Enumy - Linux Post Exploitation Privilege Escalation Enumeration


[![](https://1.bp.blogspot.com/-n_GKgqLlqFw/XsCE2zggfMI/AAAAAAAASn4/HRITC2CZR-Qj2bdOgDNIoQynwOrpLt3gwCNcBGAsYHQ/s1600/enumy.png)](<https://1.bp.blogspot.com/-n_GKgqLlqFw/XsCE2zggfMI/AAAAAAAASn4/HRITC2CZR-Qj2bdOgDNIoQynwOrpLt3gwCNcBGAsYHQ/s1600/enumy.png>) Enumy is portable executable that you drop on target Linux machine during a [pentest](<https://www.kitploit.com/search/label/Pentest> "pentest" ) or CTF in the [post exploitation](<https://www.kitploit.com/search/label/Post%20Exploitation> "post exploitation" ) phase. Running enumy will enumerate the box for common security vulnerabilities. Enumy has a Htop like Ncurses interface or a standard interface for dumb reverse shells. **Installation** You can download the final binary from the release x86 or x64 tab. _Statically linked to musl_ Transfer the final enumy binary to the target machine * [latest release](<https://github.com/luke-goddard/enumy/releases> "latest release" ) ./enumy **Who Should Use Enumy?** * Pentester can run on a target machine raisable issues for their reports. * CTF players can use it identify things that they might have missed. * People who are curious to know how many isues enumy finds on their local machine? **Options** $ ./enumy64 -h ▄█▀─▄▄▄▄▄▄▄─▀█▄ _____ ▀█████████████▀ | __|___ _ _ _____ _ _ █▄███▄█ | __| | | | | | | █████ |_____|_|_|___|_|_|_|_ | █▀█▀█ |___| ------------------------------------------ Enumy - Used to enumerate the target environment and look for common security [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities> "vulnerabilities" ) and hostspots -o <loc> Save results to location -i <loc> Ignore files in this directory (usefull for network shares) -w <loc> Only walk files in thi s directory (usefull for devlopment) -t <num> Threads (default 4) -f Run full scans -d Display [debugging](<https://www.kitploit.com/search/label/Debugging> "debugging" ) information -n Enabled ncurses -h Show help **Compilation** To compile during _devlopment_, make libcap and the ncurses libary is all that is required. make To remove the glibc dependency and statically link all libaries/compile with musl do the following. _Note to do this you will have to have docker installed to create the apline build environment._ ./build.sh 64bit ./build.sh 32bit ./build.sh all cd output **Scans That've Been Implemented** Below is the ever growing list of scans that have been implemented. **Quck Scan** * SUID/GUID scans * File capabilities * Interesting files scan * Coredump scan * Breakout binary scan **Full Scan** * Quick Scan * Binary analysis **Scan Times** Changing the default number of threads is pretty pointless **unless** you're running a full scan. A full scan will do a lot more IO so more threads greatly decrease scan times. These are the scan times with a i7-8700k and 2 million files scanned. **Quick Scan Times** * 2 Thread -> `system 70% cpu 54.093 total` * 2 Thread -> `system 121% cpu 26.122 total` * 4 Thread -> `system 289% cpu 15.657 total` * 8 Threads -> `system 468% cpu 15.863 total` * 12 Thread -> `system 420% cpu 20.548 total` **Full Scan Times** * 1 Thread -> `system 50% cpu 3:16.38 total` * 2 Thread -> `system 86% cpu 1:33.95 total` * 4 Thread -> `system 165% cpu 47.753 total` * 8 Threads -> `system 366% cpu 29.768 total` * 12 Thread -> `system 467% cpu 29.815 total` **How To Contribute** * If you can think of a scan idea that has not been implemented, raise it as an issue. * Make a pull request, make sure that. * Each scan is given a unique ID * Multiple related scans are in the same file. * No more than one scan/test per function. **[Download Enumy](<https://github.com/luke-goddard/enumy> "Download Enumy" )**