2012-03-17 13:28:31 -04:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-03-17 13:28:31 -04:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Post
|
2013-09-05 13:41:25 -05:00
|
|
|
include Msf::Post::File
|
|
|
|
|
include Msf::Post::Linux::System
|
|
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
def initialize(info = {})
|
2013-09-05 13:41:25 -05:00
|
|
|
super( update_info( info,
|
|
|
|
|
'Name' => 'Linux Gather Protection Enumeration',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module tries to find certain installed applications that can be used
|
|
|
|
|
to prevent, or detect our attacks, which is done by locating certain
|
|
|
|
|
binary locations, and see if they are indeed executables. For example,
|
|
|
|
|
if we are able to run 'snort' as a command, we assume it's one of the files
|
|
|
|
|
we are looking for.
|
|
|
|
|
|
|
|
|
|
This module is meant to cover various antivirus, rootkits, IDS/IPS,
|
|
|
|
|
firewalls, and other software.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
2018-04-29 06:52:47 +00:00
|
|
|
'Author' => 'ohdae <bindshell[at]live.com>',
|
2014-07-08 16:23:57 -05:00
|
|
|
'Platform' => ['linux'],
|
2014-07-08 16:25:50 -05:00
|
|
|
'SessionTypes' => ['shell', 'meterpreter']
|
2013-09-05 13:41:25 -05:00
|
|
|
))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
distro = get_sysinfo
|
|
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
print_status "Running module against #{session.session_host} [#{get_hostname}]"
|
|
|
|
|
print_status 'Info:'
|
|
|
|
|
print_status "\t#{distro[:version]}"
|
|
|
|
|
print_status "\t#{distro[:kernel]}"
|
2013-09-05 13:41:25 -05:00
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
print_status 'Finding installed applications...'
|
2013-09-05 13:41:25 -05:00
|
|
|
find_apps
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def which(env_paths, cmd)
|
2018-04-29 06:52:47 +00:00
|
|
|
env_paths.each do |path|
|
|
|
|
|
cmd_path = "#{path}/#{cmd}"
|
|
|
|
|
return cmd_path if file_exist? cmd_path
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
2018-04-29 06:52:47 +00:00
|
|
|
nil
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def find_apps
|
2018-04-29 06:52:47 +00:00
|
|
|
apps = %w(
|
|
|
|
|
truecrypt bulldog ufw iptables logrotate logwatch
|
|
|
|
|
chkrootkit clamav snort tiger firestarter avast lynis
|
|
|
|
|
rkhunter tcpdump webmin jailkit pwgen proxychains bastille
|
|
|
|
|
psad wireshark nagios apparmor honeyd thpot
|
|
|
|
|
aa-status gradm2 getenforce tripwire
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
env_paths = get_path.split ':'
|
2013-09-05 13:41:25 -05:00
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
apps.each do |app|
|
|
|
|
|
next unless command_exists? app
|
2013-09-05 13:41:25 -05:00
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
path = which env_paths, app
|
|
|
|
|
next unless path
|
2013-09-05 13:41:25 -05:00
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
print_good "#{app} found: #{path}"
|
|
|
|
|
report_note(
|
|
|
|
|
:host => session,
|
|
|
|
|
:type => 'linux.protection',
|
|
|
|
|
:data => path,
|
|
|
|
|
:update => :unique_data
|
|
|
|
|
)
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
|
|
|
|
|
2018-04-29 06:52:47 +00:00
|
|
|
print_status 'Installed applications saved to notes.'
|
2013-09-05 13:41:25 -05:00
|
|
|
end
|
2012-03-18 00:07:27 -05:00
|
|
|
end
|
