Search...

Enumy - Linux Post Exploitation Privilege Escalation Enumeration

2020-06-01T12:30:08

ID KITPLOIT:6384515767173020709
Type kitploit
Reporter KitPloit
Modified 2020-06-01T12:30:08

Description

Enumy is portable executable that you drop on target Linux machine during a pentest or CTF in the post exploitation phase. Running enumy will enumerate the box for common security vulnerabilities. Enumy has a Htop like Ncurses interface or a standard interface for dumb reverse shells.

Installation
You can download the final binary from the release x86 or x64 tab. _ Statically linked to musl _ Transfer the final enumy binary to the target machine

latest release

./enumy

Who Should Use Enumy?

Pentester can run on a target machine raisable issues for their reports.
CTF players can use it identify things that they might have missed.
People who are curious to know how many isues enumy finds on their local machine?

Options

$ ./enumy64 -h

 ▄█▀─▄▄▄▄▄▄▄─▀█▄  _____
 ▀█████████████▀ |   __|___ _ _ _____ _ _
     █▄███▄█     |   __|   | | |     | | |
      █████      |_____|_|_|___|_|_|_|_  |
      █▀█▀█                          |___|

------------------------------------------

Enumy - Used to enumerate the target environment and look for common
security [vulnerabilities](&lt;https://www.kitploit.com/search/label/vulnerabilities&gt; "vulnerabilities" ) and hostspots

 -o &lt;loc&gt;     Save results to location
 -i &lt;loc&gt;     Ignore files in this directory (usefull for network shares)
 -w &lt;loc&gt;     Only walk files in thi   s directory (usefull for devlopment)
 -t &lt;num&gt;     Threads (default 4)
 -f           Run full scans
 -d           Display [debugging](&lt;https://www.kitploit.com/search/label/Debugging&gt; "debugging" ) information
 -n           Enabled ncurses
 -h           Show help

Compilation
To compile during _ devlopment _ , make libcap and the ncurses libary is all that is required.

make

To remove the glibc dependency and statically link all libaries/compile with musl do the following. _ Note to do this you will have to have docker installed to create the apline build environment. _

./build.sh 64bit  ./build.sh 32bit  ./build.sh all  cd output

Scans That've Been Implemented
Below is the ever growing list of scans that have been implemented.

Quck Scan

SUID/GUID scans
File capabilities
Interesting files scan
Coredump scan
Breakout binary scan

Full Scan

Quick Scan
Binary analysis

Scan Times
Changing the default number of threads is pretty pointless unless you're running a full scan. A full scan will do a lot more IO so more threads greatly decrease scan times. These are the scan times with a i7-8700k and 2 million files scanned.

Quick Scan Times

2 Thread -> system 70% cpu 54.093 total
2 Thread -> system 121% cpu 26.122 total
4 Thread -> system 289% cpu 15.657 total
8 Threads -> system 468% cpu 15.863 total
12 Thread -> system 420% cpu 20.548 total

Full Scan Times

1 Thread -> system 50% cpu 3:16.38 total
2 Thread -> system 86% cpu 1:33.95 total
4 Thread -> system 165% cpu 47.753 total
8 Threads -> system 366% cpu 29.768 total
12 Thread -> system 467% cpu 29.815 total

How To Contribute

If you can think of a scan idea that has not been implemented, raise it as an issue.
Make a pull request, make sure that.
- Each scan is given a unique ID
- Multiple related scans are in the same file.
- No more than one scan/test per function.

Download Enumy

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:6384515767173020709", "bulletinFamily": "tools", "title": "Enumy - Linux Post Exploitation Privilege Escalation Enumeration", "description": "[ ![](https://1.bp.blogspot.com/-n_GKgqLlqFw/XsCE2zggfMI/AAAAAAAASn4/HRITC2CZR-Qj2bdOgDNIoQynwOrpLt3gwCNcBGAsYHQ/s1600/enumy.png) ](<https://1.bp.blogspot.com/-n_GKgqLlqFw/XsCE2zggfMI/AAAAAAAASn4/HRITC2CZR-Qj2bdOgDNIoQynwOrpLt3gwCNcBGAsYHQ/s1600/enumy.png>)\n\n \nEnumy is portable executable that you drop on target Linux machine during a [ pentest ](<https://www.kitploit.com/search/label/Pentest> \"pentest\" ) or CTF in the [ post exploitation ](<https://www.kitploit.com/search/label/Post%20Exploitation> \"post exploitation\" ) phase. Running enumy will enumerate the box for common security vulnerabilities. Enumy has a Htop like Ncurses interface or a standard interface for dumb reverse shells. \n \n** Installation ** \nYou can download the final binary from the release x86 or x64 tab. _ Statically linked to musl _ Transfer the final enumy binary to the target machine \n\n\n * [ latest release ](<https://github.com/luke-goddard/enumy/releases> \"latest release\" )\n \n \n ./enumy\n\n \n** Who Should Use Enumy? ** \n\n\n * Pentester can run on a target machine raisable issues for their reports. \n * CTF players can use it identify things that they might have missed. \n * People who are curious to know how many isues enumy finds on their local machine? \n \n** Options ** \n\n \n \n $ ./enumy64 -h\n \n \u2584\u2588\u2580\u2500\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2500\u2580\u2588\u2584 _____\n \u2580\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2580 | __|___ _ _ _____ _ _\n \u2588\u2584\u2588\u2588\u2588\u2584\u2588 | __| | | | | | |\n \u2588\u2588\u2588\u2588\u2588 |_____|_|_|___|_|_|_|_ |\n \u2588\u2580\u2588\u2580\u2588 |___|\n \n ------------------------------------------\n \n Enumy - Used to enumerate the target environment and look for common\n security [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) and hostspots\n \n -o <loc> Save results to location\n -i <loc> Ignore files in this directory (usefull for network shares)\n -w <loc> Only walk files in thi s directory (usefull for devlopment)\n -t <num> Threads (default 4)\n -f Run full scans\n -d Display [debugging](<https://www.kitploit.com/search/label/Debugging> \"debugging\" ) information\n -n Enabled ncurses\n -h Show help\n\n \n** Compilation ** \nTo compile during _ devlopment _ , make libcap and the ncurses libary is all that is required. \n\n \n \n make\n\nTo remove the glibc dependency and statically link all libaries/compile with musl do the following. _ Note to do this you will have to have docker installed to create the apline build environment. _ \n\n \n \n ./build.sh 64bit ./build.sh 32bit ./build.sh all cd output \n\n \n** Scans That've Been Implemented ** \nBelow is the ever growing list of scans that have been implemented. \n \n** Quck Scan ** \n\n\n * SUID/GUID scans \n * File capabilities \n * Interesting files scan \n * Coredump scan \n * Breakout binary scan \n \n** Full Scan ** \n\n\n * Quick Scan \n * Binary analysis \n \n** Scan Times ** \nChanging the default number of threads is pretty pointless ** unless ** you're running a full scan. A full scan will do a lot more IO so more threads greatly decrease scan times. These are the scan times with a i7-8700k and 2 million files scanned. \n \n** Quick Scan Times ** \n\n\n * 2 Thread -> ` system 70% cpu 54.093 total `\n * 2 Thread -> ` system 121% cpu 26.122 total `\n * 4 Thread -> ` system 289% cpu 15.657 total `\n * 8 Threads -> ` system 468% cpu 15.863 total `\n * 12 Thread -> ` system 420% cpu 20.548 total `\n \n** Full Scan Times ** \n\n\n * 1 Thread -> ` system 50% cpu 3:16.38 total `\n * 2 Thread -> ` system 86% cpu 1:33.95 total `\n * 4 Thread -> ` system 165% cpu 47.753 total `\n * 8 Threads -> ` system 366% cpu 29.768 total `\n * 12 Thread -> ` system 467% cpu 29.815 total `\n \n** How To Contribute ** \n\n\n * If you can think of a scan idea that has not been implemented, raise it as an issue. \n * Make a pull request, make sure that. \n * Each scan is given a unique ID \n * Multiple related scans are in the same file. \n * No more than one scan/test per function. \n \n \n\n\n** [ Download Enumy ](<https://github.com/luke-goddard/enumy> \"Download Enumy\" ) **\n", "published": "2020-06-01T12:30:08", "modified": "2020-06-01T12:30:08", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2020/06/enumy-linux-post-exploitation-privilege.html", "reporter": "KitPloit", "references": ["https://github.com/luke-goddard/enumy", "https://github.com/luke-goddard/enumy/releases"], "cvelist": [], "type": "kitploit", "lastseen": "2020-06-01T17:24:48", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "4a931512ce65bdc9ca6808adf92d8783"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "b4a6158c57965c1519b26e0d29518f27"}, {"key": "href", "hash": "7ba05897761df572f7572a4505e6c4df"}, {"key": "modified", "hash": "5ae4eab009d972d9aedb168d1dae7f8c"}, {"key": "published", "hash": "5ae4eab009d972d9aedb168d1dae7f8c"}, {"key": "references", "hash": "6083d31a8549cc553cc24e9a5ca9d089"}, {"key": "reporter", "hash": "aba454e3574969396c0dddcb45011dcc"}, {"key": "title", "hash": "aef7a75f4bdb8a54851c5ece17243d9d"}, {"key": "toolHref", "hash": "3e9086456211ab2b78b0a79e4a621a4d"}, {"key": "type", "hash": "4553be2119d862322dd6fec6bb385401"}], "hash": "ddba5ab9d4d4d9700e9f2e0c7d348dc50fb01d9a2e33b6a53dafa6b4dcabd5af", "viewCount": 74, "enchantments": {"dependencies": {"references": [], "modified": "2020-06-01T17:24:48", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2020-06-01T17:24:48", "rev": 2}, "vulnersScore": -0.1}, "objectVersion": "1.3", "toolHref": "https://github.com/luke-goddard/enumy"}