On real (non-CTF) systems, lse.sh can be extremely slow, especially when the host's filesystem contains a huge amount of data.

To skip tasks that seem to hang for hours, currently one needs to specify all remaining tasks via -s. This is a bit cumbersome for such scenarios. I would like to propose an exclude flag, that allows to define which tasks to skip.

But looking at the list of tasks, this would still require a large amount of tasks to exclude manually. So alternatively (or better additionally?), an option like --skip-long-running-tasks (or --fast) could be useful. Such an option would skip a predefined list of tasks that take too long when the filesystem is large. (I guess basically everything that does find / ...)

What do you think?

you gradually reverted your fix for #11 (via commit f14477c and commit aa49197)

So I'm again getting declare: -g: invalid option on older bash versions.

lse finds lots of useful info but, it can some times be a bit hard to analyze when the reports big and there's lots their.

Having an option to create an html report with hyperlinks and cullers as well as minimizing or expanding sections, would make it easier to analyze the output.
Thanks

If I stopped the execution using ctrl c my shell retains the colora and other profiles of the script

Kindly check whether repositories like git or svn is present ?

find / -name .git
.svn

something like that

that would be awesome

It would be great if you can add more info about the linux version

eg:- Ubunt 16.014.1 LTS

This info is missing

And A line about if it is dirty cowable would be nice

Hi!
great work with this project!
as additional oneliners I would suggest you the followings:

bash <(wget -q -O - https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i
bash <(curl -s https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh) -l2 -i

keep up the good work!

I encountered issues with the SSH files in home directories test. There are several ways to fix it, but I'm not sure about the best solution. So I open an issue instead of a PR and you can decide what's best.

First, I noticed the test returns duplicate entries, listing the same file several times. This is annoying and unnecessary so I wanted to fix that.

The reason this happens is because the test iterates over cut -d: -f6 /etc/passwd. There are system accounts having / as a home directory. So the test repeatedly scans the same directories (actually the whole file system). Furthermore, there are other accounts having something like /sbin as home, and so on.

This produces not only duplicate results, it is also unnecessarily slow because it scans the same directories multiple times.

A possible way to reduce duplicates and speed this up is to sort -u the cut -d: -f6 /etc/passwd first. But since some "home" can be a parent directory of another "home" (think of / again), this would still produce duplicates. Duplicates could be filtered by sort -u the end result again.

However, this solution still involves unnecessarily scanning the same directories. Maybe we want to exclude / if it is in the list. On the other hand, it is perfectly possible that some SSH key lies somewhere on the file system, not within a home. So this check can be handy. Alternatively the test could be changed from "in home directories" to "on the file system" and scan / and just /.

I am not sure if others would find this useful, but some users might want to save the output of this script somewhere. I consider this script to have two outputs: The text printed to the terminal and the output of the commands that are run. Using the -l2 shows both of these outputs, but if there was a way to print -l0 or -l1 information to the terminal but store the -l2 output (output of commands) to a file, then the user could have clean output that is fast to analyze and all the information they might need to reference is also available.

But this might take more effort than it is worth, depending on how useful others would find this.

Having a similar issue with the color as (#32) while running lse without explicitly running with bash on an older device. A screenshot with some details, not sure if it's enough information for you?

The machine i was trying it on was an old Fedora 4 (Linux 2.6.11-1369_FC4)

Since the script was made compatible with /bin/sh instead of relying on bash (which I think was a good step), I noticed some weird behaviour on some targets.

Specifically, the color escape sequences are not interpreted but remain in the output when /bin/sh is a not so recent version of dash.
Even more disturbing, passing -c to lse to suppress colors completely does not have any effect here.
Running explicitly with bash is no problem.

The issue occurs for example on Ubuntu 16.04 with dash 0.5.8-2.1ubuntu2 (and older).

The issue does no longer occur since Ubuntu 18.04 with dash 0.5.8-2.10.

This can most easily be verified in a Docker/Podman container:

podman run --rm -it ubuntu:16.04
apt update && apt install wget
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh
chmod 700 lse.sh
./lse.sh

too many /snap/core/ when scan for "Uncommon setuid binaries":
/snap/core/10958/bin/mount
/snap/core/10958/bin/ping
/snap/core/10958/bin/ping6
/snap/core/10958/bin/su
/snap/core/10958/bin/umount
/snap/core/10958/usr/bin/chfn
/snap/core/10958/usr/bin/chsh
/snap/core/10958/usr/bin/gpasswd
/snap/core/10958/usr/bin/newgrp
/snap/core/10958/usr/bin/passwd
/snap/core/10958/usr/bin/sudo
/snap/core/10958/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10958/usr/lib/openssh/ssh-keysign
/snap/core/10958/usr/lib/snapd/snap-confine
/snap/core/10958/usr/sbin/pppd
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign

Hello @diego-treitos ,

First thank you for this tool.

I was wondering if it would be a good addition to list running process per user instead of all running processes. Or maybe users with a shell.

I think this would help identify interesting running processes quicker.

Let me know if you would be interested by something like this and I'll see what I can do.

When running lse on Debian 10 without -i option, the following error occurs:

[!] sud030 Can we list sudo commands with a password?......................lse.sh: line 402: lse_sudo_commands: readonly variable
 nope

While it continues when running under bash, it aborts completely when running with /bin/sh.

You currently check for various default MySQL and PostgreSQL authentications. I suggest a check to see if you can authenticate to a local MongoDB instance anonymously.

The ticket you opened here showed up in my notification box. I took a moment to read what you had written there, and had a quick look at your source code. It's looking pretty neat so far.

Now the reason i wanted to open this ticket and get in touch is because i wrote a tool a while ago that automatically downloads and deploys several enumeration, privilege-escalation and other useful tools for when an initial compromise is made. The focus of my script is to make it as convenient as possible to deploy the best tooling for the job of getting root. My tool is called RootHelper and if you're interested you can find it in it's repo here.

Would i be correct in thinking that your project outclasses LinEnum in terms of sophistication and capabilities? Do you have any plans to further expand on the functionality of the tool?

Either way, i was thinking i might drop LinEnum as a downloadable asset from my RootHelper tool and replace it with your modernized and in many ways improved version. If and when i do you will be accredited for your work of course. Thoughts?

https://book.hacktricks.xyz/linux-unix/privilege-escalation#doas

Paths:

• /etc/doas.conf
• /usr/local/etc/doas.conf

Tried to use the serve "-S" option and it gets a netcat error nc: invalid option -- 'q'
Netcat version 7.92

I fixed my version of script on line 505

Hello,

I think a nice addition would be to list non-default directories in the root path.

I ran into this situation in a CTF where the interesting files were in /backup.

Presumably the purpose of the common setuid check is so that time is not wasted chasing down exploits in "default" and usually secure binaries. However I'm not aware that exim is installed by default on many systems, and even if it is, exim has a number of privilege escalation exploits. Might be worth removing it so it gets flagged on a default run.

Alternatively a list of setuid binaries with known exploits could be maintained and used as an additional check.

I suppose this tool is explicitly built for Linux, not Unix/macOS, but for some reason there's a UI element that renders as text rather than what it's supposed to render to.

All of the \e[### characters just show up as the raw text.

I'm using macOS 10.14.5 on a 2016 Macbook Pro with v 2.9.5 of Terminal.app

Great work so far! I think It would be cool if after running a default scan, you could expand or re-run a particular section or sections with a deeper verbose level. For example,

$ ./lse.sh --section 'sudo,security,file system' -l 2

If you log onto an active user and tmux is installed, they might have tmux sessions available that you are initially unable to see which might be useful if they had sensitive information available in one of them (Such as having switched users).

A tmux list-sessions would display any existing sessions and the number of windows in each session.

I recently came across a box that had the data of the su command (The users password) in the audit log which lse missed.

A simple grep -R 'comm="su"' /var/log/audit/audit.log* 2>/dev/null would have picked this up.

Might want to add this, and look for other commonly used log files that could also contain sensitive data in the future :)

viewuser SUID was not showing in the Irked machine

$ sh lse.sh
lse.sh: 87: lse.sh: Syntax error: "(" unexpected

Hi there,
as I wanted to test you script, I am unable to launch it. The error is:
lse.sh: 87: lse.sh: Syntax error: "(" unexpected

as in the following screen.

Code snippet:

I have looked into the code but as I am not as good as others in Bash I saw nothing bad there. Can you please look for a fix in the lse.sh script? Thank you.

Hi. :)

I use Kali in with the High Contrast style. When running lse.sh with colors, this causes the test descriptions to be "blank" because white is hard-coded as the foreground color.

I fixed the issue by deleting all instances of ${white} in the script. It's useful to have color highlighting.

Investigate ptrace_scope and its impact on security and privesc.

Also requested in the past for LinEnum: rebootuser/LinEnum#35

Hi Diego,
would be cool if you can add the feature that your script checks for unencrypted ssh-keys in memory (ssh-agent) by calling "ssh-add -l" and check if there are entries present or not.

Greets,
Barneee

I think /usr/bin/fusermount3 should be added to the list of common setuid binaries. I have that on my Fedora 35 system and I also saw it on a Debian- or Ubuntu-like box.

$ ls -lh $(which fusermount3)
-rwsr-xr-x. 1 root root 36K 16. Sep 17:59 /usr/bin/fusermount3

https://github.com/diego-treitos/linux-smart-enumeration/blob/master/screenshots/lse.gif
I was wondering what terminal you are using to show case your tool, it looks very nice and clean. I was going to use it to show case one of my tools with it too. Awesome tool and much love.

As it stands, the check for NFS shares is at level 2 - Which is current reserved for information checks more so than critical ones.

The thing is that NFS can easily be misconfigured

https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe

I suggest that either this be elevated to level 1, or an additional level 1 / level 0 check be added for cases where the NFS share specifically contains the no_root_squash permission.

Hi ,
I was trying this script on " Hostname: kioptrix.level2, Linux: 2.6.9-55.EL ,Distribution: CentOS release 4.5 (Final) " and I got the below error:
bash-3.00$ ./lse.sh
./lse.sh: line 166: syntax error near unexpected token newline' ./lse.sh: line 166: lse_common_setuid+=('
bash-3.00$

After commenting line number 166 to 169 , the scripts executes but no fruitful result - see error-log.txt attached . Quick help is really appreciated.
error-log.txt

Hi, I've had frequent issues with multiple unix systems where the exploit executes however no color formatting is working on these older machines whereas other scripts color coding still works.

Is there any guidance on this?

output:

expected:

Under "fst100 Useful binaries" you show Netcat as one of the options (nc)

There are several versions of Netcat - Not all of them with -e support (Inbound program to execute) which is quite a major factor when doing CTFs, specifically with reverse shells.

I suggest that if Netcat appears under the Useful binaries section, you add a display showing if the -e parameter is supported

For sud000 (Can we sudo without a password?), you currently check

sudo -nS id

Which only checks if the user can sudo without a password on the current host.

If the user has read-access to their own sudoers file, you can also go

cat "/etc/sudoers.d/$(whoami)"

Which displays commands that the user can sudo on any host by specifying the -h flag on sudo

checking if /etc/passwd is writable?

Hi diego,

Their seems to be a problem in "Uncommon setuid binaries" check if the uncommon suid binary names matches to that of in ${lse_common_setuid}
e.g.
┌──(kali㉿kali)-[/tmp]
└─$ cat test.sh
#!/bin/sh
setuidbin=sys
for cs in ping ping6;
do
setuidbin=printf "$setuidbin\n" | grep -Ev "$cs";
done;
printf "$setuidbin\n"

┌──(kali㉿kali)-[/tmp]
└─$ ./test.sh
sys <=========================== OK

= = = =
┌──(kali㉿kali)-[/tmp]
└─$ cat test.sh
#!/bin/sh
setuidbin=pingsys
for cs in ping ping6;
do
setuidbin=printf "$setuidbin\n" | grep -Ev "$cs";
done;
printf "$setuidbin\n"

┌──(kali㉿kali)-[/tmp]
└─$ ./test.sh
<=========================== NOT OK, was expecting pingsys

Was doing a room on THM where we have to do privesc using an uncommon suid binary named "pingsys" and to my surprise it was not picked up by lse in Uncommon setuid binaries.

Please have a look.

I noticed that even if -c is given, the output of the process monitor contains color codes.

Are we using this ?

ps aux | grep root

lse_procmon calls ps -ewwwo start_time,pid,user:50,args but this seems to be procps-ng compatible only.

The busybox implementation of ps has no -w and also lacks the output columns start_time and user:50.

So when running lse on a somewhat restricted system, it explodes with ps errors all over the screen.

Maybe there is no trivial fix for compatibility because lse_proc_print also makes assumptions about taking exactly this format. So perhaps just check whether ps -V is procps-ng and skip this task otherwise?

Thank you for the great script! Not sure if there's alternative for declare, but I'm getting these errors in older machines.

$ bash --version
GNU bash, version 3.1.17(1)-release (i486-pc-linux-gnu)
$ declare -g
bash: line 13: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]

===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?..................../lse.sh: line 328: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
nope
[] sud040 Can we read /etc/sudoers?....................................... nope
[] sud050 Do we know if any other users used sudo?........................ nope
============================================================( file system )=====
[] fst000 Writable files outside user's home.............................../lse.sh: line 328: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]
nope
[] fst010 Binaries with setuid bit........................................./lse.sh: line 328: declare: -g: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]