Note: Export functionality is currently in the experimental stage.
Additions
- Additional checks provided by @djhohnstein (https://github.com/djhohnstein/LinEnum/commit/bf4ce1ad3beb392cab5d388e364972373533c721#diff-679e8fbdcfe07231f5eda7a8b491511dR1350)
- Searches /home for private key files
- Searches /home for AWS keys
- Searches / for git credential files
Modifications
- SUID/SGID and capabilities checks moved from thorough to standard check
- False positive ssh-agent fix
- Output text/small code changes and clean-up
Additions
- Sudo/SUID/SGID binary list expanded to include entries from https://gtfobins.github.io/
- -s switch introduced. This allows you to supply the current user password for authenticated sudo 'checks'. Note; this is INSECURE and is really only for use in CTF environments
Modifications
- Sudo/suid/guid searches modified & bug in sudo parsing (when multiple entries are separated by commas) fixed
- Apache home dir output moved to thorough checks (due to extensive output)
Additions
- Prints contents of users .bash_history (if found)
- Looks for users that have used sudo
- Checks for htpasswd files
- Lists hidden files
- Further checks/output in regards to viewing files the user owns
- Additional checks using newer ip commands
- Added PHP search for keywords
Modifications
- Code/commands cleaned
- Added [+] and [-] to output, to aid in searching through the generated report
Additions
- LX Container checks
- Loaded Kernel Modules list
- adm group listing
- SELinux Presence
Modifications
- Code optimization: everything is in functions, cat grep awk pair optimized.
Additions
- ARP information added
- Shows users currently logged onto the host
- Added checks to show env information
- Displays enabled Apache modules
- Checks to see if we're in a Docker container
- Checks to see if we're hosting Docker services
Modifications
- Tweaked the SSH search as we were getting false negatives
- Tweaked the searches used for SUID, GUID binaries
- Fixed issues with some commands not, or incorrectly, redirecting to error
Additions
- Interface tweaks including the following additional switches: ** -e :export functionality ** -r :generate report output ** -t :perform thorough tests
- Thorough tests include lengthy checks, if the -t switch is absent, a default 'quick' scan is performed
- Export functionality copies 'interesting' files to a specified location for offline analysis
- Checks added for inetd.conf binary ownership
- Extracts password policy and hashing information from /etc/login.defs
- Checks umask value
Modifications
- Reporting functionality now has a dependency on 'tee'
- Fixed/modified user/group scan
- Tidied sudoer file extraction command
Additions
- Added basic usage details to display on start-up
- Added cron.deny/cron.allow checks
Modifications
- Fixed printing of scan start date when output is saved to file
- Tidied up output when output is saved to a file
Edited by Nikhil Sreekumar (@roo7break) Enhancements
- Support for multiple keywords for searching added (space separated)
- Search for keywords optimised
- Store output to file and pass seach keywords from command line (e.g. ./LinEnum.sh output.txt "password credential username"
Additions
- Date/time is displayed when the scan is started
- Checks for word-readable files in /home and displays positive matches
- Apache user config (user/group) details displayed (if applicable)
- Details all members of our users' current groups
- Lists available shells
- Performs basics SSH checks (i.e. what can be read/where is it stored and associated permissions)
- Locates and lists password hashes that may be found in /etc/passwd on old setups (big thanks to www.pentestmonkey.net)
- Locates credentials file and username/passwords in /etc/fstab
Modifications:
- ifconfig command simplified so 'br' & 'em' interfaces details are also shown
- Keyword search also includes *.ini files