Skip to content

Lin Enum

https://github.com/rebootuser/LinEnum

For more information visit www.rebootuser.com

Note: Export functionality is currently in the experimental stage.

General usage:

version 0.982

  • Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t

OPTIONS: * -k Enter keyword * -e Enter export location * -t Include thorough (lengthy) tests * -s Supply current user password to check sudo perms (INSECURE) * -r Enter report name * -h Displays this help text

Running with no options = limited scans/no output file

  • -e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
  • -r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
  • -t Performs thorough (slow) tests. Without this switch default 'quick' scans are performed.
  • -s Use the current user with supplied password to check for sudo permissions - note this is insecure and only really for CTF use!
  • -k An optional switch for which the user can search for a single keyword within many files (documented below).

See CHANGELOG.md for further details

High-level summary of the checks/tasks performed by LinEnum:

  • Kernel and distribution release details
  • System Information:
  • Hostname
  • Networking details:
  • Current IP
  • Default route details
  • DNS server information
  • User Information:
  • Current user details
  • Last logged on users
  • Shows users logged onto the host
  • List all users including uid/gid information
  • List root accounts
  • Extracts password policies and hash storage method information
  • Checks umask value
  • Checks if password hashes are stored in /etc/passwd
  • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
  • Attempt to read restricted files i.e. /etc/shadow
  • List current users history files (i.e .bash_history, .nano_history etc.)
  • Basic SSH checks
  • Privileged access:
  • Which users have recently used sudo
  • Determine if /etc/sudoers is accessible
  • Determine if the current user has Sudo access without a password
  • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
  • Is root’s home directory accessible
  • List permissions for /home/
  • Environmental:
  • Display current $PATH
  • Displays env information
  • Jobs/Tasks:
  • List all cron jobs
  • Locate all world-writable cron jobs
  • Locate cron jobs owned by other users of the system
  • List the active and inactive systemd timers
  • Services:
  • List network connections (TCP & UDP)
  • List running processes
  • Lookup and list process binaries and associated permissions
  • List inetd.conf/xined.conf contents and associated binary file permissions
  • List init.d binary permissions
  • Version Information (of the following):
  • Sudo
  • MYSQL
  • Postgres
  • Apache
    • Checks user config
    • Shows enabled modules
    • Checks for htpasswd files
    • View www directories
  • Default/Weak Credentials:
  • Checks for default/weak Postgres accounts
  • Checks for default/weak MYSQL accounts
  • Searches:
  • Locate all SUID/GUID files
  • Locate all world-writable SUID/GUID files
  • Locate all SUID/GUID files owned by root
  • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
  • Locate files with POSIX capabilities
  • List all world-writable files
  • Find/list all accessible *.plan files and display contents
  • Find/list all accessible *.rhosts files and display contents
  • Show NFS server details
  • Locate .conf and .log files containing keyword supplied at script runtime
  • List all *.conf files located in /etc
  • .bak file search
  • Locate mail
  • Platform/software specific tests:
  • Checks to determine if we're in a Docker container
  • Checks to see if the host has Docker installed
  • Checks to determine if we're in an LXC container