##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
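class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System

  # Executable name => product label.
  #
  # Every key is interpolated into a shell command run on the target
  # (`command -v <name>` in find_exes), so this MUST remain a static, trusted
  # table. Never derive entries from user-, option- or target-supplied data.
  EXECUTABLES = {
    'aa-status' => 'AppArmor',
    'aide' => 'Advanced Intrusion Detection Environment (AIDE)',
    'apparmor' => 'AppArmor',
    'auditd' => 'auditd',
    'avast' => 'Avast',
    'bastille' => 'Bastille',
    'bulldog' => 'Bulldog',
    'chkrootkit' => 'chkrootkit',
    'clamav' => 'ClamAV',
    'elastic-agent' => 'Elastic Security',
    'firejail' => 'Firejail',
    'firestarter' => 'Firestarter',
    'fw-settings' => 'Uncomplicated FireWall (UFW)',
    'getenforce' => 'SELinux',
    'gradm' => 'grsecurity',
    'gradm2' => 'grsecurity',
    'honeyd' => 'Honeyd',
    'iptables' => 'iptables',
    'jailkit' => 'jailkit',
    'logrotate' => 'logrotate',
    'logwatch' => 'logwatch',
    'lynis' => 'lynis',
    'nagios' => 'nagios',
    'oz-seccomp' => 'OZ',
    'paxctl' => 'PaX',
    'paxctld' => 'PaX',
    'paxtest' => 'PaX',
    'proxychains' => 'ProxyChains',
    'psad' => 'psad',
    'rkhunter' => 'rkhunter',
    'snort' => 'snort',
    'tcpdump' => 'tcpdump',
    'thpot' => 'thpot',
    'tiger' => 'tiger',
    'tripwire' => 'tripwire',
    'ufw' => 'Uncomplicated FireWall (UFW)',
    'wireshark' => 'Wireshark'
  }.freeze

  # Filesystem path (file or directory) => product label.
  #
  # Paths are checked with file_exist?/directory?, so they must be exact;
  # a stray trailing space or typo silently turns an entry into a dead check.
  # A miss here does NOT prove the product is absent — vendors change install
  # locations between versions, so treat results as positive evidence only.
  CONFIG_PATHS = {
    '/bin/logrhythm' => 'LogRhythm Axon',
    '/etc/aide/aide.conf' => 'Advanced Intrusion Detection Environment (AIDE)',
    '/etc/chkrootkit' => 'chkrootkit [chkrootkit -q]',
    '/etc/clamd.d/scan.conf' => 'ClamAV',
    '/etc/fluent-bit' => 'Fluent Bit Log Collector',
    '/etc/freshclam.conf' => 'ClamAV',
    '/etc/init.d/avast' => 'Avast',
    '/etc/init.d/avgd' => 'AVG',
    # ds_agent is the Deep Security agent (see /opt/ds_agent/dsa below),
    # not Deep Instinct, which is a different vendor.
    '/etc/init.d/ds_agent' => 'Trend Micro Deep Security Agent',
    '/etc/init.d/fortisiem-linux-agent' => 'Fortinet FortiSIEM',
    '/etc/init.d/kics' => 'Kaspersky Industrial CyberSecurity',
    '/etc/init.d/limacharlie' => 'LimaCharlie Agent',
    '/etc/init.d/qualys-cloud-agent' => 'Qualys EDR Cloud Agent',
    '/etc/init.d/scsm' => 'LogRhythm System Monitor',
    '/etc/init.d/sisamdagent' => 'Symantec EDR',
    '/etc/init.d/splx' => 'Trend Micro Server Protect',
    '/etc/init.d/threatconnect-envsvr' => 'ThreatConnect',
    '/etc/logrhythm' => 'LogRhythm Axon',
    '/etc/opt/f-secure' => 'WithSecure (F-Secure)',
    '/etc/otelcol-sumo/sumologic.yaml' => 'Sumo Logic OTEL Collector',
    '/etc/rkhunter.conf' => 'rkhunter',
    '/etc/safedog/sdsvrd.conf' => 'Safedog',
    '/etc/safedog/server/conf/sdsvrd.conf' => 'Safedog',
    '/etc/tripwire' => 'TripWire',
    '/opt/COMODO' => 'Comodo AV',
    '/opt/CrowdStrike' => 'CrowdStrike',
    '/opt/FortiEDRCollector' => 'Fortinet FortiEDR',
    '/opt/FortiEDRCollector/scripts/fortiedrconfig.sh' => 'Fortinet FortiEDR',
    '/opt/McAfee' => 'FireEye/McAfee/Trellix Agent',
    '/opt/SumoCollector' => 'Sumo Logic Cloud SIEM',
    '/opt/Symantec' => 'Symantec EDR',
    '/opt/Tanium' => 'Tanium',
    '/opt/Trellix' => 'FireEye/McAfee/Trellix SIEM Collector',
    '/opt/avg' => 'AVG',
    '/opt/bitdefender-security-tools/bin/bdconfigure' => 'Bitdefender EDR',
    '/opt/cisco/amp/bin/ampcli' => 'Cisco Secure Endpoint',
    '/opt/cyberark' => 'CyberArk',
    '/opt/ds_agent/dsa' => 'Trend Micro Deep Security Agent',
    '/opt/f-secure' => 'WithSecure (F-Secure)',
    '/opt/fireeye' => 'FireEye/Trellix EDR',
    '/opt/fortinet/fortisiem' => 'Fortinet FortiSIEM',
    '/opt/isec' => 'FireEye/Trellix Endpoint Security',
    '/opt/kaspersky' => 'Kaspersky',
    '/opt/logrhythm/scsm' => 'LogRhythm System Monitor',
    '/opt/secureworks' => 'Secureworks',
    '/opt/sentinelone/bin/sentinelctl' => 'SentinelOne',
    '/opt/splunkforwarder' => 'Splunk',
    '/opt/threatbook/OneAV' => 'threatbook.OneAV',
    '/opt/threatconnect-envsvr/' => 'ThreatConnect',
    '/opt/traps/bin/cytool' => 'Palo Alto Networks Cortex XDR',
    '/sf/edr/agent/bin/edr_agent' => 'Sangfor EDR',
    '/titan/agent/agent_update.sh' => 'Titan Agent',
    '/usr/bin/linep' => 'Group-iB XDR Endpoint Agent',
    '/usr/bin/oneav_start' => 'threatbook.OneAV',
    '/usr/lib/Acronis' => 'Acronis Cyber Protect',
    '/usr/lib/symantec/status.sh' => 'Symantec Linux Agent',
    '/usr/local/bin/intezer-analyze' => 'Intezer',
    '/usr/local/qualys' => 'Qualys EDR Cloud Agent',
    '/usr/local/rocketcyber' => 'Kaseya RocketCyber',
    '/var/lib/avast/Setup/avast.vpsupdate' => 'Avast',
    '/var/log/checkpoint' => 'Checkpoint',
    '/var/pt' => 'PT Swarm'
  }.freeze

  # Kernel/userland hardening predicates that map to a single "present" message.
  # Each predicate comes from Msf::Post::Linux::Kernel / ::System and is only
  # ever called via send with these fixed symbols (no dynamic dispatch on input).
  SIMPLE_HARDENING_CHECKS = [
    [:aslr_enabled?, 'ASLR is enabled'],
    [:exec_shield_enabled?, 'Exec-Shield is enabled'],
    [:kaiser_enabled?, 'KAISER is enabled'],
    [:smep_enabled?, 'SMEP is enabled'],
    [:smap_enabled?, 'SMAP is enabled'],
    [:lkrg_installed?, 'LKRG is installed'],
    [:grsec_installed?, 'grsecurity is installed'],
    [:pax_installed?, 'PaX is installed']
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather Protection Enumeration',
        'Description' => %q{
          This module checks whether popular system hardening mechanisms are
          in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also
          tries to find installed applications that can be used to hinder,
          prevent, or detect attacks, such as tripwire, snort, and apparmor.
          This module is meant to identify Linux Security Modules (LSM) in addition
          to various antivirus, IDS/IPS, firewalls, sandboxes and other security
          related software.
        },
        'License' => MSF_LICENSE,
        'Author' => 'ohdae <bindshell[at]live.com>',
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point. Prints basic host info, then runs the three discovery passes
  # (kernel/LSM hardening, known executables, known config/install paths).
  # Findings are printed and, when a database is connected, stored as notes.
  def run
    distro = get_sysinfo
    print_status "Running module against #{session.session_host} [#{get_hostname}]"
    print_status 'Info:'
    print_status "\t#{distro[:version]}"
    print_status "\t#{distro[:kernel]}"

    print_status 'Finding system protections...'
    check_hardening

    print_status 'Finding installed applications via their executables...'
    find_exes

    print_status 'Finding installed applications via their configuration files...'
    find_config

    print_status 'System protections saved to notes.' if framework.db.active
  end

  # Persist one finding as a 'linux.protection' note attached to the session
  # host. `update: :unique_data` keeps repeated runs from piling up duplicate
  # notes with identical data.
  #
  # @param data [String] human-readable finding, e.g. 'SMEP is enabled'
  def report(data)
    report_note(
      host: session,
      type: 'linux.protection',
      data: data,
      update: :unique_data
    )
  end

  # Probe kernel and LSM hardening state. Each probe is isolated in its own
  # rescue so one unreadable sysctl/proc entry (which the helpers surface as
  # RuntimeError) does not abort the remaining checks; the error text is only
  # shown in verbose mode.
  #
  # Only positives are reported: a check that returns false or raises prints
  # nothing, so absence of a line is not evidence the mitigation is off.
  def check_hardening
    SIMPLE_HARDENING_CHECKS.each do |predicate, message|
      guarded_check { report_protection(message) if send(predicate) }
    end

    guarded_check do
      if selinux_installed?
        if selinux_enforcing?
          report_protection('SELinux is installed and enforcing')
        else
          report_protection('SELinux is installed, but in permissive mode')
        end
      end
    end

    guarded_check do
      if yama_installed?
        if yama_enabled?
          report_protection('Yama is installed and enabled')
        else
          report_protection('Yama is installed, but not enabled')
        end
      end
    end
  end

  # Locate security-relevant executables on the target's PATH.
  #
  # The name is resolved with `command -v`; only results that look like an
  # absolute path are accepted, which drops shell builtins, functions and
  # aliases that would otherwise be mistaken for an installed binary.
  # Keys come exclusively from the frozen EXECUTABLES table.
  def find_exes
    EXECUTABLES.each do |app, appname|
      next unless command_exists? app

      path = cmd_exec "command -v #{app}"
      next unless path.start_with? '/'

      print_good "#{app} found: #{path}"
      report "#{appname}: #{path}"
    end
  end

  # Locate security products by well-known config files and install
  # directories from the frozen CONFIG_PATHS table. A probe that raises
  # (e.g. the session cannot stat the path) is reported as undetermined
  # rather than silently treated as "not installed".
  def find_config
    CONFIG_PATHS.each do |path, appname|
      next unless file_exist?(path) || directory?(path)

      print_good "#{appname} found: #{path}"
      report "#{appname}: #{path}"
    rescue RuntimeError
      print_bad("Unable to determine state of #{appname}")
      next
    end
  end

  private

  # Print a positive hardening finding and persist it as a note.
  #
  # @param message [String] the finding text
  def report_protection(message)
    print_good message
    report message
  end

  # Run a single probe, swallowing the RuntimeError the post helpers raise when
  # a proc/sysctl entry cannot be read so the remaining probes still execute.
  def guarded_check
    yield
  rescue RuntimeError => e
    vprint_status(e.to_s)
  end
end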