /etc/passwd" +print_3title "Users with UID 0 in /etc/passwd" "T1087.001" awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g" if [ command -v getent >/dev/null 2>&1 ]; then @@ -32,6 +33,6 @@ fi # Check for users with sudo privileges in sudoers echo "" -print_3title "Users with sudo privileges in sudoers" +print_3title "Users with sudo privileges in sudoers" "T1087.001" grep -v "^#" /etc/sudoers 2>/dev/null | grep -v "^$" | grep -v "^Defaults" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g" echo "" 
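Review bot: The context line `if [ command -v getent >/dev/null 2>&1 ]; then` in the `@@ -13,12 +14,12 @@` hunk never takes the getent branch: inside `[ ... ]` the words `command -v getent` are test operands rather than a command, the redirections apply to `[` itself, and the malformed test evaluates to an error status, so the UID-0 check via getent is silently skipped. The other files in this change use the working form, e.g. `if command -v w >/dev/null 2>&1; then` in 14_Login_now.sh; this line should read `if command -v getent >/dev/null 2>&1; then`. The body of that branch lies outside the hunk.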
diff --git a/linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh b/linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh index 0702ad7..e92b13b 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/12_Users_with_console.sh @@ -5,6 +5,7 @@ # Description: Users with console # License: GNU GPL # Version: 1.0 +# Mitre: T1087.001 # Functions Used: print_2title # Global Variables: $MACPEAS, $sh_usrs, $TIMEOUT, $USER # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "Users with console" +print_2title "Users with console" "T1087.001" if [ "$MACPEAS" ]; then dscl . list /Users | while read un; do ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2) diff --git a/linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh b/linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh index 7088bf5..9f0350d 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/13_Users_groups.sh @@ -5,6 +5,7 @@ # Description: Get all users & groups # License: GNU GPL # Version: 1.0 +# Mitre: T1087.001,T1069.001 # Functions Used: print_2title # Global Variables: $groupsB, $groupsVB, $knw_grps, $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "All users & groups" +print_2title "All users & groups" "T1087.001,T1069.001" if [ "$MACPEAS" ]; then dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" else 
diff --git a/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh b/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
index 9dad2b9..766b279 100644
--- a/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
+++ b/linPEAS/builder/linpeas_parts/6_users_information/14_Login_now.sh
@@ -5,6 +5,7 @@
 # Description: Check currently logged in users and their sessions
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1033
 # Functions Used: print_2title
 # Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
@@ -13,44 +14,43 @@ # Small linpeas: 1 -print_2title "Currently Logged in Users" - +print_2title "Currently Logged in Users" "T1033" # Check basic user information echo "" -print_3title "Basic user information" +print_3title "Basic user information" "T1033" (w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" # Check for active sessions echo "" -print_3title "Active sessions" +print_3title "Active sessions" "T1033" if command -v w >/dev/null 2>&1; then w 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi # Check for logged in users via utmp echo "" -print_3title "Logged in users (utmp)" +print_3title "Logged in users (utmp)" "T1033" if [ -f "/var/run/utmp" ]; then who -a 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi # Check for SSH sessions echo "" -print_3title "SSH sessions" +print_3title "SSH sessions" "T1033" if command -v ss >/dev/null 2>&1; then ss -tnp | grep ":22" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi # Check for screen sessions echo "" -print_3title "Screen sessions" +print_3title "Screen sessions" "T1033" if command -v screen >/dev/null 2>&1; then screen -ls 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi # Check for tmux sessions echo 
"" -print_3title "Tmux sessions" +print_3title "Tmux sessions" "T1033" if command -v tmux >/dev/null 2>&1; then tmux list-sessions 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi diff --git a/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh b/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh index 2971c67..2f432db 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/15_Last_logons.sh @@ -5,6 +5,7 @@ # Description: Check last logons and login history # License: GNU GPL # Version: 1.0 +# Mitre: T1033 # Functions Used: print_2title # Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER # Initial Functions: 
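Review bot: In the `SSH sessions` block of the `@@ -13,44 +14,43 @@` hunk, `ss -tnp | grep ":22" 2>/dev/null` attaches the stderr redirection to `grep`, so any warning `ss -p` emits (it commonly does when run unprivileged) still reaches the report; it should be `ss -tnp 2>/dev/null | grep -E ":22[[:space:]]"`. The tighter pattern also stops ports such as 2222 or 22xx from being reported as SSH sessions, which the bare `":22"` currently allows. The same redirection placement is used nowhere else in this hunk, so the fix is local to that line.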
@@ -12,25 +13,24 @@ # Fat linpeas: 0 # Small linpeas: 1 -print_2title "Last Logons and Login History" - +print_2title "Last Logons and Login History" "T1033" # Check last logins echo "" -print_3title "Last logins" +print_3title "Last logins" "T1033" if command -v last >/dev/null 2>&1; then last -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi # Check failed login attempts echo "" -print_3title "Failed login attempts" +print_3title "Failed login attempts" "T1033" if command -v lastb >/dev/null 2>&1; then lastb -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi # Check auth logs for recent logins echo "" -print_3title "Recent logins from auth.log (limit 20)" +print_3title "Recent logins from auth.log (limit 20)" "T1033" if [ -f "/var/log/auth.log" ]; then grep -i "login\|authentication\|accepted" /var/log/auth.log 2>/dev/null | tail -n 20 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g" fi @@ -38,7 +38,7 @@ fi # Last time logon each user echo "" if command -v lastlog >/dev/null 2>&1; then - print_3title "Last time logon each user" + print_3title "Last time logon each user" "T1033" lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," fi diff --git a/linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh b/linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh index 9a3b69e..038c678 100644 
--- a/linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/17_Password_policy.sh @@ -5,6 +5,7 @@ # Description: Get assword policy # License: GNU GPL # Version: 1.0 +# Mitre: T1201 # Functions Used: echo_not_found, print_2title # Global Variables: $EXTRA_CHECKS, $MACPEAS # Initial Functions: @@ -14,16 +15,16 @@ if [ "$EXTRA_CHECKS" ]; then - print_2title "Password policy" + print_2title "Password policy" "T1201" grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs" echo "" if [ "$MACPEAS" ]; then - print_2title "Relevant last user info and user configs" + print_2title "Relevant last user info and user configs" "T1201" defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null echo "" - print_2title "Guest user status" + print_2title "Guest user status" "T1201" sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN}," diff --git a/linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh b/linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh index c2a0229..7cf14eb 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/18_Brute_su.sh @@ -5,6 +5,7 @@ # Description: Brute su # License: GNU GPL # Version: 1.0 +# Mitre: T1110.001 # Functions Used: check_if_su_brute, print_2title, su_brute_user_num # Global Variables: $IAMROOT, $PASSTRY, $TIMEOUT # Initial Functions: 
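Review bot: The context line `# Description: Get assword policy` in the header hunk `@@ -5,6 +5,7 @@` has a typo right above the new `# Mitre: T1201` line. Since this commit touches every module header anyway, it should read `# Description: Get password policy`.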
diff --git a/linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh b/linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh index 63c2290..559afd5 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/1_Macos_my_user_hooks.sh @@ -5,6 +5,7 @@ # Description: Get current user Login and Logout hooks # License: GNU GPL # Version: 1.0 +# Mitre: T1033,T1543.001 # Functions Used: print_2title # Global Variables: $HOME, $MACPEAS # Initial Functions: @@ -14,7 +15,7 @@ if [ "$MACPEAS" ];then - print_2title "Current user Login and Logout hooks" + print_2title "Current user Login and Logout hooks" "T1033,T1543.001" defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook" echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh b/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh index 2f1b23a..21be577 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/1_My_user.sh @@ -5,6 +5,7 @@ # Description: My User # License: GNU GPL # Version: 1.0 +# Mitre: T1033 # Functions Used: print_2title, print_info # Global Variables: $groupsB, $groupsVB, $idB, $knw_grps , $knw_usrs, $nosh_usrs,$sh_usrs, $USER # Initial Functions: 
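Review bot: `print_2title "Current user Login and Logout hooks" "T1033,T1543.001"` (together with this file's `# Mitre:` header, and `print_2title "All Login and Logout hooks" "T1543.001"` in 2_Macos_user_hooks.sh) tags loginwindow LoginHook/LogoutHook entries with T1543.001, which is Launch Agent; ATT&CK has a dedicated sub-technique for exactly these hooks, T1037.002 (Login Hook), under Boot or Logon Initialization Scripts. If the IDs are meant to be resolved against the framework, `"T1033,T1037.002"` here and `"T1037.002"` in 2_Macos_user_hooks.sh would be the accurate mapping for both the title calls and the `# Mitre:` headers. Whether the project intentionally groups hooks under launch agents is not visible from the diff.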
@@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "My user" +print_2title "My user" "T1033" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users" (id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g" echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh b/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh index 55c0ac1..166fa4b 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/2_Macos_user_hooks.sh @@ -5,6 +5,7 @@ # Description: Enumerate all users login and logout hooks # License: GNU GPL # Version: 1.0 +# Mitre: T1543.001 # Functions Used: print_2title # Global Variables: $MACPEAS # Initial Functions: @@ -14,7 +15,7 @@ if [ "$MACPEAS" ];then - print_2title "All Login and Logout hooks" + print_2title "All Login and Logout hooks" "T1543.001" for user_home in /Users/*/ /private/var/root/; do if [ -f "${user_home}Library/Preferences/com.apple.loginwindow.plist" ]; then echo "User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g" diff --git a/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh b/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh index 7fbda0d..b1b2165 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/3_Macos_keychains.sh 
@@ -5,6 +5,7 @@ # Description: Get macOS keychains information # License: GNU GPL # Version: 1.0 +# Mitre: T1555.001 # Functions Used: print_2title, print_info # Global Variables: $MACPEAS # Initial Functions: @@ -14,7 +15,7 @@ if [ "$MACPEAS" ];then - print_2title "Keychains" + print_2title "Keychains" "T1555.001" print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker" echo "System Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g" security list-keychains 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" diff --git a/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh b/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh index b357cea..1772eed 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/4_Macos_systemkey.sh @@ -5,6 +5,7 @@ # Description: Get macOS SystemKey information (used for FileVault encryption) # License: GNU GPL # Version: 1.0 +# Mitre: T1555.001 # Functions Used: print_2title # Global Variables: $MACPEAS # Initial Functions: @@ -14,7 +15,7 @@ if [ "$MACPEAS" ];then - print_2title "SystemKey" + print_2title "SystemKey" "T1555.001" echo "The SystemKey is used by FileVault to encrypt/decrypt the volume. If you can read it, you might be able to decrypt the disk." echo -e "\nSystemKey file permissions:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g" ls -l /var/db/SystemKey 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g" diff --git a/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh b/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh index 976bb5e..cec023d 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/5_Pgp_keys.sh 
@@ -5,6 +5,7 @@ # Description: Check for PGP keys and related files that might contain sensitive information # License: GNU GPL # Version: 1.0 +# Mitre: T1552.004 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $HOME # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "PGP Keys and Related Files" +print_2title "PGP Keys and Related Files" "T1552.004" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys" # Check for GPG diff --git a/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh b/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh index ab6b2b9..8332638 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/6_Clipboard_highlighted_text.sh @@ -5,6 +5,7 @@ # Description: Check clipboard and highlighted text for sensitive information # License: GNU GPL # Version: 1.0 +# Mitre: T1115 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $DEBUG, $pwd_inside_history # Initial Functions: @@ -14,7 +15,7 @@ if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then - print_2title "Clipboard and Highlighted Text" + print_2title "Clipboard and Highlighted Text" "T1115" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#clipboard" # Function to check clipboard content diff --git a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh index 2c4bff5..ae1ec24 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh 
@@ -5,6 +5,7 @@ # Description: Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d # License: GNU GPL # Version: 1.0 +# Mitre: T1548.003 # Functions Used: echo_not_found, print_2title, print_info # Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2 # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" +print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" "T1548.003" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid" (echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo" if [ "$PASSWORD" ]; then diff --git a/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh b/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh index 5aa9fed..7c08a25 100644 --- a/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/8_Sudo_tokens.sh @@ -5,6 +5,7 @@ # Description: Checking Sudo tokens # License: GNU GPL # Version: 1.0 +# Mitre: T1548.003 # Functions Used: print_2title, print_info # Global Variables: $HOME, $CURRENT_USER_PIVOT_PID # Initial Functions: get_current_user_privot_pid @@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "Checking sudo tokens" +print_2title "Checking sudo tokens" "T1548.003" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens" ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)" if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then diff --git a/linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh b/linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh index 222c0bb..e8e0a90 100644 
--- a/linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh +++ b/linPEAS/builder/linpeas_parts/6_users_information/9_Doas.sh @@ -5,6 +5,7 @@ # Description: Check doas configuration and permissions for privilege escalation # License: GNU GPL # Version: 1.0 +# Mitre: T1548.003 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $DEBUG, $nosh_usrs, $sh_usrs, $USER # Initial Functions: @@ -14,7 +15,7 @@ if [ -f "/etc/doas.conf" ] || [ -f "/usr/local/etc/doas.conf" ] || [ "$DEBUG" ]; then - print_2title "Doas Configuration" + print_2title "Doas Configuration" "T1548.003" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#doas" # Find doas binary and its config locations diff --git a/linPEAS/builder/linpeas_parts/7_software_information/1_Useful_software.sh b/linPEAS/builder/linpeas_parts/7_software_information/1_Useful_software.sh index 001bb2e..fff0b41 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/1_Useful_software.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/1_Useful_software.sh @@ -5,6 +5,7 @@ # Description: Useful Software # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER, $USEFUL_SOFTWARE # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Useful software" + print_2title "Useful software" "T1082" for t in $USEFUL_SOFTWARE; do command -v "$t" || echo -n ''; done echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/7_software_information/2_Compilers.sh b/linPEAS/builder/linpeas_parts/7_software_information/2_Compilers.sh index d6a037d..eb46d3d 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/2_Compilers.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/2_Compilers.sh 
@@ -5,6 +5,7 @@ # Description: Search for compilers # License: GNU GPL # Version: 1.0 +# Mitre: T1587.001 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: @@ -14,18 +15,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Installed Compilers" + print_2title "Installed Compilers" "T1587.001" (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"); echo "" if [ "$(command -v pkg 2>/dev/null || echo -n '')" ]; then - print_2title "Vulnerable Packages" + print_2title "Vulnerable Packages" "T1587.001" pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g" echo "" fi if [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then - print_2title "Brew Installed Packages" + print_2title "Brew Installed Packages" "T1587.001" brew list echo "" fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/3_Macos_writable_installed_apps.sh b/linPEAS/builder/linpeas_parts/7_software_information/3_Macos_writable_installed_apps.sh index 08033c4..3338e10 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/3_Macos_writable_installed_apps.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/3_Macos_writable_installed_apps.sh @@ -5,6 +5,7 @@ # Description: Writable Installed Applications # License: GNU GPL # Version: 1.0 +# Mitre: T1574 # Functions Used: print_2title # Global Variables: $MACPEAS # Initial Functions: @@ -14,7 +15,7 @@ if [ "$MACPEAS" ]; then - print_2title "Writable Installed Applications" + print_2title "Writable Installed Applications" "T1574" system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do if [ -w "$f" ]; then echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g" 
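Review bot: `print_2title "Installed Compilers" "T1587.001"` (and the `# Mitre: T1587.001` header) uses Develop Capabilities: Malware, a pre-compromise resource-development technique describing the adversary building tooling off-target, for an on-host discovery check; the same ID is then copied onto `Vulnerable Packages` (pkg audit) and `Brew Installed Packages`, which are plain package enumeration. For checks that list what is installed on the target, Software Discovery (T1518) or System Information Discovery (T1082, as this diff already uses for 1_Useful_software.sh) is the fitting label. The same copy-one-ID-per-file pattern appears in Mysql.sh, where `print_2title "MySQL version" "T1552.001"` tags a version check as credentials-in-files; the mapping should follow what each section checks, not the file it lives in.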
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Apache_nginx.sh b/linPEAS/builder/linpeas_parts/7_software_information/Apache_nginx.sh index 73dab21..530e60c 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Apache_nginx.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Apache_nginx.sh @@ -5,6 +5,7 @@ # Description: Apache-Nginx # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_3title, warn_exec # Global Variables: $NGINX_KNOWN_MODULES # Initial Functions: diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Awsvault.sh b/linPEAS/builder/linpeas_parts/7_software_information/Awsvault.sh index f2dc5d3..13930d7 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Awsvault.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Awsvault.sh @@ -5,6 +5,7 @@ # Description: Check aws-vault # License: GNU GPL # Version: 1.0 +# Mitre: T1552.005 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: @@ -15,6 +16,6 @@ AWSVAULT="$(command -v aws-vault 2>/dev/null || echo -n '')" if [ "$AWSVAULT" ] || [ "$DEBUG" ]; then - print_2title "Check aws-vault" + print_2title "Check aws-vault" "T1552.005" aws-vault list fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh b/linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh index 85f9d02..8d8f201 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Browser_profiles.sh @@ -5,6 +5,7 @@ # Description: List browser profiles that may store credentials/cookies # License: GNU GPL # Version: 1.0 +# Mitre: T1539,T1217 # Functions Used: print_2title, print_3title, print_info # Global Variables: $HOMESEARCH, $SED_RED # Initial Functions: 
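Review bot: Apache_nginx.sh gets a `# Mitre: T1552.001` header but no title call in the file is updated, although its header lists print_3title and the Ssh.sh hunks below show print_3title now takes the technique ID as a second argument; Extra_software.sh (print_3title) and Tmux.sh (print_2title) follow the same header-only pattern, and each of those three diffs consists solely of the header hunk. If the builder reads `# Mitre:` and injects the ID itself, the per-call argument used elsewhere is redundant; if it does not, these three modules print no technique ID at runtime while Screen_sessions.sh, which shares Tmux.sh's T1563, does. Whichever is authoritative should be stated once, e.g. `# Mitre: technique IDs; must match the IDs passed to print_2title/print_3title below` on the header line, and the missing arguments added or the redundancy removed.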
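Review bot: `print_2title "Check aws-vault" "T1552.005"` (and the matching `# Mitre: T1552.005` header) labels aws-vault with Unsecured Credentials: Cloud Instance Metadata API, but aws-vault is a local credential store that this section queries with `aws-vault list`, not the instance metadata endpoint. T1552.005 is specifically the technique for reading credentials from the metadata service; a local vault/keyring of AWS profiles fits Credentials from Password Stores (T1555) or Credentials in Files (T1552.001). Worth correcting in both places before detection-content consumers start keying on the ID.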
@@ -12,7 +13,7 @@ # Fat linpeas: 0 # Small linpeas: 1 -print_2title "Browser Profiles" +print_2title "Browser Profiles" "T1539,T1217" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data" echo "" @@ -22,7 +23,7 @@ for h in $HOMESEARCH; do firefox_ini="$h/.mozilla/firefox/profiles.ini" if [ -f "$firefox_ini" ]; then - print_3title "Firefox profiles ($h)" + print_3title "Firefox profiles ($h)" "T1539,T1217" awk -F= ' /^\[Profile/ { in_profile=1 } /^Path=/ { path=$2 } @@ -54,7 +55,7 @@ for h in $HOMESEARCH; do if [ -d "$chrome_base" ]; then profiles=$(find "$chrome_base" -maxdepth 1 -type d \( -name "Default" -o -name "Profile *" \) 2>/dev/null) if [ "$profiles" ]; then - print_3title "Chromium profiles ($chrome_base)" + print_3title "Chromium profiles ($chrome_base)" "T1539,T1217" printf "%s\n" "$profiles" | sed -${E} "s,.*,${SED_RED}," echo "" fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Cached_AD_hashes.sh b/linPEAS/builder/linpeas_parts/7_software_information/Cached_AD_hashes.sh index 4dca8cf..244065a 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Cached_AD_hashes.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Cached_AD_hashes.sh @@ -5,6 +5,7 @@ # Description: Cached AD Hashes # License: GNU GPL # Version: 1.0 +# Mitre: T1003.003 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: @@ -15,7 +16,7 @@ adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null) if [ "$adhashes" ] || [ "$DEBUG" ]; then - print_2title "Searching AD cached hashes" + print_2title "Searching AD cached hashes" "T1003.003" ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null echo "" fi \ No newline at end of file 
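Review bot: `# Mitre: T1003.003` and `print_2title "Searching AD cached hashes" "T1003.003"` map this check to OS Credential Dumping: NTDS, which is the domain controller's NTDS.dit database; the files listed in the hunk (samba secrets.tdb/passdb.tdb, the VAS authcache and the sssd cache) are locally cached domain credentials on a member host, which ATT&CK files under T1003.005 (Cached Domain Credentials). Suggest changing both occurrences to T1003.005 so the ID matches what the section actually enumerates.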
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh b/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh index bebb984..dafc47a 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Containerd.sh @@ -5,6 +5,7 @@ # Description: containerd installed # License: GNU GPL # Version: 1.0 +# Mitre: T1613 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $SEARCH_IN_FOLDER # Initial Functions: @@ -16,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then containerd=$(command -v ctr || echo -n '') if [ "$containerd" ] || [ "$DEBUG" ]; then - print_2title "Checking if containerd(ctr) is available" + print_2title "Checking if containerd(ctr) is available" "T1613" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation" if [ "$containerd" ]; then echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh b/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh index faaad8a..da32b23 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Docker.sh @@ -5,6 +5,7 @@ # Description: Docker # License: GNU GPL # Version: 1.0 +# Mitre: T1613 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $IAMROOT # Initial Functions: @@ -14,7 +15,7 @@ if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then - print_2title "Searching docker files (limit 70)" + print_2title "Searching docker files (limit 70)" "T1613" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation" printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do ls -l "$f" 2>/dev/null 
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Dovecot.sh b/linPEAS/builder/linpeas_parts/7_software_information/Dovecot.sh index 98fa471..d7205b7 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Dovecot.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Dovecot.sh @@ -5,6 +5,7 @@ # Description: Dovecot # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: echo_not_found, print_2title # Global Variables: $DEBUG # Initial Functions: @@ -16,7 +17,7 @@ # Needs testing dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null) if [ "$dovecotpass" ] || [ "$DEBUG" ]; then - print_2title "Searching dovecot files" + print_2title "Searching dovecot files" "T1552.001" if [ -z "$dovecotpass" ]; then echo_not_found "dovecot credentials" else diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Extra_software.sh b/linPEAS/builder/linpeas_parts/7_software_information/Extra_software.sh index e5c7754..9d91c73 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Extra_software.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Extra_software.sh @@ -5,6 +5,7 @@ # Description: Add all the extra software checks from build_lists/sensitive_files.yaml that doesn't have linpeas disabled # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_3title, warn_exec # Global Variables: $NGINX_KNOWN_MODULES # Initial Functions: diff --git a/linPEAS/builder/linpeas_parts/7_software_information/FreeIPA.sh b/linPEAS/builder/linpeas_parts/7_software_information/FreeIPA.sh index d428db4..be038aa 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/FreeIPA.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/FreeIPA.sh @@ -5,6 +5,7 @@ # Description: FreeIPA # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_info # Global Variables: # Initial Functions: 
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Gitlab.sh b/linPEAS/builder/linpeas_parts/7_software_information/Gitlab.sh index c42372c..df0c484 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Gitlab.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Gitlab.sh @@ -5,6 +5,7 @@ # Description: Searching GitLab related files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: @@ -14,7 +15,7 @@ if [ "$(command -v gitlab-rails || echo -n '')" ] || [ "$(command -v gitlab-backup || echo -n '')" ] || [ "$PSTORAGE_GITLAB" ] || [ "$DEBUG" ]; then - print_2title "Searching GitLab related files" + print_2title "Searching GitLab related files" "T1552.001" #Check gitlab-rails if [ "$(command -v gitlab-rails || echo -n '')" ]; then echo "gitlab-rails was found. Trying to dump users..." diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh b/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh index 5e38749..ce8a232 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Kcpassword.sh @@ -5,6 +5,7 @@ # Description: Analyzing kcpassword files # License: GNU GPL # Version: 1.0 +# Mitre: T1555.001 # Functions Used: print_2title, print_info # Global Variables: $DEBUG # Initial Functions: @@ -14,7 +15,7 @@ if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then - print_2title "Analyzing kcpassword files" + print_2title "Analyzing kcpassword files" "T1555.001" print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword" printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do echo "$f" | sed -${E} "s,.*,${SED_RED}," 
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh b/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh index 65aa291..7da4f3a 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Kerberos.sh @@ -5,6 +5,7 @@ # Description: Kerberos # License: GNU GPL # Version: 1.0 +# Mitre: T1558.003 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $DEBUG, $ITALIC # Initial Functions: @@ -17,7 +18,7 @@ kadmin_exists="$(command -v kadmin || echo -n '')" klist_exists="$(command -v klist || echo -n '')" kinit_exists="$(command -v kinit || echo -n '')" if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then - print_2title "Searching kerberos conf files and tickets" + print_2title "Searching kerberos conf files and tickets" "T1558.003" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory" if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Log4shell.sh b/linPEAS/builder/linpeas_parts/7_software_information/Log4shell.sh index 6d84932..9d772a3 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Log4shell.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Log4shell.sh @@ -5,6 +5,7 @@ # Description: Searching Log4Shell vulnerable libraries # License: GNU GPL # Version: 1.0 +# Mitre: T1190 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: 
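Review bot: `print_2title "Searching kerberos conf files and tickets" "T1558.003"` and the header tag this section as Kerberoasting, but per its title and the kadmin/klist/kinit probes it looks for Kerberos configuration and cached tickets on the host, not for service-ticket requests to crack offline. Stealing tickets from credential caches is its own sub-technique, T1558.005 (Ccache Files), with the parent T1558 as the safe fallback if the project's ATT&CK version predates it. The enclosing `if` block continues past the hunk.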
@@ -14,7 +15,7 @@ if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]; then - print_2title "Searching Log4Shell vulnerable libraries" + print_2title "Searching Log4Shell vulnerable libraries" "T1190" printf "%s\n" "$PSTORAGE_LOG4SHELL" | while read f; do echo "$f" | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},"; done diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Logstash.sh b/linPEAS/builder/linpeas_parts/7_software_information/Logstash.sh index fcd25c9..9534b10 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Logstash.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Logstash.sh @@ -5,6 +5,7 @@ # Description: Searching logstash files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER # Initial Functions: @@ -14,7 +15,7 @@ if [ "$PSTORAGE_LOGSTASH" ] || [ "$DEBUG" ]; then - print_2title "Searching logstash files" + print_2title "Searching logstash files" "T1552.001" printf "$PSTORAGE_LOGSTASH" printf "%s\n" "$PSTORAGE_LOGSTASH" | while read d; do if [ -r "$d/startup.options" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh index 6212024..29a92e5 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Mysql.sh @@ -5,6 +5,7 @@ # Description: Mysql credentials # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $DEBUG, $USER, $STRINGS # Initial Functions: 
@@ -14,7 +15,7 @@ if [ "$PSTORAGE_MYSQL" ] || [ "$DEBUG" ]; then - print_2title "Searching mysql credentials and exec" + print_2title "Searching mysql credentials and exec" "T1552.001" printf "%s\n" "$PSTORAGE_MYSQL" | while read d; do if [ -f "$d" ] && ! [ "$(basename $d)" = "mysql" ]; then # Only interested in "mysql" that are folders (filesaren't the ones with creds) echo "Potential file containing credentials:" @@ -66,7 +67,7 @@ echo "" #-- SI) Mysql version if [ "$(command -v mysql || echo -n '')" ] || [ "$(command -v mysqladmin || echo -n '')" ] || [ "$DEBUG" ]; then - print_2title "MySQL version" + print_2title "MySQL version" "T1552.001" mysql --version 2>/dev/null || echo_not_found "mysql" mysqluser=$(systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1) if [ "$mysqluser" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information/PGP_GPG.sh b/linPEAS/builder/linpeas_parts/7_software_information/PGP_GPG.sh index 10d06e2..cf752a2 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/PGP_GPG.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/PGP_GPG.sh @@ -5,6 +5,7 @@ # Description: PGP-GPG # License: GNU GPL # Version: 1.0 +# Mitre: T1552.004 # Functions Used: echo_not_found # Global Variables: # Initial Functions: diff --git a/linPEAS/builder/linpeas_parts/7_software_information/PHP_Sessions.sh b/linPEAS/builder/linpeas_parts/7_software_information/PHP_Sessions.sh index e20691b..35b585f 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/PHP_Sessions.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/PHP_Sessions.sh @@ -5,6 +5,7 @@ # Description: PHP Sessions # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: echo_not_found # Global Variables: # Initial Functions: 
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Pamd.sh b/linPEAS/builder/linpeas_parts/7_software_information/Pamd.sh index a6bcbfa..322842f 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Pamd.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Pamd.sh @@ -5,6 +5,7 @@ # Description: Passwords inside pam.d # License: GNU GPL # Version: 1.0 +# Mitre: T1556.003 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: @@ -15,7 +16,7 @@ pamdpass=$(grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#") if [ "$pamdpass" ] || [ "$DEBUG" ]; then - print_2title "Passwords inside pam.d" + print_2title "Passwords inside pam.d" "T1556.003" grep -Ri "passwd" ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED}," echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Postgresql.sh b/linPEAS/builder/linpeas_parts/7_software_information/Postgresql.sh index 87103d1..89adb15 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Postgresql.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Postgresql.sh @@ -5,6 +5,7 @@ # Description: PostgreSQL brute # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: echo_no, print_list, warn_exec # Global Variables: $DEBUG, $TIMEOUT # Initial Functions: diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh b/linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh index 05d76fc..4bd778f 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Postgresql_Event_Triggers.sh 
@@ -5,6 +5,7 @@ # Description: Detect unsafe PostgreSQL event triggers and postgres_fdw custom scripts that grant temporary SUPERUSER # License: GNU GPL # Version: 1.0 +# Mitre: T1505.001 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $DEBUG, $E, $SED_GREEN, $SED_RED, $SED_YELLOW, $TIMEOUT # Initial Functions: @@ -14,7 +15,7 @@ if [ "$DEBUG" ] || { [ "$TIMEOUT" ] && [ "$(command -v psql 2>/dev/null || echo -n '')" ]; }; then - print_2title "PostgreSQL event trigger ownership & postgres_fdw hooks" + print_2title "PostgreSQL event trigger ownership & postgres_fdw hooks" "T1505.001" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#postgresql-event-triggers" psql_bin="$(command -v psql 2>/dev/null || echo -n '')" diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh b/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh index 84f135b..05b689f 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Runc.sh @@ -5,6 +5,7 @@ # Description: Runc # License: GNU GPL # Version: 1.0 +# Mitre: T1613,T1611 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $SEARCH_IN_FOLDER # Initial Functions: @@ -16,7 +17,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then runc=$(command -v runc || echo -n '') if [ "$runc" ] || [ "$DEBUG" ]; then - print_2title "Checking if runc is available" + print_2title "Checking if runc is available" "T1613,T1611" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#runc--privilege-escalation" if [ "$runc" ]; then echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED}," diff --git a/linPEAS/builder/linpeas_parts/7_software_information/SKey.sh b/linPEAS/builder/linpeas_parts/7_software_information/SKey.sh index 5d5db68..a72499b 100644 
--- a/linPEAS/builder/linpeas_parts/7_software_information/SKey.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/SKey.sh @@ -5,6 +5,7 @@ # Description: S/Key athentication # License: GNU GPL # Version: 1.0 +# Mitre: T1556 # Functions Used: print_2title # Global Variables: $DEBUG, $IAMROOT # Initial Functions: @@ -14,7 +15,7 @@ if (grep auth= /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q skey) || [ "$DEBUG" ] ; then - print_2title "S/Key authentication" + print_2title "S/Key authentication" "T1556" printf "System supports$RED S/Key$NC authentication\n" if ! [ -d /etc/skey/ ]; then echo "${GREEN}S/Key authentication enabled, but has not been initialized" diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh b/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh index 8c16269..4076531 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Screen_sessions.sh @@ -5,6 +5,7 @@ # Description: Screen sessions # License: GNU GPL # Version: 1.0 +# Mitre: T1563 # Functions Used: print_2title, print_info # Global Variables:$DEBUG, $SEARCH_IN_FOLDER, $USER, $wgroups # Initial Functions: @@ -14,7 +15,7 @@ if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) && ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Searching screen sessions" + print_2title "Searching screen sessions" "T1563" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions" screensess=$(screen -ls 2>/dev/null) screensess2=$(find /run/screen -type d -path "/run/screen/S-*" 2>/dev/null) 
@@ -27,7 +28,7 @@ if (command -v screen >/dev/null 2>&1 || [ -d "/run/screen" ] || [ "$DEBUG" ]) & done if [ -r "/etc/passwd" ]; then - print_3title "Checking other users screen sessions" + print_3title "Checking other users screen sessions" "T1563" cut -d: -f1,7 /etc/passwd 2>/dev/null | grep "sh$" | cut -d: -f1 | grep -v "^$USER$" | while read u; do uscreen=$(screen -ls "${u}/" 2>/dev/null | grep -v "No Sockets found" | grep -v "^$") if [ "$uscreen" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Splunk.sh b/linPEAS/builder/linpeas_parts/7_software_information/Splunk.sh index 4301e12..3527f16 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Splunk.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Splunk.sh @@ -5,6 +5,7 @@ # Description: passwd files (splunk) # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: @@ -15,7 +16,7 @@ SPLUNK_BIN="$(command -v splunk 2>/dev/null || echo -n '')" if [ "$PSTORAGE_SPLUNK" ] || [ "$SPLUNK_BIN" ] || [ "$DEBUG" ]; then - print_2title "Searching uncommon passwd files (splunk)" + print_2title "Searching uncommon passwd files (splunk)" "T1552.001" if [ "$SPLUNK_BIN" ]; then echo "splunk binary was found installed on $SPLUNK_BIN" | sed "s,.*,${SED_RED},"; fi printf "%s\n" "$PSTORAGE_SPLUNK" | grep -v ".htpasswd" | sort | uniq | while read f; do if [ -f "$f" ] && ! [ -x "$f" ]; then diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh b/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh index 5a04c58..1a1394d 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Ssh.sh 
@@ -5,6 +5,7 @@ # Description: Searching ssl/ssh files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.004,T1021.004 # Functions Used: print_2title, print_3title # Global Variables: $HOME, $HOMESEARCH, $ROOT_FOLDER, $SEARCH_IN_FOLDER, $TIMEOUT, $USER, $wgroups # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 1 -print_2title "Searching ssl/ssh files" +print_2title "Searching ssl/ssh files" "T1552.004,T1021.004" if [ "$PSTORAGE_CERTSB4" ]; then certsb4_grep=$(grep -L "\"\|'\|(" $PSTORAGE_CERTSB4 2>/dev/null); fi if ! [ "$SEARCH_IN_FOLDER" ]; then sshconfig="$(ls /etc/ssh/ssh_config 2>/dev/null)" 
@@ -62,53 +63,53 @@ if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfile echo "" fi if [ "$certsb4_grep" ] || [ "$PSTORAGE_CERTSBIN" ]; then - print_3title "Some certificates were found (out limited):" + print_3title "Some certificates were found (out limited):" "T1552.004,T1021.004" printf "$certsb4_grep\n" | head -n 20 printf "$PSTORAGE_CERTSBIN\n" | head -n 20 echo "" fi if [ "$PSTORAGE_CERTSCLIENT" ]; then - print_3title "Some client certificates were found:" + print_3title "Some client certificates were found:" "T1552.004,T1021.004" printf "$PSTORAGE_CERTSCLIENT\n" echo "" fi if [ "$PSTORAGE_SSH_AGENTS" ]; then - print_3title "Some SSH Agent files were found:" + print_3title "Some SSH Agent files were found:" "T1552.004,T1021.004" printf "$PSTORAGE_SSH_AGENTS\n" echo "" fi if [ "$agent_sockets" ]; then - print_3title "Potential SSH agent sockets were found:" + print_3title "Potential SSH agent sockets were found:" "T1552.004,T1021.004" printf "%s\n" "$agent_sockets" | sed -${E} "s,.*,${SED_RED}," echo "" fi if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then - print_3title "Listing SSH Agents" + print_3title "Listing SSH Agents" "T1552.004,T1021.004" ssh-add -l echo "" fi if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep "D - - 1"; then - print_3title "Listing gpg keys cached in gpg-agent" + print_3title "Listing gpg keys cached in gpg-agent" "T1552.004,T1021.004" gpg-connect-agent "keyinfo --list" /bye echo "" fi if [ "$writable_agents" ]; then - print_3title "Writable ssh and gpg agents" + print_3title "Writable ssh and gpg agents" "T1552.004,T1021.004" printf "%s\n" "$writable_agents" fi if [ "$PSTORAGE_SSH_CONFIG" ]; then - print_3title "Some home ssh config file was found" + print_3title "Some home ssh config file was found" "T1552.004,T1021.004" printf "%s\n" "$PSTORAGE_SSH_CONFIG" | while read f; do ls "$f" | sed -${E} "s,$f,${SED_RED},"; cat "$f" 2>/dev/null | grep -Iv "^$" | grep -v "^#" | sed -${E} 
"s,User|ProxyCommand,${SED_RED},"; done echo "" fi if [ "$hostsdenied" ]; then - print_3title "/etc/hosts.denied file found, read the rules:" + print_3title "/etc/hosts.denied file found, read the rules:" "T1552.004,T1021.004" printf "$hostsdenied\n" cat " ${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN}," echo "" fi if [ "$hostsallow" ]; then - print_3title "/etc/hosts.allow file found, trying to read the rules:" + print_3title "/etc/hosts.allow file found, trying to read the rules:" "T1552.004,T1021.004" printf "$hostsallow\n" cat " ${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED}," echo "" diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh b/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh index eced3b3..acfab2b 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Tmux.sh @@ -5,6 +5,7 @@ # Description: Enumerate Tmux # License: GNU GPL # Version: 1.0 +# Mitre: T1563 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $SEARCH_IN_FOLDER, $wgroups # Initial Functions: diff --git a/linPEAS/builder/linpeas_parts/7_software_information/Vault_ssh.sh b/linPEAS/builder/linpeas_parts/7_software_information/Vault_ssh.sh index ad9d640..7cb64c9 100644 --- a/linPEAS/builder/linpeas_parts/7_software_information/Vault_ssh.sh +++ b/linPEAS/builder/linpeas_parts/7_software_information/Vault_ssh.sh @@ -5,6 +5,7 @@ # Description: Searching Vault-ssh files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.004 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: 
@@ -14,7 +15,7 @@
 if [ "$PSTORAGE_VAULT_SSH_HELPER" ] || [ "$DEBUG" ]; then
- print_2title "Searching Vault-ssh files"
+ print_2title "Searching Vault-ssh files" "T1552.004"
 printf "$PSTORAGE_VAULT_SSH_HELPER\n"
 printf "%s\n" "$PSTORAGE_VAULT_SSH_HELPER" | while read f; do cat "$f" 2>/dev/null; vault-ssh-helper -verify-only -config "$f" 2>/dev/null; done
 echo ""
diff --git a/linPEAS/builder/linpeas_parts/7_software_information/YubiKey.sh b/linPEAS/builder/linpeas_parts/7_software_information/YubiKey.sh
index 251032c..a4857f5 100644
--- a/linPEAS/builder/linpeas_parts/7_software_information/YubiKey.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/YubiKey.sh
@@ -5,6 +5,7 @@
 # Description: YubiKey athentication
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1556
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $IAMROOT
 # Initial Functions:
@@ -14,7 +15,7 @@
 if (grep "auth=" /etc/login.conf 2>/dev/null | grep -v "^#" | grep -q yubikey) || [ "$DEBUG" ]; then
- print_2title "YubiKey authentication"
+ print_2title "YubiKey authentication" "T1556"
 printf "System supports$RED YubiKey authentication\n"
 if ! [ "$IAMROOT" ] && [ -w /var/db/yubikey/ ]; then
 echo "${RED}/var/db/yubikey/ is writable by you"
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/10_Read_creds_files.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/10_Read_creds_files.sh
index e20ab68..98a5996 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/10_Read_creds_files.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/10_Read_creds_files.sh
@@ -5,6 +5,7 @@
 # Description: Hashes in passwd file, shadow files and other files
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1552.001
 # Functions Used: echo_no, print_list
 # Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $USER, $wgroups
 # Initial Functions:
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/11_Root_files_home_dir.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/11_Root_files_home_dir.sh
index 7adb938..6026ce4 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/11_Root_files_home_dir.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/11_Root_files_home_dir.sh
@@ -5,6 +5,7 @@
 # Description: Searching root files in home dirs
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1083
 # Functions Used: echo_not_found, print_2title
 # Global Variables: $HOMESEARCH, $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Searching root files in home dirs (limit 30)"
+ print_2title "Searching root files in home dirs (limit 30)" "T1083"
 (find $HOMESEARCH -user root 2>/dev/null | head -n 30 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found
 echo ""
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/12_Others_files_in_my_dirs.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/12_Others_files_in_my_dirs.sh
index 8f14aca..7f6fb1d 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/12_Others_files_in_my_dirs.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/12_Others_files_in_my_dirs.sh
@@ -5,6 +5,7 @@
 # Description: Searching folders owned by me containing others files on it
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1083
 # Functions Used: print_2title
 # Global Variables: $IAMROOT, $knw_usrs, $nosh_usrs, $ROOT_FOLDER, $sh_usrs ,$USER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$IAMROOT" ]; then
- print_2title "Searching folders owned by me containing others files on it (limit 100)"
+ print_2title "Searching folders owned by me containing others files on it (limit 100)" "T1083"
 (find $ROOT_FOLDER -type d -user "$USER" ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null | head -n 100 | while read d; do find "$d" -maxdepth 1 ! -user "$USER" \( -type f -or -type d \) -exec ls -l {} \; 2>/dev/null; done) | sort | uniq | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${C}[1;13m&${C}[0m,g"
 echo ""
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/13_Root_readable_files_notworld_readeble.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/13_Root_readable_files_notworld_readeble.sh
index 434d634..e960e8c 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/13_Root_readable_files_notworld_readeble.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/13_Root_readable_files_notworld_readeble.sh
@@ -5,6 +5,7 @@
 # Description: Readable files belonging to root and readable by me but not world readable
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1083
 # Functions Used: echo_not_found, print_2title
 # Global Variables: $IAMROOT, $ROOT_FOLDER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$IAMROOT" ]; then
- print_2title "Readable files belonging to root and readable by me but not world readable"
+ print_2title "Readable files belonging to root and readable by me but not world readable" "T1083"
 (find $ROOT_FOLDER -type f -user root ! -perm -o=r ! -path "/proc/*" 2>/dev/null | grep -v "\.journal" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null | sed -${E} "s,/.*,${SED_RED},"; fi; done) || echo_not_found
 echo ""
 fi
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
index a6c0918..1147ab2 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/14_Writable_files_owner_all.sh
@@ -5,6 +5,7 @@
 # Description: Interesting writable files owned by me or writable by everyone (not in Home)
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1574.009,T1574.010
 # Functions Used: print_2title, print_info
 # Global Variables: $HOME, $IAMROOT, $ITALIC, $notExtensions, $ROOT_FOLDER, $USER, $writeVB, $writeB
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$IAMROOT" ]; then
- print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)"
+ print_2title "Interesting writable files owned by me or writable by everyone (not in Home) (max 200)" "T1574.009,T1574.010"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
 #In the next file, you need to specify type "d" and "f" to avoid fake link files apparently writable by all
 obmowbe=$(find $ROOT_FOLDER '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "/dev/*" ! -path "/snap/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | sort | uniq | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh
index 99efb42..0358068 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/15_Writable_files_group.sh
@@ -5,6 +5,7 @@
 # Description: Interesting GROUP writable files (not in Home)
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1574.009,T1574.010
 # Functions Used: print_2title, print_info
 # Global Variables: $DEBUG, $HOME, $IAMROOT, $notExtensions, $ROOT_FOLDER, $writeVB, $writeB
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$IAMROOT" ]; then
- print_2title "Interesting GROUP writable files (not in Home) (max 200)"
+ print_2title "Interesting GROUP writable files (not in Home) (max 200)" "T1574.009,T1574.010"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
 for g in $(groups); do
 iwfbg=$(find $ROOT_FOLDER '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null | grep -Ev "$notExtensions" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (act == pre){(cont += 1)} else {cont=0}; if (cont < 5){ print line_init; } if (cont == "5"){print "#)You_can_write_even_more_files_inside_last_directory\n"}; pre=act }' | head -n 200)
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh
index 9a7d312..6aeab71 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_IGEL_OS_SUID.sh
@@ -5,6 +5,7 @@
 # Description: Detect IGEL OS environments that expose the SUID-root `setup`/`date` binaries and highlight writable NetworkManager/systemd configs that enable the documented privilege escalation chain (Metasploit linux/local/igel_network_priv_esc).
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1548.001
 # Functions Used: print_2title, print_info
 # Global Variables: $ITALIC, $NC, $SED_GREEN, $SED_RED, $SED_RED_YELLOW, $SUPERFAST
 # Initial Functions:
@@ -37,7 +38,7 @@ for candidate in /usr/bin/setup /bin/setup /usr/sbin/setup /opt/igel/bin/setup /
 done
 if [ -n "$igel_markers" ] || [ -n "$igel_suid_hits" ]; then
- print_2title "IGEL OS SUID setup/date privilege escalation surface"
+ print_2title "IGEL OS SUID setup/date privilege escalation surface" "T1548.001"
 print_info "https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-11-28-2025"
 if [ -n "$igel_markers" ]; then
 echo "Potential IGEL OS detected via: $igel_marker_sources" | sed -${E} "s,.*,${SED_GREEN},"
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh
index 1f86216..fdb8e96 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Writable_root_execs.sh
@@ -5,6 +5,7 @@
 # Description: Locate root-owned executables outside home folders that the current user can modify
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1574.009,T1574.010
 # Functions Used: print_2title, print_info, echo_not_found
 # Global Variables: $DEBUG, $IAMROOT, $ROOT_FOLDER, $HOME, $writeVB
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
 if ! [ "$IAMROOT" ]; then
- print_2title "Writable root-owned executables I can modify (max 200)"
+ print_2title "Writable root-owned executables I can modify (max 200)" "T1574.009,T1574.010"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files"
 writable_root_execs=$(
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh
index ae8e7f6..af06242 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/1_SUID.sh
@@ -5,6 +5,7 @@
 # Description: SUID - Check easy privesc, exploits and write perms
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1548.001
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $IAMROOT, $LDD, $ROOT_FOLDER, $READELF, $sidB, $sidG1, $sidG2, $sidG3, $sidG4, $sidVB, $sidVB2, $STRACE, $STRINGS, $TIMEOUT, $Wfolders, $cfuncs
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
-print_2title "SUID - Check easy privesc, exploits and write perms"
+print_2title "SUID - Check easy privesc, exploits and write perms" "T1548.001"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 if ! [ "$STRINGS" ]; then
 echo_not_found "strings"
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh
index feeced2..5aee73b 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/2_SGID.sh
@@ -5,6 +5,7 @@
 # Description: SGID
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1548.001
 # Functions Used: print_2title, print_info
 # Global Variables: $cfuncs, $IAMROOT, $LDD, $READELF, $ROOT_FOLDER, $sidB, $sidG1, $sidG2, $sidG3, $sidG4, $sidVB, $sidVB2, $STRACE, $STRINGS, $TIMEOUT, $Wfolders
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
-print_2title "SGID"
+print_2title "SGID" "T1548.001"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
 sgids_files=$(find $ROOT_FOLDER -perm -2000 -type f ! -path "/dev/*" 2>/dev/null)
 printf "%s\n" "$sgids_files" | while read s; do
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh
index a6dbdd2..7479d74 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/3_Files_ACLs.sh
@@ -5,6 +5,7 @@
 # Description: Files with ACLs
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1222
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $HOMESEARCH, $knw_usrs, $MACPEAS, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $writeB, $writeVB
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 1
-print_2title "Files with ACLs (limited to 50)"
+print_2title "Files with ACLs (limited to 50)" "T1222"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls"
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 ( (getfacl -t -s -R -p /bin /etc $HOMESEARCH /opt /sbin /usr /tmp /root 2>/dev/null) || echo_not_found "files with acls in searched folders" ) | head -n 70 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$writeVB,${SED_RED_YELLOW},g" | sed -${E} "s,$writeB,${SED_RED},g"
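Review bot: The rewritten `print_2title` line in the 3_Files_ACLs.sh hunk still says `(limited to 50)` while the pipeline two lines below caps output at `head -n 70`; since the commit already rewrites that title, this is the moment to make them agree, e.g. `print_2title "Files with ACLs (limited to 70)" "T1222"` or `head -n 50` in the pipeline. The T1222 tag also reads as a stretch: that technique covers modifying permissions, whereas this module only enumerates existing ACLs, so a discovery mapping such as the T1083 used for the neighbouring root-file modules may fit better, or the header could note why T1222 was chosen. The `if ! [ "$SEARCH_IN_FOLDER" ]` block continues past the end of the hunk.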
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh
index 7668dd3..03c9846 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/4_Capabilities.sh
@@ -5,6 +5,7 @@
 # Description: Capabilities
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1548.001
 # Functions Used: echo_not_found, print_2title, print_info, print_3title
 # Global Variables: $capsB, $capsVB, $IAMROOT, $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -14,10 +15,10 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Capabilities"
+ print_2title "Capabilities" "T1548.001"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
 if [ "$(command -v capsh || echo -n '')" ]; then
- print_3title "Current shell capabilities"
+ print_3title "Current shell capabilities" "T1548.001"
 cat "/proc/$$/status" | grep Cap | while read -r cap_line; do
 cap_name=$(echo "$cap_line" | awk '{print $1}')
 cap_value=$(echo "$cap_line" | awk '{print $2}')
@@ -70,7 +71,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 done
 echo ""
- print_3title "Processes with capability sets (non-zero CapEff/CapAmb, limit 40)"
+ print_3title "Processes with capability sets (non-zero CapEff/CapAmb, limit 40)" "T1548.001"
 find /proc -maxdepth 2 -path "/proc/[0-9]*/status" 2>/dev/null | head -n 400 | while read -r proc_status; do
 proc_pid=$(echo "$proc_status" | cut -d/ -f3)
 proc_name=$(awk '/^Name:/{print $2}' "$proc_status" 2>/dev/null)
@@ -105,11 +106,11 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 echo ""
 else
- print_3title "Current shell capabilities"
+ print_3title "Current shell capabilities" "T1548.001"
 (cat "/proc/$$/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$$/status"
 echo ""
- print_3title "Parent proc capabilities"
+ print_3title "Parent proc capabilities" "T1548.001"
 (cat "/proc/$PPID/status" | grep Cap | sed -${E} "s,.*0000000000000000|CapBnd: 0000003fffffffff,${SED_GREEN},") 2>/dev/null || echo_not_found "/proc/$PPID/status"
 echo ""
 fi
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh
index 079fc36..6a913c8 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/5_Users_with_capabilities.sh
@@ -5,6 +5,7 @@
 # Description: Users with capabilities
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1548.001
 # Functions Used: echo_not_found, print_2title, print_info
 # Global Variables: $capsB, $DEBUG, $knw_usrs, $nosh_usrs, $sh_usrs, $USER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if [ -f "/etc/security/capability.conf" ] || [ "$DEBUG" ] || grep -Rqs "pam_cap\.so" /etc/pam.d /etc/pam.conf 2>/dev/null; then
- print_2title "Users with capabilities"
+ print_2title "Users with capabilities" "T1548.001"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities"
 if [ -f "/etc/security/capability.conf" ]; then
 grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed -${E} "s,$capsB,${SED_RED},g"
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh
index 853a50e..149c32d 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/6_Misconfigured_ldso.sh
@@ -5,6 +5,7 @@
 # Description: Checking misconfigurations of ld.so
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1574.006
 # Functions Used: print_2title, print_info
 # Global Variables: $IAMROOT, $ITALIC, $SEARCH_IN_FOLDER, $USER, $Wfolders, $ldsoconfdG, $wgroups
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$IAMROOT" ]; then
- print_2title "Checking misconfigurations of ld.so"
+ print_2title "Checking misconfigurations of ld.so" "T1574.006"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ldso"
 if [ -f "/etc/ld.so.conf" ] && [ -w "/etc/ld.so.conf" ]; then
 echo "You have write privileges over /etc/ld.so.conf" | sed -${E} "s,.*,${SED_RED_YELLOW},";
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh
index 8be91eb..097e4ca 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/7_Files_etc_profile_d.sh
@@ -5,6 +5,7 @@
 # Description: Files (scripts) in /etc/profile.d/
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1546.004
 # Functions Used: check_critial_root_path, echo_not_found, print_2title, print_info
 # Global Variables: $IAMROOT, $MACPEAS, $profiledG, $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Files (scripts) in /etc/profile.d/"
+ print_2title "Files (scripts) in /etc/profile.d/" "T1546.004"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#profiles-files"
 if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
 (ls -la /etc/profile.d/ 2>/dev/null | sed -${E} "s,$profiledG,${SED_GREEN},") || echo_not_found "/etc/profile.d/"
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh
index a15968f..bc5696d 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/8_Files_etc_init_d.sh
@@ -5,6 +5,7 @@
 # Description: Permissions in init, init.d, systemd, and rc.d
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1543.002
 # Functions Used: check_critial_root_path, print_2title, print_info
 # Global Variables: $IAMROOT, $MACPEAS, $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_2title "Permissions in init, init.d, systemd, and rc.d"
+print_2title "Permissions in init, init.d, systemd, and rc.d" "T1543.002"
 print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-initd-systemd-and-rcd"
 if [ ! "$MACPEAS" ] && ! [ "$IAMROOT" ]; then #Those folders don´t exist on a MacOS
 check_critial_root_path "/etc/init/"
diff --git a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/9_App_armour_profiles.sh b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/9_App_armour_profiles.sh
index 5b6e241..7fe20b7 100644
--- a/linPEAS/builder/linpeas_parts/8_interesting_perms_files/9_App_armour_profiles.sh
+++ b/linPEAS/builder/linpeas_parts/8_interesting_perms_files/9_App_armour_profiles.sh
@@ -5,6 +5,7 @@
 # Description: AppArmor profiles to prevent suid/capabilities abuse
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1518.001
 # Functions Used: print_2title
 # Global Variables: $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -15,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 if [ -d "/etc/apparmor.d/" ] && [ -r "/etc/apparmor.d/" ]; then
- print_2title "AppArmor binary profiles"
+ print_2title "AppArmor binary profiles" "T1518.001"
 ls -l /etc/apparmor.d/ 2>/dev/null | grep -E "^-" | grep "\."
 echo ""
 fi
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/10_Others_homes.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/10_Others_homes.sh
index 058bc78..1cde175 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/10_Others_homes.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/10_Others_homes.sh
@@ -5,6 +5,7 @@
 # Description: Files inside /home
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1552.001
 # Functions Used: echo_not_found, print_2title
 # Global Variables: $HOMESEARCH, $SEARCH_IN_FOLDER, $USER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Files inside others home (limit 20)"
+ print_2title "Files inside others home (limit 20)" "T1552.001"
 (find $HOMESEARCH -type f 2>/dev/null | grep -v -i "/"$USER | head -n 20) || echo_not_found
 echo ""
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/11_Mail_apps.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/11_Mail_apps.sh
index 2b3bc0b..84c741f 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/11_Mail_apps.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/11_Mail_apps.sh
@@ -5,6 +5,7 @@
 # Description: Mail applications
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1114.001
 # Functions Used: print_2title
 # Global Variables: $mail_apps, $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Searching installed mail applications"
+ print_2title "Searching installed mail applications" "T1114.001"
 ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq
 echo ""
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/12_Mails.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/12_Mails.sh
index b0bb297..b2270ef 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/12_Mails.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/12_Mails.sh
@@ -5,6 +5,7 @@
 # Description: Mails
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1114.001
 # Functions Used: echo_not_found, print_2title
 # Global Variables: $knw_usrs ,$nosh_usrs , $SEARCH_IN_FOLDER, $sh_usrs, $USER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Mails (limit 50)"
+ print_2title "Mails (limit 50)" "T1114.001"
 (find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls 2>/dev/null | head -n 50 | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_GREEN},g" | sed "s,$USER,${SED_RED},g") || echo_not_found
 echo ""
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/13_Backup_folders.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/13_Backup_folders.sh
index d05b138..fb6c7c6 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/13_Backup_folders.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/13_Backup_folders.sh
@@ -5,6 +5,7 @@
 # Description: Backup folders
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1552.001
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -15,7 +16,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
 if [ "$PSTORAGE_BACKUPS" ] || [ "$DEBUG" ]; then
- print_2title "Backup folders"
+ print_2title "Backup folders" "T1552.001"
 printf "%s\n" "$PSTORAGE_BACKUPS" | while read b ; do
 ls -ld "$b" 2> /dev/null | sed -${E} "s,backups|backup,${SED_RED},g";
 ls -l "$b" 2>/dev/null && echo ""
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/14_Backup_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/14_Backup_files.sh
index 2080521..d9efb9d 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/14_Backup_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/14_Backup_files.sh
@@ -5,6 +5,7 @@
 # Description: Backup files
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1552.001
 # Functions Used: print_2title
 # Global Variables: $notExtensions, $ROOT_FOLDER, $notBackup
 # Initial Functions:
@@ -13,7 +14,7 @@
 # Small linpeas: 0
-print_2title "Backup files (limited 100)"
+print_2title "Backup files (limited 100)" "T1552.001"
 backs=$(find $ROOT_FOLDER -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bak\.*" -o -name "*\.bck" -o -name "*\.bck\.*" -o -name "*\.bk" -o -name "*\.bk\.*" -o -name "*\.old" -o -name "*\.old\.*" \) -not -path "/proc/*" 2>/dev/null)
 printf "%s\n" "$backs" | head -n 100 | while read b ; do
 if [ -r "$b" ]; then
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/15_Db_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/15_Db_files.sh
index accab5a..2c7713a 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/15_Db_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/15_Db_files.sh
@@ -5,6 +5,7 @@
 # Description: Searching tables inside readable .db/.sql/.sqlite files
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1005
 # Functions Used: print_2title
 # Global Variables: $DEBUG, $HOME, $MACPEAS
 # Initial Functions:
@@ -14,7 +15,7 @@
 if [ "$MACPEAS" ]; then
- print_2title "Reading messages database"
+ print_2title "Reading messages database" "T1005"
 sqlite3 $HOME/Library/Messages/chat.db 'select * from message' 2>/dev/null
 sqlite3 $HOME/Library/Messages/chat.db 'select * from attachment' 2>/dev/null
 sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages' 2>/dev/null
@@ -23,7 +24,7 @@ fi
 if [ "$PSTORAGE_DATABASE" ] || [ "$DEBUG" ]; then
- print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)"
+ print_2title "Searching tables inside readable .db/.sql/.sqlite files (limit 100)" "T1005"
 FILECMD="$(command -v file 2>/dev/null || echo -n '')"
 printf "%s\n" "$PSTORAGE_DATABASE" | while read f; do
 if [ "$FILECMD" ]; then
@@ -73,6 +74,6 @@ fi
 echo ""
 if [ "$MACPEAS" ]; then
- print_2title "Downloaded Files"
+ print_2title "Downloaded Files" "T1005"
 sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|"
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/16_Macos_downloaded_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/16_Macos_downloaded_files.sh
index 5a84c48..5530ca3 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/16_Macos_downloaded_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/16_Macos_downloaded_files.sh
@@ -5,6 +5,7 @@
 # Description: Check which files have been downloaded
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1005
 # Functions Used: print_2title
 # Global Variables: $MACPEAS
 # Initial Functions:
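Review bot: The `Downloaded Files` block that the `@@ -73,6 +74,6 @@` hunk of 15_Db_files.sh tags is the same `$MACPEAS`-guarded quarantine-database dump that 16_Macos_downloaded_files.sh carries in the next section, so on macOS the LSQuarantineEvent table is printed twice under two identical titles. This duplication predates the commit, but since both copies are being edited now, dropping the one in 15_Db_files.sh (whose header describes .db/.sql/.sqlite enumeration, not download history) would leave a single tagged location. If both are kept on purpose, a comment on the 15_Db_files.sh copy, `# duplicated in 16_Macos_downloaded_files.sh`, would stop the next reader from treating it as an accident.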
@@ -14,6 +15,6 @@
 if [ "$MACPEAS" ]; then
- print_2title "Downloaded Files"
+ print_2title "Downloaded Files" "T1005"
 sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 'select LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString, date(LSQuarantineTimeStamp + 978307200, "unixepoch") as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep -Ev "\|\|\|"
 fi
\ No newline at end of file
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/17_Web_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/17_Web_files.sh
index a89fd25..1566124 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/17_Web_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/17_Web_files.sh
@@ -5,6 +5,7 @@
 # Description: Web files
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1005
 # Functions Used: print_2title
 # Global Variables: $SEARCH_IN_FOLDER
 # Initial Functions:
@@ -14,7 +15,7 @@
 if ! [ "$SEARCH_IN_FOLDER" ]; then
- print_2title "Web files?(output limit)"
+ print_2title "Web files?(output limit)" "T1005"
 ls -alhR /var/www/ 2>/dev/null | head
 ls -alhR /srv/www/htdocs/ 2>/dev/null | head
 ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/18_Hidden_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/18_Hidden_files.sh
index 831fcac..bbd2534 100644
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/18_Hidden_files.sh
+++ b/linPEAS/builder/linpeas_parts/9_interesting_files/18_Hidden_files.sh
@@ -5,6 +5,7 @@
 # Description: Get all relevant hidden files
 # License: GNU GPL
 # Version: 1.0
+# Mitre: T1564.001
 # Functions Used: print_2title
 # Global Variables:$INT_HIDDEN_FILES, $ROOT_FOLDER
 # Initial Functions:
@@ -13,6 +14,6 @@ # Small linpeas: 0 -print_2title "All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)" +print_2title "All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)" "T1564.001" find $ROOT_FOLDER -type f -iname ".*" ! -path "/sys/*" ! -path "/System/*" ! -path "/private/var/*" -exec ls -l {} \; 2>/dev/null | grep -Ev "$INT_HIDDEN_FILES" | grep -Ev "_history$|\.gitignore|.npmignore|\.listing|\.ignore|\.uuid|\.depend|\.placeholder|\.gitkeep|\.keep|\.keepme|\.travis.yml" | head -n 70 echo "" \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/19_Readable_files_tmp_backups.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/19_Readable_files_tmp_backups.sh index 60af4e1..166f5e1 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/19_Readable_files_tmp_backups.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/19_Readable_files_tmp_backups.sh @@ -5,6 +5,7 @@ # Description: Readable files in /tmp, /var/tmp, backups # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $backup_folders_row, $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)" + print_2title "Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)" "T1552.001" filstmpback=$(find /tmp /var/tmp /private/tmp /private/var/at/tmp /private/var/tmp $backup_folders_row -type f 2>/dev/null | grep -Ev "dpkg\.statoverride\.|dpkg\.status\.|apt\.extended_states\.|dpkg\.diversions\." | head -n 70) printf "%s\n" "$filstmpback" | while read f; do if [ -r "$f" ]; then ls -l "$f" 2>/dev/null; fi; done echo "" 
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh index 71f4209..9e7d407 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/1_Sh_files_in_PATH.sh @@ -5,6 +5,7 @@ # Description: finds .sh files in path # License: GNU GPL # Version: 1.0 +# Mitre: T1574.007 # Functions Used: print_2title, print_info # Global Variables: $DEBUG, $IAMROOT, $SEARCH_IN_FOLDER, $shscripsG, $Wfolders, $PATH # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title ".sh files in path" + print_2title ".sh files in path" "T1574.007" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path" echo $PATH | tr ":" "\n" | while read d; do for f in $(find "$d" -name "*.sh" -o -name "*.sh.*" 2>/dev/null); do @@ -31,7 +32,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then broken_links=$(find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken) if [ "$broken_links" ] || [ "$DEBUG" ]; then - print_2title "Broken links in path" + print_2title "Broken links in path" "T1574.007" echo $PATH | tr ":" "\n" | while read d; do find "$d" -type l 2>/dev/null | xargs file 2>/dev/null | grep broken | sed -${E} "s,broken,${SED_RED},"; done diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/20_Passwords_history_cmd.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/20_Passwords_history_cmd.sh index 00af5df..0470f94 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/20_Passwords_history_cmd.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/20_Passwords_history_cmd.sh @@ -5,6 +5,7 @@ # Description: Passwords in history cmd # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG, $pwd_inside_history # Initial Functions: 
@@ -14,7 +15,7 @@ if [ "$(history 2>/dev/null)" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in history cmd" + print_2title "Searching passwords in history cmd" "T1552.001" history | grep -Ei "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED}," echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/21_Passwords_history_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/21_Passwords_history_files.sh index 4805f74..4487e7e 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/21_Passwords_history_files.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/21_Passwords_history_files.sh @@ -5,6 +5,7 @@ # Description: Passwords in history files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG, $pwd_inside_history # Initial Functions: @@ -14,7 +15,7 @@ if [ "$PSTORAGE_HISTORY" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in history files" + print_2title "Searching passwords in history files" "T1552.001" printf "%s\n" "$PSTORAGE_HISTORY" | while read f; do grep -EiH "$pwd_inside_history" "$f" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"; done echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/22_Passwords_php_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/22_Passwords_php_files.sh index 9857f17..1279d28 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/22_Passwords_php_files.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/22_Passwords_php_files.sh @@ -5,6 +5,7 @@ # Description: Searching passwords in config PHP files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $DEBUG # Initial Functions: 
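Review bot: `history | grep -Ei "$pwd_inside_history" "$f" 2>/dev/null` hands grep a file operand, so it never reads the piped `history` output; `$f` is not set in this module and is not listed in its `# Global Variables` header, so unless an earlier module leaves it set, grep gets an empty filename, fails silently into `/dev/null`, and the check prints nothing despite now being tagged for `-T T1552.001`. Dropping the operand makes the pipeline do what the title says: `history | grep -Ei "$pwd_inside_history" 2>/dev/null | sed -${E} "s,$pwd_inside_history,${SED_RED},"`. The retagging itself is fine.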
@@ -14,7 +15,7 @@ if [ "$PSTORAGE_PHP_FILES" ] || [ "$DEBUG" ]; then - print_2title "Searching passwords in config PHP files" + print_2title "Searching passwords in config PHP files" "T1552.001" printf "%s\n" "$PSTORAGE_PHP_FILES" | while read c; do grep -EiIH "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass).*[=:].+|define ?\('(\w*passw|\w*user|\w*datab)" "$c" 2>/dev/null | grep -Ev "function|password.*= ?\"\"|password.*= ?''" | sed '/^.\{150\}./d' | sort | uniq | sed -${E} "s,[pP][aA][sS][sS][wW]|[dD][bB]_[pP][aA][sS][sS],${SED_RED},g"; done echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/23_Passwords_files_home.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/23_Passwords_files_home.sh index 7f88b62..ddc7337 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/23_Passwords_files_home.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/23_Passwords_files_home.sh @@ -5,6 +5,7 @@ # Description: Passwords files in home # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: echo_not_found, print_2title # Global Variables: $DEBUG # Initial Functions: @@ -14,7 +15,7 @@ if [ "$PSTORAGE_PASSWORD_FILES" ] || [ "$DEBUG" ]; then - print_2title "Searching *password* or *credential* files in home (limit 70)" + print_2title "Searching *password* or *credential* files in home (limit 70)" "T1552.001" (printf "%s\n" "$PSTORAGE_PASSWORD_FILES" | grep -v "/snap/" | awk -F/ '{line_init=$0; if (!cont){ cont=0 }; $NF=""; act=$0; if (cont < 3){ print line_init; } if (cont == "3"){print " #)There are more creds/passwds files in the previous parent folder\n"}; if (act == pre){(cont += 1)} else {cont=0}; pre=act }' | head -n 70 | sed -${E} "s,password|credential,${SED_RED}," | sed "s,There are more creds/passwds files in the previous parent folder,${C}[3m&${C}[0m,") || echo_not_found echo "" fi \ No newline at end of file 
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/24_Passwords_TTY.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/24_Passwords_TTY.sh index c7def64..8385c2e 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/24_Passwords_TTY.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/24_Passwords_TTY.sh @@ -5,6 +5,7 @@ # Description: TTY passwords # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Checking for TTY (sudo/su) passwords in audit logs" + print_2title "Checking for TTY (sudo/su) passwords in audit logs" "T1552.001" aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g" find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g" echo "" diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/25_IPs_logs.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/25_IPs_logs.sh index d56ff08..cba8a9e 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/25_IPs_logs.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/25_IPs_logs.sh @@ -5,6 +5,7 @@ # Description: Get TTY passwords # License: GNU GPL # Version: 1.0 +# Mitre: T1083 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Checking for TTY (sudo/su) passwords in audit logs" + print_2title "Checking for TTY (sudo/su) passwords in audit logs" "T1083" aureport --tty 2>/dev/null | grep -E "su |sudo " | sed -${E} "s,su|sudo,${SED_RED},g" find /var/log/ -type f -exec grep -RE 'comm="su"|comm="sudo"' '{}' \; 2>/dev/null | sed -${E} "s,\"su\"|\"sudo\",${SED_RED},g" | sed -${E} "s,data=.*,${SED_RED},g" echo "" 
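Review bot: 25_IPs_logs.sh tags the su/sudo audit-log password search with `"T1083"` (file and directory discovery) while 24_Passwords_TTY.sh, whose body and title are byte-identical, tags it `"T1552.001"`; the module's own `# Description: Get TTY passwords` supports the latter, so with `-T T1083` a user gets a credential search they did not ask for and with `-T T1552.001` the copy is skipped. Either align both header and title argument to `T1552.001`, or — since the filename suggests this module was meant to look for IPs in logs rather than duplicate the TTY check — replace the body with the intended check before tagging it. Worth deciding now, because the `# Mitre:` header is what the new `-T` filter keys on.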
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/26_Mails_addr_inside_logs.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/26_Mails_addr_inside_logs.sh index 9602986..5649c47 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/26_Mails_addr_inside_logs.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/26_Mails_addr_inside_logs.sh @@ -5,6 +5,7 @@ # Description: Emails inside logs # License: GNU GPL # Version: 1.0 +# Mitre: T1114.001 # Functions Used: print_2title # Global Variables: $DEBUG, $knw_emails, $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if [ "$DEBUG" ] || ( ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && ! [ "$SEARCH_IN_FOLDER" ] ); then - print_2title "Searching emails inside logs (limit 70)" + print_2title "Searching emails inside logs (limit 70)" "T1114.001" (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -I -R -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "{}" \;) 2>/dev/null | sort | uniq -c | sort -r -n | head -n 70 | sed -${E} "s,$knw_emails,${SED_GREEN},g" echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh index fe3cfc9..bea7eb5 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/27_Passwords_in_logs.sh @@ -5,6 +5,7 @@ # Description: Passwords inside logs # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: 
@@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Searching passwords inside logs (limit 70)" + print_2title "Searching passwords inside logs (limit 70)" "T1552.001" (find /var/log/ /var/logs/ /private/var/log -type f -exec grep -R -H -i "pwd\|passw" "{}" \;) 2>/dev/null | sed '/^.\{150\}./d' | sort | uniq | grep -v "File does not exist:\|modules-config/config-set-passwords\|config-set-passwords already ran\|script not found or unable to stat:\|\"GET /.*\" 404" | head -n 70 | sed -${E} "s,pwd|passw,${SED_RED}," echo "" fi diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh index a516895..331285d 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/28_Files_with_passwords.sh @@ -5,6 +5,7 @@ # Description: Searching possible password variables inside key folders and config files # License: GNU GPL # Version: 1.0 +# Mitre: T1552.001 # Functions Used: print_2title # Global Variables: $HOMESEARCH,$ITALIC, $pwd_in_variables1, $pwd_in_variables2, $pwd_in_variables3, $pwd_in_variables4, $pwd_in_variables5, $pwd_in_variables6, $pwd_in_variables7, $pwd_in_variables8, $pwd_in_variables9, $pwd_in_variables10, $pwd_in_variables11, $SEARCH_IN_FOLDER, $TIMEOUT, $backup_folders_row # Initial Functions: 
@@ -16,7 +17,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then ##-- IF) Find possible files with passwords - print_2title "Searching possible password variables inside key folders (limit 140)" + print_2title "Searching possible password variables inside key folders (limit 140)" "T1552.001" if ! [ "$SEARCH_IN_FOLDER" ]; then timeout 150 find $HOMESEARCH -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} "s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & timeout 150 find /var/www $backup_folders_row /tmp /etc /mnt /private -exec grep -HnRiIE "($pwd_in_variables1|$pwd_in_variables2|$pwd_in_variables3|$pwd_in_variables4|$pwd_in_variables5|$pwd_in_variables6|$pwd_in_variables7|$pwd_in_variables8|$pwd_in_variables9|$pwd_in_variables10|$pwd_in_variables11).*[=:].+" '{}' \; 2>/dev/null | sed '/^.\{150\}./d' | grep -Ev "^#" | grep -iv "linpeas" | sort | uniq | head -n 70 | sed -${E} "s,$pwd_in_variables1,${SED_RED},g" | sed -${E} "s,$pwd_in_variables2,${SED_RED},g" | sed -${E} "s,$pwd_in_variables3,${SED_RED},g" | sed -${E} "s,$pwd_in_variables4,${SED_RED},g" | sed -${E} "s,$pwd_in_variables5,${SED_RED},g" | sed -${E} "s,$pwd_in_variables6,${SED_RED},g" | sed -${E} 
"s,$pwd_in_variables7,${SED_RED},g" | sed -${E} "s,$pwd_in_variables8,${SED_RED},g" | sed -${E} "s,$pwd_in_variables9,${SED_RED},g" | sed -${E} "s,$pwd_in_variables10,${SED_RED},g" | sed -${E} "s,$pwd_in_variables11,${SED_RED},g" & @@ -27,7 +28,7 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ] && [ "$TIMEOUT" ]; then echo "" ##-- IF) Find possible conf files with passwords - print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)" + print_2title "Searching possible password in config files (if k8s secrets are found you need to read the file)" "T1552.001" if ! [ "$SEARCH_IN_FOLDER" ]; then ppicf=$(timeout 150 find $HOMESEARCH /var/www/ /usr/local/www/ /etc /opt /tmp /private /Applications /mnt -name "*.conf" -o -name "*.cnf" -o -name "*.config" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null) else diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/29_Interesting_environment_variables.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/29_Interesting_environment_variables.sh index e6fef21..bc84d86 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/29_Interesting_environment_variables.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/29_Interesting_environment_variables.sh @@ -5,6 +5,7 @@ # Description: Searching possible sensitive environment variables inside of /proc/*/environ # License: GNU GPL # Version: 1.0 +# Mitre: T1552.007,T1082 # Functions Used: print_2title # Global Variables: $MACPEAS, $NoEnvVars, $EnvVarsRed # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 1 if [ -z "$MACPEAS" ]; then - print_2title "Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars" + print_2title "Checking all env variables in /proc/*/environ removing duplicates and filtering out useless env vars" "T1552.007,T1082" cat /proc/[0-9]*/environ 2>/dev/null | \ tr '\0' '\n' | \ grep -Eiv "$NoEnvVars" | \ 
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/2_Date_in_firmware.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/2_Date_in_firmware.sh index 1c2a032..120a849 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/2_Date_in_firmware.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/2_Date_in_firmware.sh @@ -5,6 +5,7 @@ # Description: Date times inside firmware # License: GNU GPL # Version: 1.0 +# Mitre: T1082 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Files datetimes inside the firmware (limit 50)" + print_2title "Files datetimes inside the firmware (limit 50)" "T1082" find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50 echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"\"" echo "" diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/3_Executable_files_by_user.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/3_Executable_files_by_user.sh index 062caf3..01db493 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/3_Executable_files_by_user.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/3_Executable_files_by_user.sh @@ -5,6 +5,7 @@ # Description: Executable files potentially added by user # License: GNU GPL # Version: 1.0 +# Mitre: T1083 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: @@ -13,7 +14,7 @@ # Small linpeas: 0 -print_2title "Executable files potentially added by user (limit 70)" +print_2title "Executable files potentially added by user (limit 70)" "T1083" if ! [ "$SEARCH_IN_FOLDER" ]; then find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems|/cgroup/" | sort -r | head -n 70 else 
diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/4_Macos_unsigned_apps.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/4_Macos_unsigned_apps.sh index bf6d55e..c4e8333 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/4_Macos_unsigned_apps.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/4_Macos_unsigned_apps.sh @@ -5,6 +5,7 @@ # Description: Get the macOS unsigned applications # License: GNU GPL # Version: 1.0 +# Mitre: T1204.002 # Functions Used: macosNotSigned, print_2title # Global Variables: $MACPEAS # Initial Functions: @@ -14,6 +15,6 @@ if [ "$MACPEAS" ]; then - print_2title "Unsigned Applications" + print_2title "Unsigned Applications" "T1204.002" macosNotSigned /System/Applications fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/5_Unexpected_in_opt.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/5_Unexpected_in_opt.sh index a47fdcc..5a59b11 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/5_Unexpected_in_opt.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/5_Unexpected_in_opt.sh @@ -5,6 +5,7 @@ # Description: Unexpected in /opt # License: GNU GPL # Version: 1.0 +# Mitre: T1083 # Functions Used: print_2title # Global Variables: $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then if [ "$(ls /opt 2>/dev/null)" ]; then - print_2title "Unexpected in /opt (usually empty)" + print_2title "Unexpected in /opt (usually empty)" "T1083" ls -la /opt echo "" fi diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/6_Unexpected_in_root.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/6_Unexpected_in_root.sh index 02686d4..097bfec 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/6_Unexpected_in_root.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/6_Unexpected_in_root.sh 
@@ -5,6 +5,7 @@ # Description: Unexpected folders in / # License: GNU GPL # Version: 1.0 +# Mitre: T1083 # Functions Used: echo_not_found, print_2title # Global Variables: $commonrootdirsG, $commonrootdirsMacG, $MACPEAS, $ROOT_FOLDER, $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Unexpected in root" + print_2title "Unexpected in root" "T1083" if [ "$MACPEAS" ]; then (find $ROOT_FOLDER -maxdepth 1 | grep -Ev "$commonrootdirsMacG" | sed -${E} "s,.*,${SED_RED},") || echo_not_found else diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/7_Modified_last_5mins.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/7_Modified_last_5mins.sh index 7e94ec4..9873f35 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/7_Modified_last_5mins.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/7_Modified_last_5mins.sh @@ -5,6 +5,7 @@ # Description: Modified interesting files into specific folders in the last 5mins # License: GNU GPL # Version: 1.0 +# Mitre: T1083 # Functions Used: print_2title # Global Variables:$ROOT_FOLDER, $Wfolders # Initial Functions: @@ -13,6 +14,6 @@ # Small linpeas: 0 -print_2title "Modified interesting files in the last 5mins (limit 100)" +print_2title "Modified interesting files in the last 5mins (limit 100)" "T1083" find $ROOT_FOLDER -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" ! -path "/private/var/*" 2>/dev/null | grep -v "/linpeas" | head -n 100 | sed -${E} "s,$Wfolders,${SED_RED}," echo "" diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh index 271a465..6f650f9 100644 --- a/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/8_Writable_log_files.sh 
@@ -5,6 +5,7 @@ # Description: Writable log files # License: GNU GPL # Version: 1.0 +# Mitre: T1070.002 # Functions Used: echo_not_found, print_2title, print_info # Global Variables: $IAMROOT, $ROOT_FOLDER, $Wfolders # Initial Functions: @@ -14,7 +15,7 @@ if command -v logrotate >/dev/null && logrotate --version | head -n 1 | grep -Eq "[012]\.[0-9]+\.|3\.[0-9]\.|3\.1[0-7]\.|3\.18\.0"; then #3.18.0 and below -print_2title "Writable log files (logrotten) (limit 50)" +print_2title "Writable log files (logrotten) (limit 50)" "T1070.002" print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#logrotate-exploitation" logrotate --version 2>/dev/null || echo_not_found "logrotate" lastWlogFolder="ImPOsSiBleeElastWlogFolder" @@ -31,7 +32,7 @@ print_2title "Writable log files (logrotten) (limit 50)" fi # Check syslog configuration -print_2title "Syslog configuration (limit 50)" +print_2title "Syslog configuration (limit 50)" "T1070.002" if [ -f "/etc/rsyslog.conf" ]; then grep -v "^#" /etc/rsyslog.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50 elif [ -f "/etc/syslog.conf" ]; then @@ -42,7 +43,7 @@ fi # Check auditd configuration -print_2title "Auditd configuration (limit 50)" +print_2title "Auditd configuration (limit 50)" "T1070.002" if [ -f "/etc/audit/auditd.conf" ]; then grep -v "^#" /etc/audit/auditd.conf 2>/dev/null | sed -${E} "s,.*,${SED_RED},g" | head -n 50 else @@ -50,7 +51,7 @@ else fi # Check for log files with weak permissions -print_2title "Log files with potentially weak perms (limit 50)" +print_2title "Log files with potentially weak perms (limit 50)" "T1070.002" find /var/log -type f -ls 2>/dev/null | grep -Ev "root\s+root|root\s+systemd-journal|root\s+syslog|root\s+utmp" | sed -${E} "s,.*,${SED_RED},g" | head -n 50 diff --git a/linPEAS/builder/linpeas_parts/9_interesting_files/9_My_home.sh b/linPEAS/builder/linpeas_parts/9_interesting_files/9_My_home.sh index 0274791..728e70f 100644 
--- a/linPEAS/builder/linpeas_parts/9_interesting_files/9_My_home.sh +++ b/linPEAS/builder/linpeas_parts/9_interesting_files/9_My_home.sh @@ -5,6 +5,7 @@ # Description: Files inside HOME # License: GNU GPL # Version: 1.0 +# Mitre: T1083 # Functions Used: echo_not_found, print_2title # Global Variables: $HOME, $SEARCH_IN_FOLDER # Initial Functions: @@ -14,7 +15,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then - print_2title "Files inside $HOME (limit 20)" + print_2title "Files inside $HOME (limit 20)" "T1083" (ls -la $HOME 2>/dev/null | head -n 23) || echo_not_found echo "" fi \ No newline at end of file diff --git a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh index 717efb1..1b1805c 100644 --- a/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh +++ b/linPEAS/builder/linpeas_parts/linpeas_base/0_variables_base.sh 
@@ -8,7 +8,7 @@ # Functions Used: # Global Variables: # Initial Functions: -# Generated Global Variables: $VERSION, $ADVISORY, $IAMROOT, $MAXPATH_FIND_W, $C, $RED, $SED_RED, $GREEN, $SED_GREEN, $YELLOW, $SED_YELLOW, $RED_YELLOW, $SED_RED_YELLOW, $BLUE, $SED_BLUE, $ITALIC_BLUE, $LIGHT_MAGENTA, $SED_LIGHT_MAGENTA, $LIGHT_CYAN, $SED_LIGHT_CYAN, $LG, $SED_LG, $DG, $SED_DG, $NC, $UNDERLINED, $ITALIC, $MACPEAS, $FAST, $SUPERFAST, $DISCOVERY, $PORTS, $QUIET, $CHECKS, $SEARCH_IN_FOLDER, $ROOT_FOLDER, $WAIT, $PASSWORD, $NOCOLOR, $DEBUG, $AUTO_NETWORK_SCAN, $EXTRA_CHECKS, $REGEXES, $PORT_FORWARD, $E, $PING, $FPING, $DISCOVER_BAN_BAD, $DISCOVER_BAN_GOOD, $SCAN_BAN_GOOD, $NMAP_GOOD, $SCRIPTNAME, $FOUND_BASH, $FOUND_NC, $HOMESEARCH, $GREPHOMESEARCH, $SCAN_BAN_BAD, $HOME, $THREADS, $opt, $HELP, $USER, $TOTAL_T1_TIME, $END_T1_TIME, $START_T1_TIME, $title, $title_len, $max_title_len, $rest_len, $CONT_THREADS, $wgroups, $SEDOVERFLOW, $Wfolders, $Wfolder, $grp, $END_T2_TIME, $TOTAL_T2_TIME, $START_T2_TIME +# Generated Global Variables: $VERSION, $ADVISORY, $IAMROOT, $MAXPATH_FIND_W, $C, $RED, $SED_RED, $GREEN, $SED_GREEN, $YELLOW, $SED_YELLOW, $RED_YELLOW, $SED_RED_YELLOW, $BLUE, $SED_BLUE, $ITALIC_BLUE, $LIGHT_MAGENTA, $SED_LIGHT_MAGENTA, $LIGHT_CYAN, $SED_LIGHT_CYAN, $LG, $SED_LG, $DG, $SED_DG, $NC, $UNDERLINED, $ITALIC, $MACPEAS, $FAST, $SUPERFAST, $DISCOVERY, $PORTS, $QUIET, $CHECKS, $MITRE_FILTER, $SEARCH_IN_FOLDER, $ROOT_FOLDER, $WAIT, $PASSWORD, $NOCOLOR, $DEBUG, $AUTO_NETWORK_SCAN, $EXTRA_CHECKS, $REGEXES, $PORT_FORWARD, $E, $PING, $FPING, $DISCOVER_BAN_BAD, $DISCOVER_BAN_GOOD, $SCAN_BAN_GOOD, $NMAP_GOOD, $SCRIPTNAME, $FOUND_BASH, $FOUND_NC, $HOMESEARCH, $GREPHOMESEARCH, $SCAN_BAN_BAD, $HOME, $THREADS, $opt, $HELP, $USER, $TOTAL_T1_TIME, $END_T1_TIME, $START_T1_TIME, $title, $title_len, $max_title_len, $rest_len, $CONT_THREADS, $wgroups, $SEDOVERFLOW, $Wfolders, $Wfolder, $grp, $END_T2_TIME, $TOTAL_T2_TIME, $START_T2_TIME, $_mitre_tag, $_mitre_filter, $_mitre_base, 
$_mitre_tags_left, $_mitre_filters_left # Fat linpeas: 0 # Small linpeas: 1 @@ -73,6 +73,7 @@ DISCOVERY="" PORTS="" QUIET="" CHECKS="peass{CHECKS}" +MITRE_FILTER="" SEARCH_IN_FOLDER="" ROOT_FOLDER="/" WAIT="" @@ -92,6 +93,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${GREEN} Checks: ${YELLOW} -a${BLUE} Perform all checks: 1 min of processes, su brute, and extra checks. ${YELLOW} -o${BLUE} Only execute selected checks (peass{CHECKS}). Select a comma separated list. + ${YELLOW} -T${BLUE} Only execute checks matching the specified MITRE ATT&CK technique(s).$DG Ex: -T T1057,T1082$BLUE ${YELLOW} -s${BLUE} Stealth & faster (don't check some time consuming checks) ${YELLOW} -e${BLUE} Perform extra enumeration ${YELLOW} -r${BLUE} Enable Regexes (this can take from some mins to hours) @@ -121,7 +123,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user, ${YELLOW} -N${BLUE} Do not use colours ${YELLOW} -z ${BLUE} Set number of threads for background checks (default: auto-detected CPU count, fallback: 2; must be >= 1)$NC" -while getopts "h?asd:p:i:P:qo:LMwNDterf:F:z:" opt; do +while getopts ":h?asd:p:i:P:qo:T:LMwNDterf:F:z:" opt; do case "$opt" in h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;; a) FAST="";EXTRA_CHECKS="1";; @@ -133,6 +135,7 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:z:" opt; do n) NOT_CHECK_EXTERNAL_HOSTNAME="1";; q) QUIET=1;; o) CHECKS=$OPTARG;; + T) MITRE_FILTER=$OPTARG;; L) MACPEAS="";; M) MACPEAS="1";; w) WAIT=1;; @@ -151,6 +154,8 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:F:z:" opt; do F) PORT_FORWARD=$OPTARG;; z) if [ "$OPTARG" -eq "$OPTARG" ] 2>/dev/null && [ "$OPTARG" -ge 1 ] 2>/dev/null; then THREADS=$OPTARG; else echo "WARNING: -z requires an integer >= 1, ignoring." >&2; fi;; + :) echo "ERROR: -$OPTARG requires an argument (e.g. -T T1082,T1552)" >&2; printf "%s\n\n" "$HELP$NC"; exit 1;; + *) echo "ERROR: Unknown option -$OPTARG" >&2; printf "%s\n\n" "$HELP$NC"; exit 1;; esac done 
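Review bot: `T) MITRE_FILTER=$OPTARG;;` stores the filter verbatim, and `check_mitre_filter` later compares each element exactly, so `-T "T1082, T1552"` (space after the comma) or `-T t1082` matches nothing and the run silently prints only section banners. Normalising once at parse time avoids that and keeps the matcher fork-free: `T) MITRE_FILTER=$(printf '%s' "$OPTARG" | tr -d ' \t' | tr '[:lower:]' '[:upper:]');;`. A one-line warning when an element does not look like `T` followed by digits would also catch typos before a long run.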
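Review bot: The new `*)` branch is unreachable: with the leading `:` in the optstring, getopts reports an unrecognised option by setting `opt` to `?`, and the earlier `h|\?)` case consumes it, so an unknown option still prints the help and exits 0 instead of the intended error and exit 1. If `-?` is to remain a help alias, the two cases have to be told apart by `$OPTARG`, which I believe the shell sets only for the invalid-option case — worth verifying under dash and busybox sh since linpeas targets plain sh — e.g. `\?) if [ -n "$OPTARG" ]; then echo "ERROR: Unknown option -$OPTARG" >&2; printf "%s\n\n" "$HELP$NC"; exit 1; fi; printf "%s\n\n" "$HELP$NC"; exit 0;;` with `h)` kept on its own line. Otherwise the `*)` line is dead code and should go.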
@@ -242,6 +247,29 @@ print_title(){ echo "" } +check_mitre_filter(){ + # $1 = comma-separated MITRE technique IDs for this check (e.g. "T1082,T1548.003") + # Returns 0 (run the check) when no filter is active OR when at least one ID matches. + # Parent filters match child techniques (e.g. T1552 matches T1552.001), + # but a child filter must not match a parent-only tag. + # Uses pure parameter-expansion loops — no subprocess forks, POSIX-compliant. + [ -z "$MITRE_FILTER" ] && return 0 + _mitre_tags_left="$1," + while [ -n "$_mitre_tags_left" ]; do + _mitre_tag="${_mitre_tags_left%%,*}" + _mitre_tags_left="${_mitre_tags_left#*,}" + _mitre_base=${_mitre_tag%%.*} + _mitre_filters_left="$MITRE_FILTER," + while [ -n "$_mitre_filters_left" ]; do + _mitre_filter="${_mitre_filters_left%%,*}" + _mitre_filters_left="${_mitre_filters_left#*,}" + [ "$_mitre_filter" = "$_mitre_tag" ] && return 0 + [ "$_mitre_filter" = "$_mitre_base" ] && return 0 + done + done + return 1 +} + print_2title(){ if [ "$DEBUG" ]; then END_T2_TIME=$(date +%s 2>/dev/null) @@ -254,11 +282,19 @@ print_2title(){ START_T2_TIME=$(date +%s 2>/dev/null) fi - printf ${BLUE}"╔══════════╣ $GREEN$1\n"$NC #There are 10 "═" + if [ -n "$2" ]; then + printf ${BLUE}"╔══════════╣ $GREEN$1 ${DG}($2)\n"$NC #There are 10 "═" + else + printf ${BLUE}"╔══════════╣ $GREEN$1\n"$NC #There are 10 "═" + fi } print_3title(){ - printf ${BLUE}"══╣ $GREEN$1\n"$NC #There are 2 "═" + if [ -n "$2" ]; then + printf ${BLUE}"══╣ $GREEN$1 ${DG}($2)\n"$NC #There are 2 "═" + else + printf ${BLUE}"══╣ $GREEN$1\n"$NC #There are 2 "═" + fi } print_3title_no_nl(){ diff --git a/linPEAS/builder/src/linpeasBaseBuilder.py b/linPEAS/builder/src/linpeasBaseBuilder.py index 9ea536f..65f76a2 100644 --- a/linPEAS/builder/src/linpeasBaseBuilder.py +++ b/linPEAS/builder/src/linpeasBaseBuilder.py 
@@ -63,18 +63,45 @@ class LinpeasBaseBuilder: for section_name, section_info in section_checks.items(): # Add 1 time the big section name to check_names to then put it inside linpeas in PEAS_CHECKS_MARKUP if not section_info['name_check'] in check_names: check_names.append(section_info['name_check']) - self.linpeas_base += f"\nif echo $CHECKS | grep -q {section_info['name_check']}; then\n" - self.linpeas_base += f'print_title "{section_name}"\n' - # Sort checks alphabetically to get them in the same order as they are in the folder + # Collect all MITRE IDs declared across every check in this section + section_mitre_ids = [] + for c in section_info["checks"]: + for mid in c.mitre_ids: + if mid not in section_mitre_ids: + section_mitre_ids.append(mid) + section_mitre_str = ",".join(section_mitre_ids) + + # Gate on both CHECKS name and (if MITRE_FILTER active) the section's MITRE IDs. + # check_mitre_filter already returns 0 when MITRE_FILTER is empty, so no extra guard needed. + if section_mitre_str: + self.linpeas_base += f"\nif echo $CHECKS | grep -q {section_info['name_check']}; then\n" + self.linpeas_base += f'if check_mitre_filter "{section_mitre_str}"; then\n' + extra_fi = True + else: + self.linpeas_base += f"\nif echo $CHECKS | grep -q {section_info['name_check']}; then\n" + extra_fi = False + + # Section title does not show MITRE IDs (too verbose); individual checks carry their own tags + self.linpeas_base += f'print_title "{section_name}"\n' section_info["checks"] = sorted(section_info["checks"], key=lambda x: int(os.path.basename(x.path).split('_')[0]) if os.path.basename(x.path).split('_')[0].isdigit() else 99) for check in section_info["checks"]: for func in check.initial_functions: if not func in initial_functions: self.linpeas_base += func + "\n" initial_functions.add(func) - - self.linpeas_base += check.sh_code.strip() + "\n\n" + + # Wrap individual check in MITRE filter if it declares technique IDs + if check.mitre_ids: + mitre_tag_str = 
",".join(check.mitre_ids) + self.linpeas_base += f'if check_mitre_filter "{mitre_tag_str}"; then\n' + self.linpeas_base += check.sh_code.strip() + "\n\n" + self.linpeas_base += "fi\n\n" + else: + self.linpeas_base += check.sh_code.strip() + "\n\n" + + if extra_fi: + self.linpeas_base += "fi\n" self.linpeas_base += f"\nfi\necho ''\necho ''\n" self.linpeas_base += 'if [ "$WAIT" ]; then echo "Press enter to continue"; read "asd"; fi\n' diff --git a/linPEAS/builder/src/linpeasModule.py b/linPEAS/builder/src/linpeasModule.py index 29c5eed..f95c8c1 100644 --- a/linPEAS/builder/src/linpeasModule.py +++ b/linPEAS/builder/src/linpeasModule.py @@ -45,6 +45,7 @@ class LinpeasModule: self.last_update = None self.description = None self.version = None + self.mitre_ids = [] # list of MITRE ATT&CK technique IDs (e.g. ["T1082", "T1548.003"]) self.functions_used = None self.global_variables = None self.initial_functions = None @@ -81,7 +82,12 @@ class LinpeasModule: elif line.startswith("# Version:"): is_description = False self.version = line[11:].strip() - + + elif line.startswith("# Mitre:"): + is_description = False + raw = line[8:].strip() + self.mitre_ids = [t.strip() for t in raw.split(",") if t.strip()] + elif line.startswith("# Functions Used:"): is_description = False self.functions_used = line[17:].split(",") diff --git a/linPEAS/tests/test_builder.py b/linPEAS/tests/test_builder.py index 3dcfdbf..1e040b7 100644 --- a/linPEAS/tests/test_builder.py +++ b/linPEAS/tests/test_builder.py 
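Review bot: The `if echo $CHECKS | grep -q ...` line is emitted identically in both arms of the `if section_mitre_str:` branch; only the `check_mitre_filter` gate and the `extra_fi` flag differ, so the duplication can go: emit the CHECKS gate unconditionally, then `if section_mitre_str: self.linpeas_base += f'if check_mitre_filter "{section_mitre_str}"; then\n'` and `extra_fi = bool(section_mitre_str)`. Also note the semantics this hunk creates for checks without a `# Mitre:` header: under an active filter they still run when their section is selected, but are skipped entirely if every tagged sibling in the section fails the filter, and a section with no tagged checks at all runs unconditionally — a short comment stating this is intentional (or a decision to wrap untagged checks too) would stop it reading as an accident. The `section_mitre_ids` de-duplication loop is `list(dict.fromkeys(mid for c in section_info["checks"] for mid in c.mitre_ids))`.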
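Review bot: The `# Mitre:` values are split on commas and stripped but never validated, and the builder interpolates them verbatim into a double-quoted shell string (`if check_mitre_filter "..."; then`), so a typo such as `T1082;` or a stray `"` in a module header either never matches a filter or breaks the generated script at runtime on the target. Reject anything that is not a technique ID at parse time, e.g. `if not re.fullmatch(r"T\d{4}(?:\.\d{3})?", t): raise ValueError(f"{self.path}: invalid MITRE id {t!r}")` (or at least warn and drop it), so the problem surfaces in the build; `re` may need importing in this module. The `is_description = False` reset matches the other header branches. The enclosing header-parsing loop starts outside this hunk.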
@@ -64,6 +64,72 @@ class LinpeasBuilderTests(unittest.TestCase): self.assertIn("-z ", content, "-z help entry is missing from the built script.") + def test_mitre_flag_present_in_getopts(self): + """The -T flag must appear in the getopts string so it is actually parsed.""" + with tempfile.TemporaryDirectory() as tmpdir: + output_path = Path(tmpdir) / "linpeas.sh" + self._run_builder(["--all-no-fat"], output_path) + content = output_path.read_text(encoding="utf-8", errors="ignore") + getopts_line = next( + (l for l in content.splitlines() + if re.match(r'\s*while\s+getopts\s+[\'"]', l)), + None + ) + self.assertIsNotNone(getopts_line, + "'while getopts' line not found in built script.") + self.assertIn("T:", getopts_line, + "-T: option is missing from the getopts string in the built script.") + + def test_mitre_flag_present_in_help_text(self): + """The -T flag must be documented in the help text of the built script.""" + with tempfile.TemporaryDirectory() as tmpdir: + output_path = Path(tmpdir) / "linpeas.sh" + self._run_builder(["--all-no-fat"], output_path) + content = output_path.read_text(encoding="utf-8", errors="ignore") + self.assertIn("-T", content, + "-T help entry is missing from the built script.") + + def test_mitre_filter_function_present(self): + """check_mitre_filter() must be emitted into the built script.""" + with tempfile.TemporaryDirectory() as tmpdir: + output_path = Path(tmpdir) / "linpeas.sh" + self._run_builder(["--all-no-fat"], output_path) + content = output_path.read_text(encoding="utf-8", errors="ignore") + self.assertIn("check_mitre_filter", content, + "check_mitre_filter function is missing from the built script.") + + def _run_base_mitre_filter(self, mitre_filter, check_ids): + base_file = self.linpeas_dir / "builder" / "linpeas_parts" / "linpeas_base" / "0_variables_base.sh" + result = subprocess.run( + [ + "bash", + "-lc", + ( + f'source "{base_file}" >/dev/null 2>&1 || true; ' + f'MITRE_FILTER="{mitre_filter}"; ' + 
f'check_mitre_filter "{check_ids}"; ' + 'echo $?' + ), + ], + capture_output=True, + text=True, + cwd=str(self.repo_root), + ) + self.assertEqual(result.returncode, 0, result.stderr) + return result.stdout.strip().splitlines()[-1] + + def test_mitre_parent_filter_matches_subtechnique(self): + """Regression: filtering by a base technique must include child sub-techniques.""" + exit_code = self._run_base_mitre_filter("T1552", "T1552.001") + self.assertEqual("0", exit_code, + "Parent MITRE filter T1552 should match sub-technique T1552.001.") + + def test_mitre_subtechnique_filter_does_not_match_parent(self): + """Regression: filtering by a sub-technique must not include a parent-only tag.""" + exit_code = self._run_base_mitre_filter("T1552.001", "T1552") + self.assertEqual("1", exit_code, + "Sub-technique MITRE filter T1552.001 should not match parent tag T1552.") + if __name__ == "__main__": unittest.main() diff --git a/scripts/add_mitre_tags.py b/scripts/add_mitre_tags.py new file mode 100644 index 0000000..1262160 --- /dev/null +++ b/scripts/add_mitre_tags.py 
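Review bot: `_run_base_mitre_filter` runs the probe with `bash -lc` and builds the command by f-string interpolation, which contradicts the "POSIX-compliant, no forks" claim the new `check_mitre_filter` makes and makes the test depend on the developer's login profile. Pass the values as positional parameters to a plain `sh` instead: `["sh", "-c", '. "$1" >/dev/null 2>&1 || true; MITRE_FILTER="$2"; check_mitre_filter "$3"; echo $?', "sh", str(base_file), mitre_filter, check_ids]` — no quoting issues and it exercises dash/ash, which is what most targets run. If the source step fails the function is undefined and the probe prints `127`, so the assertion fails with the misleading "Parent MITRE filter ... should match" message; asserting the captured value is in `{"0", "1"}` first would point at the real cause.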
@@ -0,0 +1,235 @@ +#!/usr/bin/env python3 +""" +Adds # Mitre: metadata and annotates print_2title/print_3title calls +in every LinPEAS check module with the appropriate MITRE ATT&CK technique IDs. +""" + +import os, re, sys + +BASE = os.path.join(os.path.dirname(__file__), "..", "linPEAS", "builder", "linpeas_parts") + +# Mapping: relative path from linpeas_parts → comma-separated MITRE technique IDs +MITRE_MAP = { + # ─── Section 1: System Information ──────────────────────────────────────── + "1_system_information/1_Operative_system.sh": "T1082", + "1_system_information/2_Sudo_version.sh": "T1548.003,T1068", + "1_system_information/3_USBCreator.sh": "T1548.003,T1068", + "1_system_information/4_Path.sh": "T1574.007", + "1_system_information/5_Date.sh": "T1082", + "1_system_information/6_CPU_info.sh": "T1082", + "1_system_information/7_Mounts.sh": "T1082,T1120", + "1_system_information/8_Disks.sh": "T1082", + "1_system_information/9_Disks_extra.sh": "T1082", + "1_system_information/10_Environment.sh": "T1082,T1552.007", + "1_system_information/11_Dmesg.sh": "T1082", + "1_system_information/12_Macos_os_checks.sh": "T1082", + "1_system_information/16_Protections.sh": "T1518.001", + "1_system_information/17_Kernel_Modules.sh": "T1547.006", + "1_system_information/19_Kernel_Exploit_Registry.sh":"T1068", + # ─── Section 2: Container ───────────────────────────────────────────────── + "2_container/1_Container_tools.sh": "T1613", + "2_container/2_List_mounted_tokens.sh": "T1528,T1552.007", + "2_container/3_Container_details.sh": "T1613,T1611", + "2_container/4_Docker_container_details.sh": "T1613", + "2_container/5_Container_breakout.sh": "T1611", + "2_container/7_RW_bind_mounts_nosuid.sh": "T1611", + # ─── Section 3: Cloud ───────────────────────────────────────────────────── + "3_cloud/1_Check_if_in_cloud.sh": "T1580", + "3_cloud/2_AWS_EC2.sh": "T1552.005,T1580", + "3_cloud/3_AWS_ECS.sh": "T1552.005,T1580", + "3_cloud/4_AWS_Lambda.sh": "T1552.005,T1580", + 
"3_cloud/5_AWS_Codebuild.sh": "T1552.005,T1580", + "3_cloud/6_Google_cloud_function.sh": "T1552.005,T1580", + "3_cloud/7_Google_cloud_vm.sh": "T1552.005,T1580", + "3_cloud/8_Azure_VM.sh": "T1552.005,T1580", + "3_cloud/9_Azure_app_service.sh": "T1552.005,T1580", + "3_cloud/10_Azure_automation_account.sh": "T1552.005,T1580", + "3_cloud/11_DO_Droplet.sh": "T1552.005,T1580", + "3_cloud/13_Ali_Cloud.sh": "T1552.005,T1580", + "3_cloud/14_IBM_Cloud.sh": "T1552.005,T1580", + "3_cloud/15_Tencent_Cloud.sh": "T1552.005,T1580", + # ─── Section 4: Processes / Crons / Timers / Services / Sockets ─────────── + "4_procs_crons_timers_srvcs_sockets/1_List_processes.sh": "T1057", + "4_procs_crons_timers_srvcs_sockets/2_Process_cred_in_memory.sh": "T1003.007", + "4_procs_crons_timers_srvcs_sockets/3_Process_binaries_perms.sh": "T1574,T1554", + "4_procs_crons_timers_srvcs_sockets/4_Processes_PPID_different_user.sh":"T1134.004", + "4_procs_crons_timers_srvcs_sockets/5_Files_open_process_other_user.sh":"T1083", + "4_procs_crons_timers_srvcs_sockets/6_Different_procs_1min.sh": "T1057", + "4_procs_crons_timers_srvcs_sockets/7_Cron_jobs.sh": "T1053.003", + "4_procs_crons_timers_srvcs_sockets/8_Macos_launch_agents_daemons.sh": "T1543.001", + "4_procs_crons_timers_srvcs_sockets/9_System_timers.sh": "T1053.003", + "4_procs_crons_timers_srvcs_sockets/10_Services.sh": "T1543.002,T1007", + "4_procs_crons_timers_srvcs_sockets/11_Systemd.sh": "T1543.002", + "4_procs_crons_timers_srvcs_sockets/12_Socket_files.sh": "T1559", + "4_procs_crons_timers_srvcs_sockets/13_Unix_sockets_listening.sh": "T1571,T1049", + "4_procs_crons_timers_srvcs_sockets/14_DBus_analysis.sh": "T1559.001", + "4_procs_crons_timers_srvcs_sockets/15_Rcommands_trust.sh": "T1021.004", + "4_procs_crons_timers_srvcs_sockets/16_Crontab_UI_misconfig.sh": "T1053.003", + "4_procs_crons_timers_srvcs_sockets/17_Deleted_open_files.sh": "T1083", + # ─── Section 5: Network Information ─────────────────────────────────────── + 
"5_network_information/1_Network_interfaces.sh": "T1016", + "5_network_information/2_Hostname_hosts_dns.sh": "T1016,T1018", + "5_network_information/3_Network_neighbours.sh": "T1018,T1040", + "5_network_information/4_Open_ports.sh": "T1049", + "5_network_information/5_Macos_network_capabilities.sh":"T1016", + "5_network_information/6_Macos_network_services.sh": "T1016", + "5_network_information/7_Tcpdump.sh": "T1040", + "5_network_information/8_Iptables.sh": "T1016", + "5_network_information/9_Inetdconf.sh": "T1049", + "5_network_information/10_Macos_hardware_ports.sh": "T1016", + "5_network_information/11_Internet_access.sh": "T1016,T1590", + # ─── Section 6: Users Information ───────────────────────────────────────── + "6_users_information/1_My_user.sh": "T1033", + "6_users_information/1_Macos_my_user_hooks.sh": "T1033,T1543.001", + "6_users_information/2_Macos_user_hooks.sh": "T1543.001", + "6_users_information/3_Macos_keychains.sh": "T1555.001", + "6_users_information/4_Macos_systemkey.sh": "T1555.001", + "6_users_information/5_Pgp_keys.sh": "T1552.004", + "6_users_information/6_Clipboard_highlighted_text.sh":"T1115", + "6_users_information/7_Sudo_l.sh": "T1548.003", + "6_users_information/8_Sudo_tokens.sh": "T1548.003", + "6_users_information/9_Doas.sh": "T1548.003", + "6_users_information/10_Pkexec.sh": "T1548.003,T1548.004,T1068", + "6_users_information/11_Superusers.sh": "T1087.001", + "6_users_information/12_Users_with_console.sh": "T1087.001", + "6_users_information/13_Users_groups.sh": "T1087.001,T1069.001", + "6_users_information/14_Login_now.sh": "T1033", + "6_users_information/15_Last_logons.sh": "T1033", + "6_users_information/17_Password_policy.sh": "T1201", + "6_users_information/18_Brute_su.sh": "T1110.001", + # ─── Section 7: Software Information ────────────────────────────────────── + "7_software_information/1_Useful_software.sh": "T1082", + "7_software_information/2_Compilers.sh": "T1587.001", + 
"7_software_information/3_Macos_writable_installed_apps.sh":"T1574", + "7_software_information/Apache_nginx.sh": "T1552.001", + "7_software_information/Awsvault.sh": "T1552.005", + "7_software_information/Browser_profiles.sh": "T1539,T1217", + "7_software_information/Cached_AD_hashes.sh": "T1003.003", + "7_software_information/Containerd.sh": "T1613", + "7_software_information/Docker.sh": "T1613", + "7_software_information/Dovecot.sh": "T1552.001", + "7_software_information/Extra_software.sh": "T1082", + "7_software_information/FreeIPA.sh": "T1552.001", + "7_software_information/Gitlab.sh": "T1552.001", + "7_software_information/Kcpassword.sh": "T1555.001", + "7_software_information/Kerberos.sh": "T1558.003", + "7_software_information/Log4shell.sh": "T1190", + "7_software_information/Logstash.sh": "T1552.001", + "7_software_information/Mysql.sh": "T1552.001", + "7_software_information/PGP_GPG.sh": "T1552.004", + "7_software_information/PHP_Sessions.sh": "T1552.001", + "7_software_information/Pamd.sh": "T1556.003", + "7_software_information/Postgresql.sh": "T1552.001", + "7_software_information/Postgresql_Event_Triggers.sh":"T1505.001", + "7_software_information/Runc.sh": "T1613,T1611", + "7_software_information/SKey.sh": "T1556", + "7_software_information/Screen_sessions.sh": "T1563", + "7_software_information/Splunk.sh": "T1552.001", + "7_software_information/Ssh.sh": "T1552.004,T1021.004", + "7_software_information/Tmux.sh": "T1563", + "7_software_information/Vault_ssh.sh": "T1552.004", + "7_software_information/YubiKey.sh": "T1556", + # ─── Section 8: Interesting Permissions / Files ──────────────────────────── + "8_interesting_perms_files/1_SUID.sh": "T1548.001", + "8_interesting_perms_files/2_SGID.sh": "T1548.001", + "8_interesting_perms_files/3_Files_ACLs.sh": "T1222", + "8_interesting_perms_files/4_Capabilities.sh": "T1548.001", + "8_interesting_perms_files/5_Users_with_capabilities.sh":"T1548.001", + "8_interesting_perms_files/6_Misconfigured_ldso.sh": 
"T1574.006", + "8_interesting_perms_files/7_Files_etc_profile_d.sh":"T1546.004", + "8_interesting_perms_files/8_Files_etc_init_d.sh": "T1543.002", + "8_interesting_perms_files/9_App_armour_profiles.sh":"T1518.001", + "8_interesting_perms_files/10_Read_creds_files.sh": "T1552.001", + "8_interesting_perms_files/11_Root_files_home_dir.sh":"T1083", + "8_interesting_perms_files/12_Others_files_in_my_dirs.sh":"T1083", + "8_interesting_perms_files/13_Root_readable_files_notworld_readeble.sh":"T1083", + "8_interesting_perms_files/14_Writable_files_owner_all.sh":"T1574.009,T1574.010", + "8_interesting_perms_files/15_Writable_files_group.sh":"T1574.009,T1574.010", + "8_interesting_perms_files/16_IGEL_OS_SUID.sh": "T1548.001", + "8_interesting_perms_files/16_Writable_root_execs.sh":"T1574.009,T1574.010", + # ─── Section 9: Interesting Files ───────────────────────────────────────── + "9_interesting_files/1_Sh_files_in_PATH.sh": "T1574.007", + "9_interesting_files/2_Date_in_firmware.sh": "T1082", + "9_interesting_files/3_Executable_files_by_user.sh": "T1083", + "9_interesting_files/4_Macos_unsigned_apps.sh": "T1204.002", + "9_interesting_files/5_Unexpected_in_opt.sh": "T1083", + "9_interesting_files/6_Unexpected_in_root.sh": "T1083", + "9_interesting_files/7_Modified_last_5mins.sh": "T1083", + "9_interesting_files/8_Writable_log_files.sh": "T1070.002", + "9_interesting_files/9_My_home.sh": "T1083", + "9_interesting_files/10_Others_homes.sh": "T1552.001", + "9_interesting_files/11_Mail_apps.sh": "T1114.001", + "9_interesting_files/12_Mails.sh": "T1114.001", + "9_interesting_files/13_Backup_folders.sh": "T1552.001", + "9_interesting_files/14_Backup_files.sh": "T1552.001", + "9_interesting_files/15_Db_files.sh": "T1005", + "9_interesting_files/16_Macos_downloaded_files.sh": "T1005", + "9_interesting_files/17_Web_files.sh": "T1005", + "9_interesting_files/18_Hidden_files.sh": "T1564.001", + "9_interesting_files/19_Readable_files_tmp_backups.sh":"T1552.001", + 
"9_interesting_files/20_Passwords_history_cmd.sh": "T1552.001", + "9_interesting_files/21_Passwords_history_files.sh": "T1552.001", + "9_interesting_files/22_Passwords_php_files.sh": "T1552.001", + "9_interesting_files/23_Passwords_files_home.sh": "T1552.001", + "9_interesting_files/24_Passwords_TTY.sh": "T1552.001", + "9_interesting_files/25_IPs_logs.sh": "T1083", + "9_interesting_files/26_Mails_addr_inside_logs.sh": "T1114.001", + "9_interesting_files/27_Passwords_in_logs.sh": "T1552.001", + "9_interesting_files/28_Files_with_passwords.sh": "T1552.001", + "9_interesting_files/29_Interesting_environment_variables.sh": "T1552.007,T1082", + # ─── Section 10: API Keys Regex ─────────────────────────────────────────── + "10_api_keys_regex/regexes.sh": "T1552.001,T1528", +} + +VERSION_RE = re.compile(r'^(# Version:.*)', re.MULTILINE) +PRINT2_RE = re.compile(r'''(print_2title\s+"[^"]*")(\s*)$''', re.MULTILINE) +PRINT3_RE = re.compile(r'''(print_3title\s+"[^"]*")(\s*)$''', re.MULTILINE) + +changed = 0 +skipped = 0 + +for rel_path, mitre_ids in MITRE_MAP.items(): + abs_path = os.path.normpath(os.path.join(BASE, rel_path)) + if not os.path.isfile(abs_path): + print(f" SKIP (not found): {rel_path}") + skipped += 1 + continue + + with open(abs_path, "r", encoding="utf-8") as f: + original_text = f.read() + + text = original_text + + # 1. Insert # Mitre: after # Version: if missing, otherwise refresh the existing tag. + if "# Mitre:" not in text: + text = VERSION_RE.sub(rf'\1\n# Mitre: {mitre_ids}', text, count=1) + else: + text = re.sub(r'^# Mitre:.*$', f'# Mitre: {mitre_ids}', text, count=1, flags=re.MULTILINE) + + # 2. 
Annotate print_2title calls that don't already have a 2nd argument + def add_mitre_to_title2(m): + call = m.group(1) + # Skip if already has a 2nd quoted arg after the first + full_line = m.group(0) + if re.search(r'print_2title\s+"[^"]*"\s+"', full_line): + return full_line + return call + f' "{mitre_ids}"' + + text = PRINT2_RE.sub(add_mitre_to_title2, text) + + # 3. Annotate print_3title calls similarly + def add_mitre_to_title3(m): + call = m.group(1) + full_line = m.group(0) + if re.search(r'print_3title\s+"[^"]*"\s+"', full_line): + return full_line + return call + f' "{mitre_ids}"' + + text = PRINT3_RE.sub(add_mitre_to_title3, text) + + if text != original_text: + with open(abs_path, "w", encoding="utf-8") as f: + f.write(text) + changed += 1 + +print(f"\nDone: {changed} files updated, {skipped} skipped.") diff --git a/winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs b/winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs index f510a0c..6c6213a 100644 --- a/winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs +++ b/winPEAS/winPEASexe/Tests/ArgumentParsingTests.cs 
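Review bot: `PRINT2_RE`/`PRINT3_RE` end in `(\s*)$` and the replacement functions return `call + ' "..."'` without group 2, so when a `print_2title` line is followed by a blank line `\s*` consumes the newline before `$` matches at the blank line's end, and the blank line is deleted from the module. Use `([ \t]*)$` so only trailing spaces are consumed. The inner `re.search(r'print_2title\s+"[^"]*"\s+"', ...)` guard can never fire, because the outer pattern only matches when the first quoted argument is at end of line; either drop it or widen the outer pattern to `print_2title\s+"[^"]*"(?:\s+"[^"]*")?` so an existing second argument is detected and refreshed the way the `# Mitre:` header is. The script rewrites tracked files in place with no dry-run; fine for a one-off, but a module docstring line saying it is safe to re-run after `MITRE_MAP` changes would help.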
@@ -16,6 +16,23 @@ namespace winPEAS.Tests return (bool)method.Invoke(null, new object[] { arg }); } + private static bool InvokePassesMitreFilter(string[] checkIds) + { + // Build a minimal ISystemCheck stub whose MitreAttackIds returns checkIds. + var stub = new MitreCheckStub(checkIds); + var method = typeof(winPEAS.Checks.Checks).GetMethod("PassesMitreFilter", BindingFlags.NonPublic | BindingFlags.Static); + Assert.IsNotNull(method, "PassesMitreFilter method not found."); + return (bool)method.Invoke(null, new object[] { stub }); + } + + /// Minimal ISystemCheck stub for PassesMitreFilter reflection tests. + private sealed class MitreCheckStub : winPEAS.Checks.ISystemCheck + { + public MitreCheckStub(string[] ids) { MitreAttackIds = ids; } + public string[] MitreAttackIds { get; } + public void PrintInfo(bool isDebug) { } + } + /// /// Resets all public static Checks fields that arg parsing can mutate, then /// invokes Program.Main with the supplied args followed by "--help" so execution @@ -37,6 +54,7 @@ namespace winPEAS.Tests winPEAS.Checks.Checks.PortScannerPorts = null; winPEAS.Checks.Checks.LinpeasUrl = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh"; winPEAS.Checks.Checks.MaxRegexFileSize = 1000000; + winPEAS.Checks.Checks.MitreFilter.Clear(); var argsWithHelp = args.Concat(new[] { "--help" }).ToArray(); Program.Main(argsWithHelp); 
@@ -101,5 +119,126 @@ namespace winPEAS.Tests Assert.IsNotNull(ports, "PortScannerPorts should not be null"); CollectionAssert.AreEquivalent(new List { 80, 443 }, ports); } + + [TestMethod] + public void MitreFlag_SingleTechnique_ParsedIntoFilter() + { + ParseOnly("mitre=T1082"); + Assert.AreEqual(1, winPEAS.Checks.Checks.MitreFilter.Count, + "mitre=T1082 should add exactly one technique to MitreFilter"); + Assert.IsTrue(winPEAS.Checks.Checks.MitreFilter.Contains("T1082"), + "MitreFilter should contain T1082"); + } + + [TestMethod] + public void MitreFlag_MultipleIds_AllParsedIntoFilter() + { + ParseOnly("mitre=T1082,T1548.002,T1057"); + Assert.AreEqual(3, winPEAS.Checks.Checks.MitreFilter.Count, + "mitre=T1082,T1548.002,T1057 should add three techniques to MitreFilter"); + Assert.IsTrue(winPEAS.Checks.Checks.MitreFilter.Contains("T1082")); + Assert.IsTrue(winPEAS.Checks.Checks.MitreFilter.Contains("T1548.002")); + Assert.IsTrue(winPEAS.Checks.Checks.MitreFilter.Contains("T1057")); + } + + [TestMethod] + public void MitreFlag_CaseInsensitive_IsRecognised() + { + ParseOnly("MITRE=t1082"); + Assert.AreEqual(1, winPEAS.Checks.Checks.MitreFilter.Count, + "MITRE= (upper-case) should be accepted case-insensitively"); + // HashSet uses OrdinalIgnoreCase so both casing variants should be found + Assert.IsTrue(winPEAS.Checks.Checks.MitreFilter.Contains("T1082") || + winPEAS.Checks.Checks.MitreFilter.Contains("t1082")); + } + + [TestMethod] + public void PassesMitreFilter_EmptyFilter_AllChecksPass() + { + winPEAS.Checks.Checks.MitreFilter.Clear(); + Assert.IsTrue(InvokePassesMitreFilter(new[] { "T1082" }), + "An empty MitreFilter should pass every check."); + Assert.IsTrue(InvokePassesMitreFilter(new string[0]), + "An empty MitreFilter should pass a check with no IDs."); + } + + [TestMethod] + public void PassesMitreFilter_ExactMatch_Passes() + { + winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1082"); + 
Assert.IsTrue(InvokePassesMitreFilter(new[] { "T1082" }), + "A check tagged T1082 should pass when filter contains T1082."); + } + + [TestMethod] + public void PassesMitreFilter_NoMatch_Fails() + { + winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1082"); + Assert.IsFalse(InvokePassesMitreFilter(new[] { "T1057" }), + "A check tagged T1057 should not pass when filter only contains T1082."); + } + + [TestMethod] + public void PassesMitreFilter_PrefixMatch_Passes() + { + // Filter on base technique T1552 should match sub-technique T1552.001 + winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1552"); + Assert.IsTrue(InvokePassesMitreFilter(new[] { "T1552.001" }), + "Filter on T1552 should match a check tagged T1552.001 (prefix match)."); + Assert.IsTrue(InvokePassesMitreFilter(new[] { "T1552.005" }), + "Filter on T1552 should match a check tagged T1552.005 (prefix match)."); + } + + [TestMethod] + public void PassesMitreFilter_SubtechniqueDoesNotMatchDifferentBase_Fails() + { + winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1548"); + Assert.IsFalse(InvokePassesMitreFilter(new[] { "T1552.001" }), + "Filter on T1548 must not match T1552.001."); + } + + [TestMethod] + public void PassesMitreFilter_NullMitreAttackIds_PassesThrough() + { + // A check with null MitreAttackIds should NOT be silently excluded + // when a filter is active — it simply has no metadata to match against. + winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1082"); + Assert.IsTrue(InvokePassesMitreFilter(null), + "A check with null MitreAttackIds should pass through (return true) when a filter is active."); + } + + [TestMethod] + public void PassesMitreFilter_EmptyMitreAttackIds_PassesThrough() + { + // A check that declares string[0] should also pass through, not be silently excluded. 
+ winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1082"); + Assert.IsTrue(InvokePassesMitreFilter(new string[0]), + "A check with empty MitreAttackIds should pass through (return true) when a filter is active."); + } + + [TestMethod] + public void PassesMitreFilter_SubtechniqueFilter_DoesNotMatchParentOnlyTag() + { + // filter=T1552.001 (child) must NOT match a check tagged only with T1552 (parent). + // Parent filters may broaden to children, but never the reverse. + winPEAS.Checks.Checks.MitreFilter.Clear(); + winPEAS.Checks.Checks.MitreFilter.Add("T1552.001"); + Assert.IsFalse(InvokePassesMitreFilter(new[] { "T1552" }), + "A sub-technique filter (T1552.001) must not match a check tagged with only the parent (T1552)."); + } + + [TestMethod] + public void MaxRegexFileSize_ArgParsed_Correctly() + { + ParseOnly("max-regex-file-size=500000"); + Assert.AreEqual(500000, winPEAS.Checks.Checks.MaxRegexFileSize, + "max-regex-file-size=500000 should set MaxRegexFileSize to 500000."); + } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs index 79dded0..6de2010 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ActiveDirectoryInfo.cs @@ -14,9 +14,11 @@ namespace winPEAS.Checks // Lightweight AD-oriented checks for common escalation paths (gMSA readable password, AD CS template control) internal class ActiveDirectoryInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1018", "T1087.002", "T1558.003", "T1484.001", "T1649", "T1003" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Active Directory Quick Checks"); + Beaprint.GreatPrint("Active Directory Quick Checks", "T1018,T1087.002,T1558.003,T1484.001,T1649,T1003"); new List { 
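Review bot: The technique list is written twice — once as the `MitreAttackIds` array and again as the literal `"T1018,T1087.002,T1558.003,T1484.001,T1649,T1003"` passed to `Beaprint.GreatPrint` — so the filter metadata and the printed tag can drift on the next edit. Derive the label from the array: `Beaprint.GreatPrint("Active Directory Quick Checks", string.Join(",", MitreAttackIds));`. The same duplication recurs in ApplicationsInfo, BrowserInfo, CloudInfo and EventsInfo in this commit, and the per-section `MainPrint` tags (e.g. `"T1003"` for gMSA) are not cross-checked against the class array, so a unit test asserting every `MainPrint` tag is contained in its class's `MitreAttackIds` would keep them consistent. The `PrintInfo` body continues beyond the hunk.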
@@ -79,7 +81,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("AD object control surfaces"); + Beaprint.MainPrint("AD object control surfaces", "T1484.001,T1087.002,T1018"); Beaprint.LinkPrint( "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#acl-abuse", "Look for objects where you have GenericAll/GenericWrite/attribute rights for ACL abuse (password reset, SPN/UAC/RBCD, sidHistory, delegation, DCSync)."); @@ -669,7 +671,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("gMSA readable managed passwords"); + Beaprint.MainPrint("gMSA readable managed passwords", "T1003"); Beaprint.LinkPrint( "https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html", "Look for Group Managed Service Accounts you can read (msDS-ManagedPassword)"); @@ -757,7 +759,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Kerberoasting / service ticket risks"); + Beaprint.MainPrint("Kerberoasting / service ticket risks", "T1558.003"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/kerberoast.html", "Enumerate weak SPN accounts and legacy Kerberos crypto"); @@ -789,7 +791,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("AD CS misconfigurations for ESC"); + Beaprint.MainPrint("AD CS misconfigurations for ESC", "T1649"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html"); if (!Checks.IsPartOfDomain) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index ac7d181..b95b653 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs 
@@ -7,9 +7,11 @@ namespace winPEAS.Checks { internal class ApplicationsInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1518", "T1547.001", "T1053.005", "T1010", "T1014" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Applications Information"); + Beaprint.GreatPrint("Applications Information", "T1518,T1547.001,T1053.005,T1010,T1014"); new List { @@ -25,7 +27,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Current Active Window Application"); + Beaprint.MainPrint("Current Active Window Application", "T1010"); string title = ApplicationInfoHelper.GetActiveWindowTitle(); List permsFile = PermissionsHelper.GetPermissionsFile(title, Checks.CurrentUserSiDs); List permsFolder = PermissionsHelper.GetPermissionsFolder(title, Checks.CurrentUserSiDs); @@ -55,7 +57,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--"); + Beaprint.MainPrint("Installed Applications --Via Program Files/Uninstall registry--", "T1518"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications", "Check if you can modify installed software"); SortedDictionary> installedAppsPerms = InstalledApps.GetInstalledAppsPerms(); string format = " ==> {0} ({1})"; @@ -101,7 +103,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Autorun Applications"); + Beaprint.MainPrint("Autorun Applications", "T1547.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there)"); List> apps = AutoRuns.GetAutoRuns(Checks.CurrentUserSiDs); 
@@ -188,7 +190,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Scheduled Applications --Non Microsoft--"); + Beaprint.MainPrint("Scheduled Applications --Non Microsoft--", "T1053.005"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html", "Check if you can modify other users scheduled binaries"); List> scheduled_apps = ApplicationInfoHelper.GetScheduledAppsNoMicrosoft(); @@ -237,7 +239,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Device Drivers --Non Microsoft--"); + Beaprint.MainPrint("Device Drivers --Non Microsoft--", "T1014"); // this link is not very specific, but its the best on hacktricks Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers", "Check 3rd party drivers for known vulnerabilities/rootkits."); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs index 0e7b2c3..254bcc7 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/BrowserInfo.cs @@ -10,9 +10,11 @@ namespace winPEAS.Checks { internal class BrowserInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1217", "T1539", "T1555.003" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Browsers Information"); + Beaprint.GreatPrint("Browsers Information", "T1217,T1539,T1555.003"); new List { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs index 7f3cdc6..3fc60b7 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs 
@@ -52,6 +52,9 @@ namespace winPEAS.Checks private static List _systemChecks; private static readonly HashSet _systemCheckSelectedKeysHashSet = new HashSet(); + /// MITRE ATT&CK technique IDs to filter checks (empty = run all). + public static readonly HashSet MitreFilter = new HashSet(StringComparer.OrdinalIgnoreCase); + // github url for Linpeas.sh public static string LinpeasUrl = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh"; @@ -206,7 +209,7 @@ namespace winPEAS.Checks SearchProgramFiles = true; } - if (string.Equals(arg, "max-regex-file-size", StringComparison.CurrentCultureIgnoreCase)) + if (arg.StartsWith("max-regex-file-size=", StringComparison.CurrentCultureIgnoreCase)) { var parts = arg.Split('='); if (parts.Length >= 2 && !string.IsNullOrEmpty(parts[1])) @@ -221,6 +224,17 @@ namespace winPEAS.Checks IsLolbas = true; } + if (arg.StartsWith("mitre=", StringComparison.OrdinalIgnoreCase)) + { + var mitreList = arg.Substring("mitre=".Length); + foreach (var t in mitreList.Split(',')) + { + var trimmed = t.Trim(); + if (!string.IsNullOrEmpty(trimmed)) + MitreFilter.Add(trimmed); + } + } + if (arg.StartsWith("-linpeas", StringComparison.CurrentCultureIgnoreCase)) { IsLinpeas = true; 
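Review bot: `mitre=` accepts any comma-separated token without validation, so a typo like `mitre=T108` or `mitre=1082` adds an entry that can never match and, because untagged checks pass through, the run silently degrades to "only untagged checks" with no hint why. Validate each token before adding it, e.g. `if (!Regex.IsMatch(trimmed, @"^T\d{4}(\.\d{3})?$", RegexOptions.IgnoreCase)) { /* warn via the Beaprint helper this method already uses for bad arguments */ continue; }`. The `OrdinalIgnoreCase` comparison here differs from the `CurrentCultureIgnoreCase` used by the surrounding `StartsWith` checks; ordinal is the better choice, but the mix is worth a comment. The `max-regex-file-size` change from `string.Equals` to `StartsWith("...=")` is a genuine bug fix (the old form could never match an argument carrying a value) and deserves a line in the commit message.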
@@ -404,17 +418,43 @@ namespace winPEAS.Checks return false; } + private static bool PassesMitreFilter(ISystemCheck check) + { + if (MitreFilter.Count == 0) return true; + // No MITRE metadata declared → pass through (don't silently exclude untagged checks). + if (check.MitreAttackIds == null || check.MitreAttackIds.Length == 0) return true; + foreach (var id in check.MitreAttackIds) + { + if (MitreFilter.Contains(id)) return true; + // Also match on just the base technique (e.g. filter "T1552" matches "T1552.001") + var dot = id.IndexOf('.'); + if (dot > 0 && MitreFilter.Contains(id.Substring(0, dot))) return true; + } + return false; + } + private static void RunChecks(bool isAllChecks, bool wait) { + // Pre-compute how many checks will actually execute so we can prompt between + // each one and skip the prompt after the very last executed check. + int totalToRun = _systemChecks.Count(sc => + (_systemCheckSelectedKeysHashSet.Contains(sc.Key) || isAllChecks) && + PassesMitreFilter(sc.Check)); + + int runCount = 0; for (int i = 0; i < _systemChecks.Count; i++) { var systemCheck = _systemChecks[i]; - if (_systemCheckSelectedKeysHashSet.Contains(systemCheck.Key) || isAllChecks) + bool selectedByKey = _systemCheckSelectedKeysHashSet.Contains(systemCheck.Key) || isAllChecks; + bool selectedByMitre = PassesMitreFilter(systemCheck.Check); + + if (selectedByKey && selectedByMitre) { systemCheck.Check.PrintInfo(IsDebug); + runCount++; - if ((i < _systemCheckSelectedKeysHashSet.Count - 1) && wait) + if (wait && runCount < totalToRun) { WaitInput(); } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs index 553084c..47c63d3 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs 
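Review bot: `PassesMitreFilter` filters at the `ISystemCheck` (category) level only, yet the same commit tags every `Beaprint.MainPrint` section with its own technique IDs, so `mitre=T1046` still prints all of `NetworkInfo` (shares, hosts file, firewall rules, …) rather than just the network-scan section — the per-section tags are display-only and nothing in the new code says so. Document that on the filter, e.g. `/// Applies at ISystemCheck granularity; technique IDs passed to MainPrint are informational and do not filter individual sections.`, or state it in the help text. The comment on the untagged pass-through should also spell out its consequence: once `mitre=` is given, a check with no `MitreAttackIds` can never be excluded, so every `ISystemCheck` must be tagged for the filter to mean anything. Note too that `_systemChecks.Count(sc => …)` is the LINQ overload and needs `using System.Linq;` if Checks.cs does not already have it.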
@@ -6,9 +6,11 @@ namespace winPEAS.Checks { internal class CloudInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1552.005", "T1580" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Cloud Information"); + Beaprint.GreatPrint("Cloud Information", "T1552.005,T1580"); Dictionary colorsTraining = new Dictionary() { @@ -44,7 +46,7 @@ namespace winPEAS.Checks { if (cloudInfo.IsCloud) { - Beaprint.MainPrint(cloudInfo.Name + " Enumeration"); + Beaprint.MainPrint(cloudInfo.Name + " Enumeration", "T1552.005,T1580"); if (cloudInfo.IsAvailable) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs index 04049eb..16d6055 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs @@ -11,9 +11,11 @@ namespace winPEAS.Checks { internal class EventsInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1654", "T1078", "T1078.003", "T1552.001", "T1059.001", "T1082" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Interesting Events information"); + Beaprint.GreatPrint("Interesting Events information", "T1654,T1078,T1078.003,T1552.001,T1059.001,T1082"); new List { @@ -29,7 +31,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("PowerShell events - script block logs (EID 4104) - searching for sensitive data.\n"); + Beaprint.MainPrint("PowerShell events - script block logs (EID 4104) - searching for sensitive data.\n", "T1552.001,T1059.001"); var powerShellEventInfos = PowerShell.GetPowerShellEventInfos(); foreach (var info in powerShellEventInfos) @@ -53,7 +55,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Process creation events - searching logs (EID 4688) for sensitive data.\n"); + Beaprint.MainPrint("Process creation events - searching logs (EID 4688) for sensitive data.\n", "T1654"); if (!MyUtils.IsHighIntegrity()) { 
@@ -82,7 +84,7 @@ namespace winPEAS.Checks try { var lastDays = 10; - Beaprint.MainPrint($"Printing Account Logon Events (4624) for the last {lastDays} days.\n"); + Beaprint.MainPrint($"Printing Account Logon Events (4624) for the last {lastDays} days.\n", "T1654,T1078"); if (!MyUtils.IsHighIntegrity()) { @@ -151,7 +153,7 @@ namespace winPEAS.Checks { var lastDays = 30; - Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n"); + Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n", "T1078.003"); if (!MyUtils.IsHighIntegrity()) { @@ -198,7 +200,7 @@ namespace winPEAS.Checks { var lastDays = 5; - Beaprint.MainPrint($"Displaying Power off/on events for last {lastDays} days\n"); + Beaprint.MainPrint($"Displaying Power off/on events for last {lastDays} days\n", "T1082"); var infos = Power.GetPowerEventInfos(lastDays); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs index ffc48d7..17106d5 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs @@ -16,9 +16,11 @@ namespace winPEAS.Checks { private const int ListFileLimit = 70; + public string[] MitreAttackIds { get; } = new[] { "T1552.001", "T1083" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("File Analysis"); + Beaprint.GreatPrint("File Analysis", "T1552.001,T1083"); new List { @@ -140,7 +142,7 @@ namespace winPEAS.Checks { if (!somethingFound) { - Beaprint.MainPrint($"Found {searchName} Files"); + Beaprint.MainPrint($"Found {searchName} Files", "T1552.001"); somethingFound = true; } 
@@ -501,7 +503,7 @@ namespace winPEAS.Checks if (item2.Value.Count > limit) msg += $" (limited to {limit})"; - Beaprint.MainPrint(msg); + Beaprint.MainPrint(msg, "T1552.001"); int cont = 0; foreach (KeyValuePair> item3 in item2.Value) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index 0c4bc34..8fc784e 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -113,9 +113,11 @@ namespace winPEAS.Checks }; + public string[] MitreAttackIds { get; } = new[] { "T1083", "T1552.001", "T1552.002", "T1552.004", "T1552.006", "T1003.002", "T1564.001", "T1574.001", "T1059.004", "T1114.001", "T1218", "T1649" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Interesting files and registry"); + Beaprint.GreatPrint("Interesting files and registry", "T1083,T1552.001,T1552.002,T1552.004,T1552.006,T1003.002,T1564.001,T1574.001,T1059.004,T1114.001,T1218,T1649"); new List { @@ -150,7 +152,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Cloud Credentials"); + Beaprint.MainPrint("Cloud Credentials", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); List> could_creds = KnownFileCredsInfo.ListCloudCreds(); if (could_creds.Count != 0) @@ -175,7 +177,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Unattend Files"); + Beaprint.MainPrint("Unattend Files", "T1552.001"); //Beaprint.LinkPrint(""); List unattended_files = Unattended.GetUnattendedInstallFiles(); foreach (string path in unattended_files) @@ -195,7 +197,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for common SAM & SYSTEM backups"); + Beaprint.MainPrint("Looking for common SAM & SYSTEM backups", "T1003.002"); List sam_files = InterestingFiles.InterestingFiles.GetSAMBackups(); foreach (string path in sam_files) { 
@@ -218,7 +220,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for McAfee Sitelist.xml Files"); + Beaprint.MainPrint("Looking for McAfee Sitelist.xml Files", "T1552.001"); var sitelistFilesInfos = McAfee.GetMcAfeeSitelistInfos(); foreach (var sitelistFilesInfo in sitelistFilesInfos) @@ -266,7 +268,7 @@ namespace winPEAS.Checks void PrintWSLDistributions() { - Beaprint.MainPrint("Looking for Linux shells/distributions - wsl.exe, bash.exe"); + Beaprint.MainPrint("Looking for Linux shells/distributions - wsl.exe, bash.exe", "T1059.004"); List linuxShells = InterestingFiles.InterestingFiles.GetLinuxShells(); string hive = "HKCU"; string basePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss"; @@ -353,7 +355,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Cached GPP Passwords"); + Beaprint.MainPrint("Cached GPP Passwords", "T1552.006"); Dictionary> gpp_passwords = GPP.GetCachedGPPPassword(); Dictionary gppColors = new Dictionary() @@ -381,7 +383,7 @@ namespace winPEAS.Checks string[] passRegHkcu = new string[] { @"Software\ORL\WinVNC3\Password", @"Software\TightVNC\Server", @"Software\SimonTatham\PuTTY\Sessions" }; string[] passRegHklm = new string[] { @"SYSTEM\CurrentControlSet\Services\SNMP" }; - Beaprint.MainPrint("Looking for possible regs with creds"); + Beaprint.MainPrint("Looking for possible regs with creds", "T1552.002"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry"); string winVnc4 = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\RealVNC\WinVNC4", "password"); 
@@ -430,7 +432,7 @@ namespace winPEAS.Checks { pattern_color, Beaprint.ansi_color_bad }, }; - Beaprint.MainPrint("Looking for possible password files in users homes"); + Beaprint.MainPrint("Looking for possible password files in users homes", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); var fileInfos = SearchHelper.SearchUserCredsFiles(); @@ -469,7 +471,7 @@ namespace winPEAS.Checks { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad }, }; - Beaprint.MainPrint("Looking inside the Recycle Bin for creds files"); + Beaprint.MainPrint("Looking inside the Recycle Bin for creds files", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); List> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin(); @@ -505,7 +507,7 @@ namespace winPEAS.Checks { _patternsFileCredsColor, Beaprint.ansi_color_bad }, }; - Beaprint.MainPrint("Searching known files that can contain creds in home"); + Beaprint.MainPrint("Searching known files that can contain creds in home", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials"); var files = SearchHelper.SearchUsersInterestingFiles(); @@ -522,7 +524,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for documents --limit 100--"); + Beaprint.MainPrint("Looking for documents --limit 100--", "T1083"); List docFiles = InterestingFiles.InterestingFiles.ListUsersDocs(); Beaprint.ListPrint(MyUtils.GetLimitedRange(docFiles, 100)); } 
@@ -536,7 +538,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Recent files --limit 70--"); + Beaprint.MainPrint("Recent files --limit 70--", "T1083"); List> recFiles = KnownFileCredsInfo.GetRecentFiles(); Dictionary colorF = new Dictionary() @@ -566,7 +568,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n"); + Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n", "T1552.001"); // check if admin already, if yes, print a message, if not, try to enumerate all files if (MyUtils.IsHighIntegrity()) @@ -684,7 +686,7 @@ namespace winPEAS.Checks var systemDrive = Environment.GetEnvironmentVariable("SystemDrive"); - Beaprint.MainPrint($"Searching hidden files or folders in {systemDrive}\\Users home (can be slow)\n"); + Beaprint.MainPrint($"Searching hidden files or folders in {systemDrive}\\Users home (can be slow)\n", "T1564.001"); foreach (var file in SearchHelper.RootDirUsers) { @@ -726,7 +728,7 @@ namespace winPEAS.Checks private void PrintExecutablesInNonDefaultFoldersWithWritePermissions() { - Beaprint.MainPrint($"Searching executable files in non-default folders with write (equivalent) permissions (can be slow)"); + Beaprint.MainPrint($"Searching executable files in non-default folders with write (equivalent) permissions (can be slow)", "T1574.001"); var systemDrive = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\"; @@ -785,7 +787,7 @@ namespace winPEAS.Checks private static void PrintOracleSQLDeveloperConfigFiles() { - Beaprint.MainPrint($"Searching for Oracle SQL Developer config files\n"); + Beaprint.MainPrint($"Searching for Oracle SQL Developer config files\n", "T1552.001"); var userFolders = User.GetUsersFolders(); 
@@ -817,7 +819,7 @@ namespace winPEAS.Checks private static void PrintMachineAndUserCertificateFiles() { - Beaprint.MainPrint($"Enumerating machine and user certificate files\n"); + Beaprint.MainPrint($"Enumerating machine and user certificate files\n", "T1649,T1552.004"); try { @@ -861,7 +863,7 @@ namespace winPEAS.Checks private static void PrintOutlookDownloads() { - Beaprint.MainPrint("Enumerating Outlook download files\n"); + Beaprint.MainPrint("Enumerating Outlook download files\n", "T1114.001"); try { @@ -897,7 +899,7 @@ namespace winPEAS.Checks { int limit = 50; - Beaprint.MainPrint($"Office Most Recent Files -- limit {limit}\n"); + Beaprint.MainPrint($"Office Most Recent Files -- limit {limit}\n", "T1083"); try { @@ -931,7 +933,7 @@ namespace winPEAS.Checks Beaprint.NoColorPrint($" {mpSub.Key,-40} {mpSub.Value,-50} {formattedDateString}"); } - Beaprint.MainPrint("Enumerating Office 365 endpoints synced by OneDrive.\n"); + Beaprint.MainPrint("Enumerating Office 365 endpoints synced by OneDrive.\n", "T1083"); try { @@ -1007,7 +1009,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for LOL Binaries and Scripts (can be slow)"); + Beaprint.MainPrint("Looking for LOL Binaries and Scripts (can be slow)", "T1218"); Beaprint.LinkPrint("https://lolbas-project.github.io/"); if (!Checks.IsLolbas) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs b/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs index e0f409b..993178e 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ISystemCheck.cs @@ -3,5 +3,11 @@ internal interface ISystemCheck { void PrintInfo(bool isDebug); + + /// + /// MITRE ATT&CK technique IDs associated with this check category + /// (e.g. new[] { "T1082", "T1548.002" }). + /// + string[] MitreAttackIds { get; } } } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs index 8ec4bc5..813907a 100644 
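Review bot: The XML doc on the new `ISystemCheck.MitreAttackIds` member gives an example but not the contract implementers actually depend on: in `Checks.PassesMitreFilter` a `null` or empty array means the check runs regardless of any `mitre=` filter, and a filter entry equal to a base technique (e.g. `T1552`) matches a sub-technique ID such as `T1552.001`. Add that to the summary, e.g. `/// Return null or an empty array to opt out of MITRE filtering (the check then always runs). A base technique ID in the filter matches its sub-techniques.` Because this is an interface property with no default implementation, any `ISystemCheck` implementation not touched by this diff would no longer compile — worth confirming none was missed.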
--- a/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs @@ -25,9 +25,11 @@ namespace winPEAS.Checks { @"\[\:\:\]", Beaprint.ansi_color_bad }, }; + public string[] MitreAttackIds { get; } = new[] { "T1016", "T1049", "T1135", "T1046", "T1018", "T1090" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Network Information"); + Beaprint.GreatPrint("Network Information", "T1016,T1049,T1135,T1046,T1018,T1090"); // Base checklist var checks = new List @@ -56,7 +58,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Network Shares"); + Beaprint.MainPrint("Network Shares", "T1135"); Dictionary colorsN = new Dictionary() { { commonShares, Beaprint.ansi_color_good }, @@ -85,7 +87,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Host File"); + Beaprint.MainPrint("Host File", "T1016"); string[] lines = File.ReadAllLines(@Path.GetPathRoot(Environment.SystemDirectory) + @"\windows\system32\drivers\etc\hosts"); foreach (string line in lines) @@ -106,7 +108,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Network Ifaces and known hosts"); + Beaprint.MainPrint("Network Ifaces and known hosts", "T1016,T1018"); Beaprint.LinkPrint("", "The masks are only for the IPv4 addresses"); foreach (Dictionary card in NetworkInfoHelper.GetNetCardInfo()) { @@ -138,7 +140,7 @@ namespace winPEAS.Checks private void PrintListeningPortsTcp(Dictionary processesByPid) { - Beaprint.MainPrint("Current TCP Listening Ports"); + Beaprint.MainPrint("Current TCP Listening Ports", "T1049"); Beaprint.LinkPrint("", "Check for services restricted from the outside"); PrintListeningPortsTcpIPv4(processesByPid); 
@@ -214,7 +216,7 @@ namespace winPEAS.Checks private void PrintListeningPortsUdp(Dictionary processesByPid) { - Beaprint.MainPrint("Current UDP Listening Ports"); + Beaprint.MainPrint("Current UDP Listening Ports", "T1049"); Beaprint.LinkPrint("", "Check for services restricted from the outside"); PrintListeningPortsUdpIPv4(processesByPid); @@ -298,7 +300,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Firewall Rules"); + Beaprint.MainPrint("Firewall Rules", "T1016"); Beaprint.LinkPrint("", "Showing only DENY rules (too many ALLOW rules always)"); Dictionary colorsN = new Dictionary() { @@ -345,7 +347,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("DNS cached --limit 70--"); + Beaprint.MainPrint("DNS cached --limit 70--", "T1016"); Beaprint.GrayPrint(string.Format(" {0,-38}{1,-38}{2}", "Entry", "Name", "Data")); List> DNScache = NetworkInfoHelper.GetDNSCache(); foreach (Dictionary entry in MyUtils.GetLimitedRange(DNScache, 70)) @@ -363,7 +365,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Enumerate Network Mapped Drives (WMI)"); + Beaprint.MainPrint("Enumerate Network Mapped Drives (WMI)", "T1135"); using (var wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT * FROM win32_networkconnection")) { @@ -394,7 +396,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Enumerating Internet settings, zone and proxy configuration"); + Beaprint.MainPrint("Enumerating Internet settings, zone and proxy configuration", "T1090"); var info = InternetSettings.GetInternetSettingsInfo(); @@ -444,7 +446,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Internet Connectivity"); + Beaprint.MainPrint("Internet Connectivity", "T1016"); Beaprint.LinkPrint("", "Checking if internet access is possible via different methods"); var connectivityInfo = InternetConnectivity.CheckConnectivity(); 
@@ -499,7 +501,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Hostname Resolution"); + Beaprint.MainPrint("Hostname Resolution", "T1016"); Beaprint.LinkPrint("", "Checking if the hostname can be resolved externally"); var resolutionInfo = HostnameResolution.TryExternalCheck(); @@ -524,7 +526,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Network Scan"); + Beaprint.MainPrint("Network Scan", "T1046"); Beaprint.LinkPrint("", "Scanning for alive hosts and open TCP ports (this may take some time)"); var scanner = new NetworkScanner(Checks.NetworkScanOptions, Checks.PortScannerPorts); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/NetworkScanCheck.cs b/winPEAS/winPEASexe/winPEAS/Checks/NetworkScanCheck.cs index 3cc3d8c..f6fe07e 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/NetworkScanCheck.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/NetworkScanCheck.cs @@ -12,6 +12,8 @@ namespace winPEAS.Checks /// internal class NetworkScanCheck : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1046" }; + public void PrintInfo(bool isDebug) { if (!Checks.IsNetworkScan) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs index b5179bf..69017ef 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs @@ -8,9 +8,11 @@ namespace winPEAS.Checks { internal class ProcessInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1057", "T1134.001" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Processes Information"); + Beaprint.GreatPrint("Processes Information", "T1057,T1134.001"); new List { 
@@ -23,7 +25,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Interesting Processes -non Microsoft-"); + Beaprint.MainPrint("Interesting Processes -non Microsoft-", "T1057"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes", "Check if any interesting processes for memory dump or if you could overwrite some binary running"); List> processesInfo = ProcessesInfo.GetProcInfo(); @@ -92,7 +94,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Vulnerable Leaked Handlers"); + Beaprint.MainPrint("Vulnerable Leaked Handlers", "T1134.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers"); List> vulnHandlers = new List>(); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs index 51761e3..b856643 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/RegistryInfo.cs @@ -39,9 +39,11 @@ namespace winPEAS.Checks @"SYSTEM\ControlSet001\Control", }; + public string[] MitreAttackIds { get; } = new[] { "T1012", "T1574.011", "T1056.001" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Registry permissions for hive exploitation"); + Beaprint.GreatPrint("Registry permissions for hive exploitation", "T1012,T1574.011,T1056.001"); new List { @@ -53,7 +55,7 @@ namespace winPEAS.Checks private void PrintTypingInsightsPermissions() { - Beaprint.MainPrint("Cross-user TypingInsights key (HKCU/HKU)"); + Beaprint.MainPrint("Cross-user TypingInsights key (HKCU/HKU)", "T1056.001"); var matches = new List(); var seen = new HashSet(StringComparer.OrdinalIgnoreCase); 
@@ -92,7 +94,7 @@ namespace winPEAS.Checks private void PrintKnownSystemWritableKeys() { - Beaprint.MainPrint("Known HKLM descendants writable by standard users"); + Beaprint.MainPrint("Known HKLM descendants writable by standard users", "T1574.011"); var matches = new List(); foreach (var path in KnownWritableSystemKeyCandidates) @@ -114,7 +116,7 @@ namespace winPEAS.Checks private void PrintHeuristicWritableKeys() { - Beaprint.MainPrint("Sample of additional writable HKLM keys (depth-limited scan)"); + Beaprint.MainPrint("Sample of additional writable HKLM keys (depth-limited scan)", "T1574.011"); var matches = RegistryAclScanner.ScanWritableKeys("HKLM", ScanBasePaths, maxDepth: 3, maxResults: 25); if (matches.Count == 0) diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs index 2209ade..7e751d8 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs @@ -12,9 +12,11 @@ namespace winPEAS.Checks { Dictionary modifiableServices = new Dictionary(); + public string[] MitreAttackIds { get; } = new[] { "T1007", "T1543.003", "T1574.001", "T1574.011", "T1014", "T1068" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Services Information"); + Beaprint.GreatPrint("Services Information", "T1007,T1543.003,T1574.001,T1574.011,T1014,T1068"); /// Start finding Modifiable services so any function could use them @@ -46,7 +48,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Interesting Services -non Microsoft-"); + Beaprint.MainPrint("Interesting Services -non Microsoft-", "T1007"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths"); List> services_info = ServicesInfoHelper.GetNonstandardServices(); 
@@ -125,7 +127,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Modifiable Services"); + Beaprint.MainPrint("Modifiable Services", "T1543.003"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services", "Check if you can modify any service"); if (modifiableServices.Count > 0) { @@ -162,7 +164,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking if you can modify any service registry"); + Beaprint.MainPrint("Looking if you can modify any service registry", "T1574.011"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions", "Check if you can modify the registry of a service"); List> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs); @@ -190,7 +192,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)"); + Beaprint.MainPrint("Checking write permissions in PATH folders (DLL Hijacking)", "T1574.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking", "Check for DLL Hijacking in PATH folders"); Dictionary path_dllhijacking = ServicesInfoHelper.GetPathDLLHijacking(); foreach (KeyValuePair entry in path_dllhijacking) @@ -215,7 +217,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("OEM privileged utilities & risky components"); + Beaprint.MainPrint("OEM privileged utilities & risky components", "T1068"); var findings = OemSoftwareHelper.GetPotentiallyVulnerableComponents(Checks.CurrentUserSiDs); if (findings.Count == 0) 
@@ -261,7 +263,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Kernel drivers with weak/legacy signatures"); + Beaprint.MainPrint("Kernel drivers with weak/legacy signatures", "T1014"); Beaprint.LinkPrint("https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/", "Legacy cross-signed drivers (pre-July-2015) can still grant kernel execution on modern Windows"); @@ -330,7 +332,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("KernelQuick / ValleyRAT rootkit indicators"); + Beaprint.MainPrint("KernelQuick / ValleyRAT rootkit indicators", "T1014"); bool found = false; diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs index 4b3ce80..bb45164 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SoapClientInfo.cs @@ -7,9 +7,11 @@ namespace winPEAS.Checks { internal class SoapClientInfo : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1559", "T1071.001" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint(".NET SOAP Client Proxies (SOAPwn)"); + Beaprint.GreatPrint(".NET SOAP Client Proxies (SOAPwn)", "T1559,T1071.001"); CheckRunner.Run(PrintSoapClientFindings, isDebug); } @@ -18,7 +20,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Potential SOAPwn / HttpWebClientProtocol abuse surfaces"); + Beaprint.MainPrint("Potential SOAPwn / HttpWebClientProtocol abuse surfaces", "T1559,T1071.001"); Beaprint.LinkPrint( "https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/", "Look for .NET services that let attackers control SoapHttpClientProtocol URLs or WSDL imports to coerce NTLM or drop files."); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index 75f2834..c8b9914 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs 
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs @@ -51,9 +51,11 @@ namespace winPEAS.Checks { "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" , "Block executable content from email client and webmail"}, }; + public string[] MitreAttackIds { get; } = new[] { "T1082", "T1068", "T1548.002", "T1003.001", "T1003.004", "T1003.005", "T1059.001", "T1552.001", "T1552.002", "T1562.001", "T1562.002", "T1518.001", "T1557.001", "T1558", "T1559", "T1134.001", "T1547.005", "T1484.001", "T1613", "T1654", "T1072", "T1187" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("System Information"); + Beaprint.GreatPrint("System Information", "T1082,T1068,T1548.002,T1003.001,T1003.004,T1003.005,T1059.001,T1552.001,T1552.002,T1562.001,T1562.002,T1518.001,T1557.001,T1558,T1559,T1134.001,T1547.005,T1484.001,T1613,T1654,T1072,T1187"); new List { @@ -104,7 +106,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Basic System Information"); + Beaprint.MainPrint("Basic System Information", "T1082"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits", "Check if the Windows versions is vulnerable to some known exploit"); Dictionary basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo(); _basicSystemInfo = new Dictionary(basicDictSystem); @@ -126,7 +128,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Windows Version Vulnerabilities"); + Beaprint.MainPrint("Windows Version Vulnerabilities", "T1082,T1068"); var basicInfo = _basicSystemInfo ?? Info.SystemInfo.SystemInfo.GetBasicOSInfo(); var report = WindowsVersionVulns.GetVulnerabilityReport(basicInfo); @@ -187,7 +189,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Showing All Microsoft Updates"); + Beaprint.MainPrint("Showing All Microsoft Updates", "T1082"); var searcher = Type.GetTypeFromProgID("Microsoft.Update.Searcher"); var searcherObj = Activator.CreateInstance(searcher); 
@@ -247,7 +249,7 @@ namespace winPEAS.Checks { "PS history file: .+", Beaprint.ansi_color_bad }, { "PS history size: .+", Beaprint.ansi_color_bad } }; - Beaprint.MainPrint("PowerShell Settings"); + Beaprint.MainPrint("PowerShell Settings", "T1059.001"); Dictionary PSs = Info.SystemInfo.SystemInfo.GetPowerShellSettings(); Beaprint.DictPrint(PSs, colorsPSI, false); } @@ -261,7 +263,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("PS default transcripts history"); + Beaprint.MainPrint("PS default transcripts history", "T1552.001"); Beaprint.InfoPrint("Read the PS history inside these files (if any)"); string drive = Path.GetPathRoot(Environment.SystemDirectory); string transcriptsPath = drive + @"transcripts\"; @@ -330,7 +332,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Audit Settings"); + Beaprint.MainPrint("Audit Settings", "T1562.002"); Beaprint.LinkPrint("", "Check what is being logged"); Dictionary auditDict = Info.SystemInfo.SystemInfo.GetAuditSettings(); Beaprint.DictPrint(auditDict, false); @@ -345,7 +347,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced"); + Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced", "T1562.002"); var policies = AuditPolicies.GetAuditPoliciesInfos(); @@ -373,7 +375,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("WEF Settings"); + Beaprint.MainPrint("WEF Settings", "T1562.002"); Beaprint.LinkPrint("", "Windows Event Forwarding, is interesting to know were are sent the logs"); Dictionary weftDict = Info.SystemInfo.SystemInfo.GetWEFSettings(); Beaprint.DictPrint(weftDict, false); 
@@ -388,7 +390,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("LAPS Settings"); + Beaprint.MainPrint("LAPS Settings", "T1003.004"); Beaprint.LinkPrint("", "If installed, local administrator password is changed frequently and is restricted by ACL"); Dictionary lapsDict = Info.SystemInfo.SystemInfo.GetLapsSettings(); Dictionary colorsSI = new Dictionary() @@ -405,7 +407,7 @@ namespace winPEAS.Checks static void PrintWdigest() { - Beaprint.MainPrint("Wdigest"); + Beaprint.MainPrint("Wdigest", "T1003.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest", "If enabled, plain-text crds could be stored in LSASS"); string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"); if (useLogonCredential == "1") @@ -416,7 +418,7 @@ namespace winPEAS.Checks static void PrintLSAProtection() { - Beaprint.MainPrint("LSA Protection"); + Beaprint.MainPrint("LSA Protection", "T1003.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)"); string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL"); if (useLogonCredential == "1") @@ -427,7 +429,7 @@ namespace winPEAS.Checks static void PrintCredentialGuard() { - Beaprint.MainPrint("Credentials Guard"); + Beaprint.MainPrint("Credentials Guard", "T1003.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard", "If enabled, a driver is needed to read LSASS memory"); string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags"); 
@@ -452,7 +454,7 @@ namespace winPEAS.Checks static void PrintCachedCreds() { try{ - Beaprint.MainPrint("Cached Creds"); + Beaprint.MainPrint("Cached Creds", "T1003.005"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT"); if (!string.IsNullOrEmpty(cachedlogonscount)) @@ -478,7 +480,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("User Environment Variables"); + Beaprint.MainPrint("User Environment Variables", "T1082"); Beaprint.LinkPrint("", "Check for some passwords or keys in the env variables"); Dictionary userEnvDict = Info.SystemInfo.SystemInfo.GetUserEnvVariables(); Dictionary colorsSI = new Dictionary() @@ -497,7 +499,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("System Environment Variables"); + Beaprint.MainPrint("System Environment Variables", "T1082"); Beaprint.LinkPrint("", "Check for some passwords or keys in the env variables"); Dictionary sysEnvDict = Info.SystemInfo.SystemInfo.GetSystemEnvVariables(); Dictionary colorsSI = new Dictionary() @@ -521,11 +523,11 @@ namespace winPEAS.Checks { "ProxyServer.*", Beaprint.ansi_color_bad } }; - Beaprint.MainPrint("HKCU Internet Settings"); + Beaprint.MainPrint("HKCU Internet Settings", "T1082"); Dictionary HKCUDict = Info.SystemInfo.SystemInfo.GetInternetSettings("HKCU"); Beaprint.DictPrint(HKCUDict, colorsSI, true); - Beaprint.MainPrint("HKLM Internet Settings"); + Beaprint.MainPrint("HKLM Internet Settings", "T1082"); Dictionary HKMLDict = Info.SystemInfo.SystemInfo.GetInternetSettings("HKLM"); Beaprint.DictPrint(HKMLDict, colorsSI, true); } 
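Review bot: Both environment-variable hunks (`@@ -478` and `@@ -497`) tag the checks with `T1082` only, while the LinkPrint text right below each says "Check for some passwords or keys in the env variables" — that is an unsecured-credentials check, so a user running the new `mitre=` filter on T1552 would not see it. Consider `Beaprint.MainPrint("User Environment Variables", "T1082,T1552");` and the same for the System hunk; whether the parent ID or a sub-technique is the right spelling depends on how the filter matches IDs, which is not visible here.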
@@ -539,7 +541,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Drives Information"); + Beaprint.MainPrint("Drives Information", "T1082"); Beaprint.LinkPrint("", "Remember that you should search more info inside the other drives"); Dictionary colorsSI = new Dictionary() { @@ -575,7 +577,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("AV Information"); + Beaprint.MainPrint("AV Information", "T1518.001"); Dictionary AVInfo = Info.SystemInfo.SystemInfo.GetAVInfo(); if (AVInfo.ContainsKey("Name") && AVInfo["Name"].Length > 0) Beaprint.GoodPrint(" Some AV was detected, search for bypasses"); @@ -594,7 +596,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("UAC Status"); + Beaprint.MainPrint("UAC Status", "T1548.002"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss", "If you are in the Administrators group check how to bypass the UAC"); Dictionary uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies(); @@ -627,7 +629,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking WSUS"); + Beaprint.MainPrint("Checking WSUS", "T1072,T1068"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus"); string policyPath = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate"; string policyAUPath = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"; @@ -727,7 +729,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking KrbRelayUp"); + Beaprint.MainPrint("Checking KrbRelayUp", "T1187,T1558"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup"); if (Checks.CurrentAdDomainName.Length > 0) 
@@ -750,7 +752,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking If Inside Container"); + Beaprint.MainPrint("Checking If Inside Container", "T1613"); Beaprint.LinkPrint("", "If the binary cexecsvc.exe or associated service exists, you are inside Docker"); Dictionary regVal = RegistryHelper.GetRegValues("HKLM", @"System\CurrentControlSet\Services\cexecsvc"); bool cexecsvcExist = File.Exists(Environment.SystemDirectory + @"\cexecsvc.exe"); @@ -773,7 +775,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking AlwaysInstallElevated"); + Beaprint.MainPrint("Checking AlwaysInstallElevated", "T1548.002"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated"); string path = "Software\\Policies\\Microsoft\\Windows\\Installer"; string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated"); @@ -804,7 +806,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Object Manager race-window amplification primitives"); + Beaprint.MainPrint("Object Manager race-window amplification primitives", "T1068"); Beaprint.LinkPrint("https://projectzero.google/2025/12/windows-exploitation-techniques.html", "Project Zero write-up:"); if (ObjectManagerHelper.TryCreateSessionEvent(out var objectName, out var error)) @@ -827,7 +829,7 @@ namespace winPEAS.Checks private static void PrintNtlmSettings() { - Beaprint.MainPrint($"Enumerating NTLM Settings"); + Beaprint.MainPrint($"Enumerating NTLM Settings", "T1557.001"); try { @@ -903,7 +905,7 @@ namespace winPEAS.Checks private static void PrintPrintNightmarePointAndPrint() { - Beaprint.MainPrint("PrintNightmare PointAndPrint Policies"); + Beaprint.MainPrint("PrintNightmare PointAndPrint Policies", "T1068"); Beaprint.LinkPrint("https://itm4n.github.io/printnightmare-exploitation/", "Check PointAndPrint policy hardening"); try 
@@ -936,7 +938,7 @@ namespace winPEAS.Checks private static void PrintPrintersWMIInfo() { - Beaprint.MainPrint("Enumerating Printers (WMI)"); + Beaprint.MainPrint("Enumerating Printers (WMI)", "T1082"); try { @@ -958,7 +960,7 @@ namespace winPEAS.Checks private static void PrintNamedPipes() { - Beaprint.MainPrint("Enumerating Named Pipes"); + Beaprint.MainPrint("Enumerating Named Pipes", "T1559"); try { @@ -985,7 +987,7 @@ namespace winPEAS.Checks private static void PrintNamedPipeAbuseCandidates() { - Beaprint.MainPrint("Named Pipes with Low-Priv Write Access to Privileged Servers"); + Beaprint.MainPrint("Named Pipes with Low-Priv Write Access to Privileged Servers", "T1134.001,T1559"); try { @@ -1026,7 +1028,7 @@ namespace winPEAS.Checks private void PrintAMSIProviders() { - Beaprint.MainPrint("Enumerating AMSI registered providers"); + Beaprint.MainPrint("Enumerating AMSI registered providers", "T1562.001"); try { @@ -1055,7 +1057,7 @@ namespace winPEAS.Checks private void PrintSysmonConfiguration() { - Beaprint.MainPrint("Enumerating Sysmon configuration"); + Beaprint.MainPrint("Enumerating Sysmon configuration", "T1518.001"); Dictionary colors = new Dictionary { @@ -1088,7 +1090,7 @@ namespace winPEAS.Checks private void PrintSysmonEventLogs() { - Beaprint.MainPrint("Enumerating Sysmon process creation logs (1)"); + Beaprint.MainPrint("Enumerating Sysmon process creation logs (1)", "T1654"); try { @@ -1114,7 +1116,7 @@ namespace winPEAS.Checks private static void PrintWindowsDefenderInfo() { - Beaprint.MainPrint("Windows Defender configuration"); + Beaprint.MainPrint("Windows Defender configuration", "T1518.001"); void DisplayDefenderSettings(WindowsDefenderSettings settings) { @@ -1213,7 +1215,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Installed .NET versions\n"); + Beaprint.MainPrint("Installed .NET versions\n", "T1082"); var info = DotNet.GetDotNetInfo(); 
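Review bot: In the `@@ -1213` hunk the title keeps its embedded trailing newline ("Installed .NET versions\n"), and the rewritten MainPrint prints `{toPrint}{mitreSuffix}` verbatim, so the grey ` (T1082)` suffix lands on the line below the banner instead of next to the title. Drop the newline from the call: `Beaprint.MainPrint("Installed .NET versions", "T1082");`. The enclosing method continues outside the hunk, so if the blank line after the banner was wanted, add an explicit `Console.WriteLine();` there rather than keeping it inside the title.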
@@ -1269,7 +1271,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("System Last Shutdown Date/time (from Registry)\n"); + Beaprint.MainPrint("System Last Shutdown Date/time (from Registry)\n", "T1082"); var shutdownBytes = RegistryHelper.GetRegValueBytes("HKLM", "SYSTEM\\ControlSet001\\Control\\Windows", "ShutdownTime"); if (shutdownBytes != null) @@ -1289,7 +1291,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Enumerate LSA settings - auth packages included\n"); + Beaprint.MainPrint("Enumerate LSA settings - auth packages included\n", "T1547.005"); var settings = RegistryHelper.GetRegValues("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Lsa"); @@ -1342,7 +1344,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Display Local Group Policy settings - local users/machine"); + Beaprint.MainPrint("Display Local Group Policy settings - local users/machine", "T1082"); var infos = GroupPolicy.GetLocalGroupPolicyInfos(); @@ -1369,7 +1371,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)"); + Beaprint.MainPrint("Potential GPO abuse vectors (applied domain GPOs writable by current user)", "T1484.001"); if (!Checks.IsPartOfDomain) { @@ -1457,7 +1459,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry"); + Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry", "T1059.001"); if (!MyUtils.IsHighIntegrity()) { @@ -1488,7 +1490,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Enumerating saved credentials in Registry (CurrentPass)"); + Beaprint.MainPrint("Enumerating saved credentials in Registry (CurrentPass)", "T1552.002"); string currentPass = "CurrentPass"; var hive = "HKLM"; var path = "System"; diff --git a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs index 0804ff4..2609831 100644 
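Review bot: The `@@ -1269` and `@@ -1289` hunks pass titles that end in "\n" ("System Last Shutdown Date/time (from Registry)\n", "Enumerate LSA settings - auth packages included\n"); with the new MainPrint format the MITRE suffix is appended after that newline, so ` (T1082)` / ` (T1547.005)` appear orphaned on the next line. Strip the newline from both calls, e.g. `Beaprint.MainPrint("System Last Shutdown Date/time (from Registry)", "T1082");` and `Beaprint.MainPrint("Enumerate LSA settings - auth packages included", "T1547.005");`. Both enclosing methods continue outside their hunks.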
--- a/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs @@ -34,9 +34,11 @@ namespace winPEAS.Checks static readonly string _badPasswd = "NotChange|NotExpi"; static readonly string _badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege"; + public string[] MitreAttackIds { get; } = new[] { "T1087.001", "T1087.004", "T1033", "T1134.001", "T1115", "T1563.002", "T1083", "T1552.002", "T1201" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Users Information"); + Beaprint.GreatPrint("Users Information", "T1087.001,T1087.004,T1033,T1134.001,T1115,T1563.002,T1083,T1552.002,T1201"); new List { @@ -77,7 +79,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Users"); + Beaprint.MainPrint("Users", "T1087.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups", "Check if you have some admin equivalent privileges"); List usersGrps = User.GetMachineUsers(false, false, false, false, true); @@ -108,7 +110,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Current Token privileges"); + Beaprint.MainPrint("Current Token privileges", "T1134.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation", "Check if you can escalate privilege using some enabled token"); Dictionary tokenPrivs = Token.GetTokenGroupPrivs(); Beaprint.DictPrint(tokenPrivs, ColorsU(), false); @@ -123,7 +125,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Clipboard text"); + Beaprint.MainPrint("Clipboard text", "T1115"); string clipboard = UserInfoHelper.GetClipboardText(); if (!string.IsNullOrEmpty(clipboard)) { 
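Review bot: The `@@ -34,9` hunk keeps the technique list twice — once in the new `MitreAttackIds` array and again as a hand-typed literal in the `GreatPrint` call — so the next person who adds or removes an ID will eventually update one and not the other, and the banner will then disagree with whatever the `mitre=` filter reads from the property. Derive the banner from the array: `Beaprint.GreatPrint("Users Information", string.Join(",", MitreAttackIds));`. The WindowsCreds hunk further down this page has the same duplication and would take the same one-line change.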
@@ -140,7 +142,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Logged users"); + Beaprint.MainPrint("Logged users", "T1033"); List loggedUsers = User.GetLoggedUsers(); Beaprint.ListPrint(loggedUsers, ColorsU()); @@ -155,7 +157,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("RDP Sessions"); + Beaprint.MainPrint("RDP Sessions", "T1563.002"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/credentials-mgmt/rdp-sessions", "Disconnected high-privilege RDP sessions keep reusable tokens inside LSASS."); List> rdp_sessions = UserInfoHelper.GetRDPSessions(); if (rdp_sessions.Count > 0) @@ -230,7 +232,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Ever logged users"); + Beaprint.MainPrint("Ever logged users", "T1033"); List everLogged = User.GetEverLoggedUsers(); Beaprint.ListPrint(everLogged, ColorsU()); } @@ -244,7 +246,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Home folders found"); + Beaprint.MainPrint("Home folders found", "T1083"); List user_folders = User.GetUsersFolders(); foreach (string ufold in user_folders) { @@ -269,7 +271,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for AutoLogon credentials"); + Beaprint.MainPrint("Looking for AutoLogon credentials", "T1552.002"); bool ban = false; Dictionary autologon = UserInfoHelper.GetAutoLogon(); if (autologon.Count > 0) @@ -307,7 +309,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Password Policies"); + Beaprint.MainPrint("Password Policies", "T1201"); Beaprint.LinkPrint("", "Check for a possible brute-force"); List> PPy = UserInfoHelper.GetPasswordPolicy(); Beaprint.DictPrint(PPy, ColorsU(), false); @@ -322,7 +324,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Print Logon Sessions"); + Beaprint.MainPrint("Print Logon Sessions", "T1033"); var logonSessions = LogonSessions.GetLogonSessions(); 
@@ -355,7 +357,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Current User Idle Time"); + Beaprint.MainPrint("Current User Idle Time", "T1033"); var lastInputInfo = new LastInputInfo(); lastInputInfo.Size = (uint)Marshal.SizeOf(lastInputInfo); @@ -380,7 +382,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Display information about local users"); + Beaprint.MainPrint("Display information about local users", "T1087.001"); var computerName = Environment.GetEnvironmentVariable("COMPUTERNAME"); @@ -433,7 +435,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Display Tenant information (DsRegCmd.exe /status)"); + Beaprint.MainPrint("Display Tenant information (DsRegCmd.exe /status)", "T1087.004"); var info = Tenant.GetTenantInfo(); diff --git a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs index bd25970..01c9890 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/WindowsCreds.cs @@ -19,9 +19,11 @@ namespace winPEAS.Checks { internal class WindowsCreds : ISystemCheck { + public string[] MitreAttackIds { get; } = new[] { "T1552.001", "T1552.002", "T1555.003", "T1555.004", "T1558", "T1547.005", "T1563.002" }; + public void PrintInfo(bool isDebug) { - Beaprint.GreatPrint("Windows Credentials"); + Beaprint.GreatPrint("Windows Credentials", "T1552.001,T1552.002,T1555.003,T1555.004,T1558,T1547.005,T1563.002"); new List { @@ -47,7 +49,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking Windows Vault"); + Beaprint.MainPrint("Checking Windows Vault", "T1555.004"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault"); var vaultCreds = VaultCli.DumpVault(); 
@@ -67,7 +69,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking Credential manager"); + Beaprint.MainPrint("Checking Credential manager", "T1555.004"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault"); var colorsC = new Dictionary() @@ -113,7 +115,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Saved RDP connections"); + Beaprint.MainPrint("Saved RDP connections", "T1552.002"); List> rdps_info = RemoteDesktop.GetSavedRDPConnections(); if (rdps_info.Count > 0) @@ -138,7 +140,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Recently run commands"); + Beaprint.MainPrint("Recently run commands", "T1552.002"); Dictionary recentCommands = KnownFileCredsInfo.GetRecentRunCommands(); Beaprint.DictPrint(recentCommands, false); } @@ -152,7 +154,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking for DPAPI Master Keys"); + Beaprint.MainPrint("Checking for DPAPI Master Keys", "T1555.003"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi"); var masterKeys = KnownFileCredsInfo.ListMasterKeys(); @@ -180,7 +182,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking for DPAPI Credential Files"); + Beaprint.MainPrint("Checking for DPAPI Credential Files", "T1555.003"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi"); var credFiles = KnownFileCredsInfo.GetCredFiles(); Beaprint.DictPrint(credFiles, false); 
@@ -200,7 +202,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Checking for RDCMan Settings Files"); + Beaprint.MainPrint("Checking for RDCMan Settings Files", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager", "Dump credentials from Remote Desktop Connection Manager"); var rdcFiles = RemoteDesktop.GetRDCManFiles(); @@ -221,7 +223,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for Kerberos tickets"); + Beaprint.MainPrint("Looking for Kerberos tickets", "T1558"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html"); var kerberosTickets = Kerberos.ListKerberosTickets(); @@ -237,7 +239,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for Kerberos TGT tickets"); + Beaprint.MainPrint("Looking for Kerberos TGT tickets", "T1558"); var kerberosTgts = Kerberos.GetKerberosTGTData(); Beaprint.DictPrint(kerberosTgts, false); } @@ -251,7 +253,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking for saved Wifi credentials"); + Beaprint.MainPrint("Looking for saved Wifi credentials", "T1552.001"); WlanClient wlanClient = new WlanClient(); @@ -306,7 +308,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking AppCmd.exe"); + Beaprint.MainPrint("Looking AppCmd.exe", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe"); var appCmdPath = Environment.ExpandEnvironmentVariables(@"%systemroot%\system32\inetsrv\appcmd.exe"); 
@@ -367,7 +369,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Looking SSClient.exe"); + Beaprint.MainPrint("Looking SSClient.exe", "T1552.001"); Beaprint.LinkPrint("https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm"); if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe"))) @@ -389,7 +391,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Enumerating SSCM - System Center Configuration Manager settings"); + Beaprint.MainPrint("Enumerating SSCM - System Center Configuration Manager settings", "T1552.001"); var server = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\CCMSetup", "LastValidMP"); var siteCode = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\SMS\Mobile Client", "AssignedSiteCode"); @@ -412,7 +414,7 @@ namespace winPEAS.Checks private static void PrintSecurityPackagesCredentials() { - Beaprint.MainPrint("Enumerating Security Packages Credentials"); + Beaprint.MainPrint("Enumerating Security Packages Credentials", "T1547.005"); try { @@ -445,7 +447,7 @@ namespace winPEAS.Checks { try { - Beaprint.MainPrint("Remote Desktop Server/Client Settings"); + Beaprint.MainPrint("Remote Desktop Server/Client Settings", "T1563.002"); var info = Info.WindowsCreds.RemoteDesktop.GetRDPSettingsInfo(); diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index e716166..ceebd2f 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs 
@@ -142,6 +142,7 @@ namespace winPEAS.Helpers Console.WriteLine(); Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR); Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); + Console.WriteLine(LCYAN + " mitre=T1082,T1548" + GRAY + $" Only run checks matching the specified MITRE ATT&CK technique IDs (comma-separated)" + NOCOLOR); Console.WriteLine(LCYAN + " searchpf" + GRAY + " Search credentials via regex also in Program Files folders" + NOCOLOR); Console.WriteLine(LCYAN + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR); Console.WriteLine(LCYAN + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR); 
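Review bot: The new help line does not say whether a parent technique such as the example's `T1548` also selects checks tagged with sub-techniques like `T1548.002` (which is how UAC Status and AlwaysInstallElevated are tagged in this commit), and that is exactly what a user typing the example needs to know; please state it either way, e.g. `"  Only run checks tagged with the given MITRE ATT&CK technique IDs (comma-separated; a parent ID such as T1548 also matches its sub-techniques)"` if that is what the matcher does. The `$` prefix on that string is also unneeded, as it contains no interpolation holes — the neighbouring lines are plain string literals.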
@@ -166,25 +167,22 @@ namespace winPEAS.Helpers ///////////////////////////////// /// DIFFERENT PRINT FUNCTIONS /// ///////////////////////////////// - public static void GreatPrint(string toPrint) + public static void GreatPrint(string toPrint, string mitreIds = null) { // print_title - Console.WriteLine(); Console.WriteLine(); - int halfTotal = 60; - //Console.WriteLine(LCYAN + " " + new String('=', halfTotal - toPrint.Length) + "(" + NOCOLOR + YELLOW + toPrint + LCYAN + ")" + new String('=', halfTotal - toPrint.Length) + NOCOLOR); - Console.WriteLine($"{LCYAN}════════════════════════════════════╣ {GREEN}{toPrint}{LCYAN} ╠════════════════════════════════════{NOCOLOR}"); + string mitreSuffix = string.IsNullOrEmpty(mitreIds) ? "" : $" {DGRAY}({mitreIds}){LCYAN}"; + Console.WriteLine($"{LCYAN}════════════════════════════════════╣ {GREEN}{toPrint}{mitreSuffix}{LCYAN} ╠════════════════════════════════════{NOCOLOR}"); } - public static void MainPrint(string toPrint) + public static void MainPrint(string toPrint, string mitreIds = null) { // print_2title - Console.WriteLine(); - //Console.WriteLine(YELLOW + " [+] " + GREEN + toPrint + NOCOLOR); - Console.WriteLine($"{LCYAN}╔══════════╣ {GREEN}{toPrint}{NOCOLOR}"); + string mitreSuffix = string.IsNullOrEmpty(mitreIds) ? "" : $" {DGRAY}({mitreIds}){NOCOLOR}"; + Console.WriteLine($"{LCYAN}╔══════════╣ {GREEN}{toPrint}{mitreSuffix}{NOCOLOR}"); } public static void LinkPrint(string link, string comment = "")
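Review bot: Besides adding the `mitreIds` parameter, this hunk removes the leading `Console.WriteLine();` from MainPrint and one of the two from GreatPrint, which changes the vertical spacing of every section in the output — unrelated to MITRE tagging and not mentioned anywhere; if it is intentional, say so in the commit message, otherwise restore `Console.WriteLine();` as the first statement of MainPrint. Separately, the suffix is concatenated straight after `toPrint`, so the three call sites in SystemInfo.cs whose titles end in "\n" now print ` (T1082)` / ` (T1547.005)` on the line after the banner; either fix those callers or have MainPrint use `toPrint.TrimEnd('\n')` for the title and re-emit the newline after the suffix.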