GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/enum_protections.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
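class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System

  # Kernel / LSM hardening probes, evaluated in this order. Each entry pairs a
  # predicate supplied by the included Linux mixins with the finding text that
  # is printed and stored when the predicate returns true. SELinux and Yama
  # need a two-state message and are handled separately in #check_hardening.
  HARDENING_CHECKS = [
    [:aslr_enabled?, 'ASLR is enabled'],
    [:exec_shield_enabled?, 'Exec-Shield is enabled'],
    [:kaiser_enabled?, 'KAISER is enabled'],
    [:smep_enabled?, 'SMEP is enabled'],
    [:smap_enabled?, 'SMAP is enabled'],
    [:lkrg_installed?, 'LKRG is installed'],
    [:grsec_installed?, 'grsecurity is installed'],
    [:pax_installed?, 'PaX is installed']
  ].freeze

  # Security-related programs (firewalls, IDS/IPS, AV, integrity checkers,
  # sandboxes, hardening tools) looked up on the target's PATH by #find_apps.
  SECURITY_APPS = %w[
    truecrypt bulldog ufw iptables fw-settings logrotate logwatch
    chkrootkit clamav snort tiger firestarter avast lynis
    rkhunter tcpdump webmin jailkit pwgen proxychains bastille
    psad wireshark nagios apparmor oz-seccomp honeyd thpot
    aa-status gradm gradm2 getenforce aide tripwire paxctl
    paxctld paxtest firejail auditd
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather Protection Enumeration',
        'Description' => %q{
          This module checks whether popular system hardening mechanisms are
          in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also
          tries to find installed applications that can be used to hinder,
          prevent, or detect attacks, such as tripwire, snort, and apparmor.

          This module is meant to identify Linux Secure Modules (LSM) in addition
          to various antivirus, IDS/IPS, firewalls, sandboxes and other security
          related software.
        },
        'License' => MSF_LICENSE,
        'Author' => 'ohdae <bindshell[at]live.com>',
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter']
      )
    )
  end

  # Module entry point: prints basic host information, then runs the
  # hardening checks and the application lookup. Findings are only persisted
  # when a database is connected (see #report).
  def run
    distro = get_sysinfo

    print_status "Running module against #{session.session_host} [#{get_hostname}]"
    print_status 'Info:'
    print_status "\t#{distro[:version]}"
    print_status "\t#{distro[:kernel]}"

    print_status 'Finding system protections...'
    check_hardening

    print_status 'Finding installed applications...'
    find_apps

    print_status 'System protections saved to notes.' if framework.db.active
  end

  # Stores a single finding as a 'linux.protection' note on the session host.
  #
  # @param data [String] the finding text or path to record
  # @return [void]
  def report(data)
    report_note(
      host: session,
      type: 'linux.protection',
      data: data,
      update: :unique_data
    )
  end

  # Evaluates every entry of HARDENING_CHECKS in order, then the two-state
  # SELinux and Yama probes, printing and reporting each positive result.
  #
  # @return [void]
  def check_hardening
    HARDENING_CHECKS.each do |predicate, finding|
      # `predicate` comes from the frozen constant above, never from the
      # target, so dispatching by name is safe here.
      note_protection(finding) if send(predicate)
    end

    if selinux_installed?
      note_protection(
        selinux_enforcing? ? 'SELinux is installed and enforcing' : 'SELinux is installed, but in permissive mode'
      )
    end

    return unless yama_installed?

    note_protection(yama_enabled? ? 'Yama is installed and enabled' : 'Yama is installed, but not enabled')
  end

  # Looks up each program in SECURITY_APPS on the target and reports the
  # resolved path of every one that exists as a real executable.
  #
  # @return [void]
  def find_apps
    SECURITY_APPS.each do |app|
      next unless command_exists? app

      # `app` is taken from the frozen SECURITY_APPS list, not from session
      # input, so interpolating it into the shell command is safe. Do not
      # extend this to names that can be influenced by the target.
      path = cmd_exec "command -v #{app}"
      # Shell builtins and aliases do not resolve to an absolute path; skip them.
      next unless path.start_with? '/'

      print_good "#{app} found: #{path}"
      report path
    end
  end

  private

  # Prints a positive finding and stores it via #report.
  #
  # @param finding [String] the finding text
  # @return [void]
  def note_protection(finding)
    print_good finding
    report finding
  end
end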