metasploit-framework/modules/post/linux/gather/enum_protections.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'shellwords'

require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'
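# Post module that records which of a fixed list of security-related tools
# appear by name in the directories of the session's $PATH.
#
# How to read the results:
# * A hit means a directory entry with exactly that name exists in a $PATH
#   directory. The code does not check the executable bit, nor whether the
#   tool is configured or running.
# * A miss is not evidence of absence: only $PATH directories are searched,
#   and the lookup is by the literal names in the list below.
#
# Host-side footprint: every run executes `hostname`, `echo $PATH` and one
# `/bin/ls <dir> | /bin/grep <name>` pipeline per (name, $PATH directory)
# pair through the session shell, so the run shows up as a burst of
# short-lived processes in exec/process auditing on the host.
class Metasploit3 < Msf::Post

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Linux::System

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata passed in by the framework; merged via update_info
  def initialize(info = {})
    super( update_info( info,
      'Name'         => 'Linux Gather Protection Enumeration',
      'Description'  => %q{
        This module tries to find certain installed applications that can be used
        to prevent, or detect our attacks, which is done by locating certain
        binary locations, and see if they are indeed executables.  For example,
        if we are able to run 'snort' as a command, we assume it's one of the files
        we are looking for.

        This module is meant to cover various antivirus, rootkits, IDS/IPS,
        firewalls, and other software.
      },
      'License'      => MSF_LICENSE,
      'Author'       =>
        [
          'ohdae <bindshell[at]live.com>'
        ],
      'Platform'     => [ 'linux' ],
      'SessionTypes' => [ 'shell' ]
    ))
  end

  # Entry point: prints the host name and the version/kernel strings returned
  # by get_sysinfo, then runs the application lookup.
  def run
    distro = get_sysinfo
    h = get_host
    print_status("Running module against #{h}")

    print_status("Info:")
    print_status("\t#{distro[:version]}")
    print_status("\t#{distro[:kernel]}")

    print_status("Finding installed applications...")
    find_apps
  end

  # Returns the host name for the current session.
  #
  # @return [String, nil] the name reported by the session, or nil when the
  #   session type matches neither branch
  def get_host
    case session.type
    when /meterpreter/
      sysinfo["Computer"]
    when /shell/
      # to_s guards against a nil reply (e.g. the command timed out), which
      # would otherwise raise NoMethodError on chomp.
      session.shell_command_token("hostname").to_s.chomp
    end
  end

  # Looks for a directory entry named exactly +cmd+ in each directory of
  # +env_paths+, in order.
  #
  # @param env_paths [Array<String>] directories taken from the session's $PATH
  # @param cmd [String] file name to look for
  # @return [String, nil] "<dir>/<cmd>" for the first directory that contains
  #   the name, or nil when none does
  def which(env_paths, cmd)
    env_paths.each do |path|
      # An empty $PATH entry would make ls list the shell's working directory
      # and produce a misleading "/<cmd>" result, so it is skipped.
      next if path.to_s.strip.empty?

      # The directory name is read from the remote environment; escape it so
      # spaces or shell metacharacters in $PATH cannot alter the command line.
      listing = cmd_exec("/bin/ls #{Shellwords.escape(path)} | /bin/grep #{Shellwords.escape(cmd)}").to_s

      # grep matches substrings, so a directory holding both "iptables" and
      # "iptables-save" returns several lines. Comparing the whole output to
      # +cmd+ would then miss the exact entry; compare line by line instead.
      return "#{path}/#{cmd}" if listing.split(/\r?\n/).include?(cmd)
    end

    nil
  end

  # Checks every listed name against the session's $PATH and stores one
  # "linux.protection" note per name found.
  def find_apps
    apps = [
      "truecrypt", "bulldog", "ufw", "iptables", "logrotate", "logwatch",
      "chkrootkit", "clamav", "snort", "tiger", "firestarter", "avast", "lynis",
      "rkhunter", "tcpdump", "webmin", "jailkit", "pwgen", "proxychains", "bastille",
      "psad", "wireshark", "nagios", "apparmor", "honeyd", "thpot"
    ]

    env_paths = cmd_exec("echo $PATH").to_s.strip.split(":")

    # Resolve the host name once; it does not change between lookups and each
    # call runs another command in the session.
    host = get_host
    found = 0

    apps.each do |a|
      output = which(env_paths, a)
      next unless output

      found += 1
      print_good("#{a} found: #{output}")

      # NOTE(review): the note is keyed with :host_name; confirm that
      # report_note honours this key for associating the note with a host.
      report_note(
        :host_name => host,
        :type      => "linux.protection",
        :data      => output,
        :update    => :unique_data
      )
    end

    if found > 0
      print_status("Installed applications saved to notes.")
    else
      print_status("None of the listed applications were found.")
    end
  end

end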