import getpass
import time
import os
import pexpect
from pexpect import pxssh
##############################
# GLOBAL VARIABLES
##############################
# Timestamp baked into every report file name ("YYYY-MM-DD-Hhh-Mmm"). It is taken
# once, at import time, so every report written during one run shares the stamp.
_STAMP_FORMAT = "%Y-%m-%d-H%H-M%M"
date = time.strftime(_STAMP_FORMAT)
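# Shown after every enumeration run; answered with a single "y" or "n".
_SAVE_PROMPT = "Do you want to append this to a file y/n?\n> "
# Printed when the SSH login fails (wrong host, unreachable host, bad credentials).
_CONNECT_FAILED = "Could not connect. Check Host/Credentials."


def _open_session(hostname, user, password):
    """Log in to *hostname* as *user* over SSH and return the live pxssh session.

    Raises pexpect.ExceptionPexpect (pxssh.ExceptionPxssh is a subclass of it)
    when the login does not succeed; the caller decides how to report that.

    NOTE(review): pxssh() is created without encoding=, so under Python 3
    ``session.before`` would be bytes and the str concatenation done by the
    callers would fail. The script as written targets Python 2 (raw_input).
    """
    print("Attempting to connect...")
    session = pxssh.pxssh()
    session.login(hostname, user, password)
    print("Connected!")
    return session


def _run(session, command):
    """Send *command* on *session* and return what came back before the next prompt."""
    session.sendline(command)
    session.prompt()
    return session.before


def _close_session(session):
    """Log out and release *session*, tolerating a link that has already dropped."""
    try:
        session.logout()
    except pexpect.ExceptionPexpect:
        pass  # connection already gone; there is nothing left to log out of
    finally:
        session.close()


def _write_report(path, output):
    """Write *output* to *path*, creating the file owner-read/write only.

    A report can contain /etc/shadow hashes, authorized_keys entries and shell
    history, so the file is created 0600 instead of inheriting the umask.
    The file is truncated ("w"): a second run in the same minute against the
    same host overwrites the first report rather than appending to it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(output)
    print(path + " log file created!")


def _offer_save(prefix, hostname, output):
    """Ask the operator whether to keep *output*; if so write ``<prefix>-<date>-<hostname>``.

    The file name is built from the operator-typed hostname and lands in the
    current working directory; no sanitisation is applied beyond what the OS
    enforces, so the operator's own input decides the path.
    """
    option = raw_input(_SAVE_PROMPT)
    if option == "y":
        _write_report(prefix + "-" + date + "-" + hostname, output)
    elif option == "n":
        pass
    else:
        print("Invalid Option.")


def _collect_report(hostname, user, password, title, prefix, sections):
    """Run a fixed list of read-only commands over one SSH session and report the result.

    Args:
        hostname, user, password: SSH target and the credentials to use.
        title: first line(s) of the report.
        prefix: file-name prefix used when the operator chooses to save.
        sections: list of ``(heading, [command, ...])`` pairs; each command's
            captured output is appended under its heading, in order.

    Every command runs with the privileges of *user*; files such as
    /etc/shadow typically come back as a permission error for a non-root
    account, and that error text is kept in the report rather than hidden.
    Only pexpect/pxssh failures are caught: a login failure prints
    _CONNECT_FAILED and returns; a session that drops mid-run prints what was
    gathered so far instead of discarding it. Anything else (KeyboardInterrupt,
    a write error while saving) propagates, which the original bare ``except``
    used to swallow as "could not connect".
    """
    try:
        session = _open_session(hostname, user, password)
    except pexpect.ExceptionPexpect:
        print(_CONNECT_FAILED)
        return
    output = title
    try:
        for heading, commands in sections:
            output += heading
            for command in commands:
                output += _run(session, command)
    except pexpect.ExceptionPexpect:
        print("Session dropped before enumeration finished; partial output follows.")
    finally:
        # Always release the session, even if a command timed out.
        _close_session(session)
    print(output)
    _offer_save(prefix, hostname, output)


def enum_system(hostname, user, password):
    """Basic host identity: hostname, kernel string, uptime and mounted filesystems."""
    _collect_report(
        hostname, user, password,
        "\n--- SYSTEM INFORMATION ---\n\n", "system",
        [
            ("\n--- HOSTNAME ---\n", ["hostname"]),
            ("\n--- UNAME A ---\n", ["uname -a"]),
            ("\n--- SYSTEM UPTIME ---\n", ["uptime"]),
            ("\n--- MOUNT ---\n", ["mount"]),
        ],
    )


def enum_user(hostname, user, password):
    """Account review: sessions, login history, local accounts/groups, sudoers, UID-0 accounts.

    Two commands were typos in the original (``/etc/password`` for
    ``/etc/passwd`` and ``/etc/groups`` for ``/etc/group``) and the
    authorized_keys output was captured but never added to the report.
    """
    _collect_report(
        hostname, user, password,
        "--- USER INFORMATION ---\n", "user",
        [
            ("\n--- VIEW LOGGED IN USERS ---\n", ["w"]),
            ("\n--- SHOW IF A USER HAS EVER LOGGED IN REMOTELY ---\n", ["lastlog", "last"]),
            ("\n--- VIEW FAILED LOGINS ---\n", ["faillog -a"]),
            ("\n--- VIEW LOCAL USER ACCOUNTS ---\n", ["cat /etc/passwd", "cat /etc/shadow"]),
            ("\n--- VIEW LOCAL GROUPS ---\n", ["cat /etc/group"]),
            ("\n--- VIEW SUDO ACCESS ---\n", ["cat /etc/sudoers"]),
            ("\n--- VIEW ACCOUNTS WITH UID 0 ---\n", [
                "awk -F: '($3 == '0') {print}' /etc/passwd",
                "egrep ':0+' /etc/passwd",
            ]),
            ("\n--- VIEW ROOT AUTHORIZED SSH KEY AUTHENTICATIONS ---\n",
             ["cat /root/.ssh/authorized_keys"]),
            ("\n--- LIST OF FILES OPENED BY ROOT ---\n", ["lsof -u root"]),
            ("\n--- VIEW THE ROOT USER BASH HISTORY ---\n", ["cat /root/.bash_history"]),
        ],
    )


def enum_network(hostname, user, password):
    """Interfaces, sockets, listening ports, routing table and the processes behind sockets.

    The ``route`` output was captured but never added to the report in the
    original; the saved file name also lacked the "-" separator the other
    reports use, which is now consistent ("network-<date>-<hostname>").
    """
    _collect_report(
        hostname, user, password,
        "--- NETWORK INFO ---\n\n", "network",
        [
            ("\n--- VIEW NETWORK INTERFACES ---\n", ["ifconfig"]),
            ("\n--- VIEW NETWORK CONNECTIONS ---\n", ["netstat -antup", "netstat -plantux"]),
            ("\n--- VIEW LISTENING PORTS ---\n", ["netstat -nap"]),
            ("\n--- VIEW ROUTES ---\n", ["route"]),
            ("\n--- LIST OF PROCESSES LISTENING ON PORTS ---\n", ["lsof -i"]),
        ],
    )


def enum_service(hostname, user, password):
    """Open files, network-using processes, /proc listing and the full process table."""
    _collect_report(
        hostname, user, password,
        "--- SERVICE INFO ---\n\n", "service",
        [
            ("\n--- LIST OF OPEN FILES ---\n", ["lsof"]),
            # Heading was missing its trailing newline in the original.
            ("\n--- LIST OF OPEN FILES, USING THE NETWORK ---\n",
             ["lsof -nPi | cut -f 1 -d ' ' | uniq | tail -n +2"]),
            ("\n--- LIST OF PROC DIR ---\n", ["ls -lah /proc/*"]),
            ("\n--- PROCESS LIST ---\n", ["ps -aux"]),
        ],
    )


def enum_pol_pat_set(hostname, user, password):
    """PAM configuration (the only policy/patch check implemented so far)."""
    _collect_report(
        hostname, user, password,
        "--- POLICY, PATCH AND SETTINGS INFORMATION ---\n\n", "policy",
        [
            ("\n--- VIEW PAM.D FILES ---\n", ["cat /etc/pam.d/common*"]),
        ],
    )


def enum_auto(hostname, user, password):
    """Scheduled jobs: the login user's crontab, root's crontab, system crontab and cron dirs."""
    _collect_report(
        hostname, user, password,
        "--- AUTORUN AND AUTOLOAD INFORMATION ---\n\n", "crons",
        [
            ("\n--- LIST CRON JOBS ---\n", ["crontab -l"]),
            ("\n--- LIST CRON JOBS BY ROOT AND OTHER UID 0 ACCOUNTS ---\n", ["crontab -u root -l"]),
            ("\n--- REVIEW FOR UNUSUAL CRON JOBS ---\n", ["cat /etc/crontab", "ls /etc/cron.*"]),
        ],
    )


def enum_log(hostname, user, password):
    """Shell history for root and every /home user, plus the last-login record.

    The original printed only the last command's output (``s.before``) to the
    terminal instead of the assembled report; the report is now printed.
    """
    _collect_report(
        hostname, user, password,
        "--- LOGS ---\n", "logs",
        [
            ("\n--- VIEW USER COMMAND HISTORY ---\n",
             ["cat /root/.bash_history", "cat /home/*/.bash_history"]),
            ("\n--- VIEW LAST LOGINS ---\n", ["last"]),
        ],
    )


def enum_file_shares(hostname, user, password):
    """Disk usage, /etc/init.d and /root listings, immutable files, recent and world-writable items.

    The "/etc/init.d" section ran a bare ``ls -lah`` (the login user's home
    directory) in the original; it now lists the directory the heading names.
    The ``find`` expression selects world-writable *directories* without the
    sticky bit, despite the heading saying "files".
    """
    _collect_report(
        hostname, user, password,
        "--- FILES, DRIVES AND SHARES INFORMATION ---\n", "files",
        [
            ("\n--- VIEW DISK SPACE ---\n", ["df -ah"]),
            ("\n--- VIEW DIRECTORY LISTING FOR /etc/init.d ---\n", ["ls -lah /etc/init.d"]),
            ("\n--- LOOK FOR IMMUTABLE FILES ---\n", ["lsattr -R / 2>/dev/null | grep '\\-i-'"]),
            ("\n--- VIEW DIRECTORY LISTING FOR /ROOT ---\n", ["ls -lah /root"]),
            # TODO(original author): pick directories where a "recently modified"
            # listing is more meaningful than the login user's home directory.
            ("\n--- LOOK FOR FILES RECENTLY MODIFIED IN INTERESTING DIRS ---\n", ["ls -alt | head"]),
            # Raw string: the backslashes are for the remote shell, not Python.
            ("\n--- LOOK FOR WORLD WRITABLE FILES ---\n",
             [r"find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print"]),
        ],
    )


# Custom command function that enables the user to run any command with logging features
def enum_cust(hostname, user, password):
    """Interactive command loop over one SSH session, optionally recorded to a file.

    The operator types commands until "x". With recording on, each command's
    captured output is appended to the transcript (separated by a blank line)
    and written to ``custom-<date>-<hostname>`` when the loop ends — also
    after a dropped session, so nothing already gathered is lost. Commands
    run with *user*'s privileges exactly as typed. The session is always
    closed, including on an invalid y/n answer (the original left it open).

    NOTE(review): only ``session.before`` is stored, so whether the typed
    command itself appears in the transcript depends on the remote echo —
    confirm before relying on the file as an audit trail.
    """
    output = "--- CUSTOM COMMANDS ---\n\n"
    try:
        session = _open_session(hostname, user, password)
    except pexpect.ExceptionPexpect:
        print(_CONNECT_FAILED)
        return
    option = raw_input("Do you want to record session y/n?\n>")
    if option not in ("y", "n"):
        print("Invalid Option.")
        _close_session(session)
        return
    record = option == "y"
    try:
        while True:
            command = raw_input("Type x to quit\nCommand> ")
            if command == "x":
                print("Goodbye.")
                break
            result = _run(session, command)
            print(result)
            if record:
                # Blank lines between commands for ease of reading.
                output += result + "\n\n"
    except pexpect.ExceptionPexpect:
        print("Session dropped; ending custom command mode.")
    finally:
        _close_session(session)
    if record:
        _write_report("custom-" + date + "-" + hostname, output)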
def logo():
    """Print the banner shown above every menu (art spacing as rendered in this copy)."""
    print('''
___ _ ___ ___ ____ _ _ _ _ _ _
|__] | | | |___ |\ | | | |\/|
| | | | |___ | \| |__| | |
--------------------------------------------------------------
Welcome to the Remote Linux SSH Enumeration Script!
--------------------------------------------------------------
www.ZeroAptitude.com - 'Z-APT' by Pitticus
--------------------------------------------------------------
''')
def options(hostname, user):
    """Print the numbered menu, headed by the host and account currently in use.

    Only the display lives here; the selection is read and dispatched by menu().
    """
    print('''
Enumerating Host: %s
User: %s
1). System Information
2). User Information
3). Network Information
4). Service Information
5). Policy, Patch and Settings Information
6). Autorun and Autoload Information
7). Logs (Root User CMD History & Last Logins)
8). Files, Drives and Shares Information
9). Custom Command Execution (Optional Logging)
10). Change Host & Credentials
q). Quit
''' % (hostname, user))
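def menu(hostname, user, password):
    """Show banner and menu in a loop and run the chosen enumeration until the operator quits.

    Options "1"-"9" dispatch to the enum_* functions with the stored
    credentials. "10" re-runs main() to take a new host and credentials; note
    that this starts a fresh menu on top of the current one rather than
    replacing it, so each change of host nests one level deeper. "q" ends the
    process via SystemExit.
    """
    handlers = {
        "1": enum_system,
        "2": enum_user,
        "3": enum_network,
        "4": enum_service,
        "5": enum_pol_pat_set,
        "6": enum_auto,
        "7": enum_log,
        "8": enum_file_shares,
        "9": enum_cust,
    }
    while True:
        # Redraw banner and options every pass so the menu is always visible.
        logo()
        options(hostname, user)
        option = raw_input("> ")
        handler = handlers.get(option)
        if handler is not None:
            handler(hostname, user, password)
        elif option == "10":
            main()
        elif option == "q":
            print("Goodbye.")
            # Raise SystemExit directly: the site-provided exit() builtin is
            # absent when Python runs with -S.
            raise SystemExit(0)
        else:
            print("Invalid Option")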
# Entry point: collects the target host and the account credentials once and
# passes them down to menu(), which hands them to every enum_* function.
def main():
    """Prompt for host, username and password, clear the screen, then open the menu."""
    logo()
    target = raw_input("What host do you want to enumerate?\nHostname: ")
    account = raw_input("Enter user for host\nUsername: ")
    # getpass keeps the password off the terminal echo; it is still held in
    # memory as a plain str for the rest of the run.
    secret = getpass.getpass("Enter password for %s\nPassword: " % (account))
    # Presumably clears the prompts from the terminal before the menu is drawn.
    os.system("clear")
    menu(target, account, secret)
# Run main() only when executed as a script; importing the module defines
# the functions without starting the interactive prompts.
if __name__ == "__main__":
    main()