Top Related Projects
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Linux privilege escalation auditing tool
Next-Generation Linux Kernel Exploit Suggester
Scripted Local Linux Enumeration & Privilege Escalation Checks
linuxprivchecker.py -- a Linux Privilege Escalation Check Script
Privilege Escalation Project - Windows / Linux / Mac
Quick Overview
Linux Exploit Suggester is a Perl script designed to identify potential security vulnerabilities in Linux systems. It analyzes the target system's kernel version and installed packages, then suggests possible exploits that could be used to escalate privileges or gain unauthorized access.
Pros
- Helps identify potential security vulnerabilities quickly
- Regularly updated with new exploit information
- Can be run without root privileges
- Lightweight and easy to use
Cons
- May produce false positives
- Requires manual verification of suggested exploits
- Limited to known vulnerabilities and exploits
- Effectiveness depends on the accuracy of its exploit database
Getting Started
To use Linux Exploit Suggester:
-
Download the script:
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh -
Make the script executable:
chmod +x linux-exploit-suggester.sh -
Run the script:
./linux-exploit-suggester.sh
For more options, use the -h flag:
./linux-exploit-suggester.sh -h
Note: This tool should be used responsibly and only on systems you have permission to test.
Competitor Comparisons
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Pros of PEASS-ng
- More comprehensive, covering both Linux and Windows systems
- Actively maintained with frequent updates
- Includes additional features like privilege escalation techniques and enumeration scripts
Cons of PEASS-ng
- Larger codebase, potentially more complex to use and maintain
- May have a steeper learning curve for beginners
- Could trigger more false positives due to its extensive checks
Code Comparison
PEASS-ng (LinPEAS):
if [ "$(command -v nmap)" ]; then
echo "nmap was found in PATH"
nmap_loc="$(command -v nmap)"
echo "nmap location: $nmap_loc"
nmap_version=$(nmap --version | grep "Nmap version" | cut -d " " -f3)
echo "nmap version: $nmap_version"
fi
linux-exploit-suggester:
if [ -x "$(command -v nmap)" ]; then
printf "%b" "$GREEN"
printf "nmap is installed\n"
printf "%b" "$RESET"
else
printf "%b" "$RED"
printf "nmap is not installed\n"
printf "%b" "$RESET"
fi
Both scripts check for the presence of nmap, but PEASS-ng provides more detailed information about its location and version, while linux-exploit-suggester focuses on a simple installed/not installed check.
Linux privilege escalation auditing tool
Pros of linux-exploit-suggester
- More actively maintained with recent updates
- Includes a wider range of exploits and vulnerabilities
- Offers better compatibility with modern Linux distributions
Cons of linux-exploit-suggester
- May have a steeper learning curve for beginners
- Potentially slower execution due to more comprehensive checks
Code Comparison
linux-exploit-suggester:
#!/bin/bash
VERSION=v1.1
# Parse command line arguments
while [[ $# -gt 0 ]]; do
key="$1"
linux-exploit-suggester>:
#!/bin/bash
VERSION=v0.9
# Parse command line arguments
while [[ $# -gt 0 ]]; do
key="$1"
The code snippets show that linux-exploit-suggester has a more recent version number, indicating more frequent updates and potentially improved features or bug fixes.
Both repositories serve similar purposes in identifying potential Linux vulnerabilities, but linux-exploit-suggester appears to be the more up-to-date and comprehensive option. However, users should consider their specific needs and skill level when choosing between the two tools.
Next-Generation Linux Kernel Exploit Suggester
Pros of linux-exploit-suggester-2
- More recent updates and active maintenance
- Improved performance and faster execution
- Enhanced detection capabilities for newer vulnerabilities
Cons of linux-exploit-suggester-2
- Less comprehensive documentation compared to the original
- Fewer configuration options and customization features
- Smaller community and fewer contributors
Code Comparison
linux-exploit-suggester:
#!/bin/bash
VERSION=v0.9
LAST_EDIT="2018-06-13"
linux-exploit-suggester-2:
#!/usr/bin/perl
$VERSION = "2.0";
The original linux-exploit-suggester is written in Bash, while linux-exploit-suggester-2 is implemented in Perl. This change in programming language may contribute to the performance improvements in the newer version.
linux-exploit-suggester-2 has a more streamlined codebase, which can lead to faster execution times. However, the original version offers more extensive comments and documentation within the code itself.
Both tools serve similar purposes, aiming to identify potential kernel vulnerabilities on Linux systems. The choice between them may depend on specific requirements, such as execution speed, compatibility, or the need for the latest vulnerability detections.
Scripted Local Linux Enumeration & Privilege Escalation Checks
Pros of LinEnum
- More comprehensive system enumeration, covering a wider range of system information
- Includes checks for sensitive files and potential misconfigurations
- Actively maintained with regular updates and contributions
Cons of LinEnum
- Larger script size, potentially slower execution on target systems
- May generate more noise in output, requiring more analysis to identify critical issues
- Less focused on specific exploit suggestions
Code Comparison
LinEnum:
#!/bin/bash
version="0.982"
# ... (extensive system checks and enumeration logic)
cat $report
linux-exploit-suggester:
#!/usr/bin/env bash
VERSION=v1.1 (2021-11-23)
# ... (focused on kernel version checks and exploit matching)
print_exploits
LinEnum provides a more comprehensive system analysis, while linux-exploit-suggester focuses specifically on identifying potential kernel exploits based on the system version. LinEnum's code is more extensive, covering various system aspects, whereas linux-exploit-suggester has a more targeted approach to exploit suggestion.
linuxprivchecker.py -- a Linux Privilege Escalation Check Script
Pros of linuxprivchecker
- More comprehensive system information gathering, including network configurations and installed packages
- Provides a detailed report of potential privilege escalation vectors
- Actively maintained with recent updates
Cons of linuxprivchecker
- Focuses more on information gathering rather than suggesting specific exploits
- May require more manual analysis of the output to identify vulnerabilities
- Larger script size, potentially less suitable for quick deployment in constrained environments
Code Comparison
linuxprivchecker:
def get_system_info():
print("[*] GETTING SYSTEM INFO...\n")
results = []
sysInfo = {"OS": execute("cat /etc/issue").strip('\n\r\t'),
"Kernel": execute("uname -r"),
"Hostname": execute("hostname")}
results.append(sysInfo)
return results
linux-exploit-suggester:
get_system_information() {
printf "\n[+] Collecting system information\n"
printf " Linux Kernel: "
uname -sr
printf " OS: "
[ -f /etc/os-release ] && cat /etc/os-release | grep -E "^(NAME|VERSION)=" | tr '\n' ' '
[ -f /etc/lsb-release ] && cat /etc/lsb-release | grep -E "^(DISTRIB_ID|DISTRIB_RELEASE)=" | tr '\n' ' '
printf "\n"
}
Both scripts gather system information, but linuxprivchecker uses Python and provides more structured output, while linux-exploit-suggester uses Bash and focuses on kernel and OS version information.
Privilege Escalation Project - Windows / Linux / Mac
Pros of BeRoot
- Multi-platform support (Windows, Linux, macOS)
- Comprehensive privilege escalation checks beyond kernel exploits
- Active development and regular updates
Cons of BeRoot
- Larger codebase, potentially slower execution
- Requires Python environment to run
- May produce more false positives due to broader scope
Code Comparison
BeRoot (Python):
def check_suid_bin():
suid = []
for path in os.environ['PATH'].split(':'):
for file in os.listdir(path):
try:
if os.stat(os.path.join(path, file)).st_mode & stat.S_ISUID:
suid.append(os.path.join(path, file))
except:
pass
return suid
linux-exploit-suggester (Bash):
version_compare() {
[ "$1" = "$2" ] && return 0
ver1front=$(echo "$1" | cut -d "." -f -1)
ver1back=$(echo "$1" | cut -d "." -f 2-)
ver2front=$(echo "$2" | cut -d "." -f -1)
ver2back=$(echo "$2" | cut -d "." -f 2-)
[ "$ver1front" -gt "$ver2front" ] && return 0
[ "$ver1front" -lt "$ver2front" ] && return 1
[ "$ver1back" ] || [ "$ver2back" ] || return 0
version_compare "$ver1back" "$ver2back"
}
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
LES: Linux privilege escalation auditing tool
Quick download:
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
Details about LES usage and inner workings:
https://mzet-.github.io/2019/05/10/les-paper.html
Additional resources for the LES:
https://github.com/mzet-/les-res
Purpose
LES tool is designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine. It provides following functionality:
Assessing kernel exposure on publicly known exploits
Tool assesses (using heuristics methods discussed in details here) exposure of the given kernel to publicly known Linux kernel exploits. Example of tool output:
$ ./linux-exploit-suggester.sh
...
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,[ ubuntu=14.04 ]{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: probable
Tags: [ ubuntu=14.04{kernel:4.4.0-*} ],ubuntu=16.04{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: probable
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
...
For each exploit, exposure is calculated. Following 'Exposure' states are possible:
-
Highly probable - assessed kernel is most probably affected and there's a very good chance that PoC exploit will work out of the box without any major modifications.
-
Probable - it's possible that exploit will work but most likely customization of PoC exploit will be needed to suit your target.
-
Less probable - additional manual analysis is needed to verify if kernel is affected.
-
Unprobable - highly unlikely that kernel is affected (exploit is not displayed in the tool's output)
Verifying state of kernel hardening security measures
LES can check for most of security settings available by your Linux kernel. It verifies not only the kernel compile-time configurations (CONFIGs) but also verifies run-time settings (sysctl) giving more complete picture of security posture for running kernel. This functionality is modern continuation of --kernel switch from checksec.sh tool by Tobias Klein. Example of tool output:
$ ./linux-exploit-suggester.sh --checksec
Mainline kernel protection mechanisms:
[ Disabled ] GCC stack protector support (CONFIG_HAVE_STACKPROTECTOR)
https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md
[ Disabled ] GCC stack protector STRONG support (CONFIG_STACKPROTECTOR_STRONG)
https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md
[ Enabled ] Low address space to protect from user allocation (CONFIG_DEFAULT_MMAP_MIN_ADDR)
https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md
[ Disabled ] Restrict unprivileged access to kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT)
https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md
[ Enabled ] Randomize the address of the kernel image (KASLR) (CONFIG_RANDOMIZE_BASE)
https://github.com/mzet-/les-res/blob/master/features/kaslr.md
[ Disabled ] Hardened user copy support (CONFIG_HARDENED_USERCOPY)
https://github.com/mzet-/les-res/blob/master/features/hardened_usercopy.md
...
Usage
Assess exposure of the Linux box to publicly known exploits:
$ ./linux-exploit-suggester.sh
Show state of security features on the Linux box:
$ ./linux-exploit-suggester.sh --checksec
Assess exposure of Linux kernel on publicly known exploits based on the provided 'uname' string (i.e. output of uname -a command):
$ ./linux-exploit-suggester.sh --uname <uname-string>
For more usage examples, see here.
Getting involved
You hopefully now know what LES is and what it can do for you. Now see what you can do for LES:
- Add newly published Linux privilege escalation exploits to it.
- Test existing exploits on various Linux distributions with multiple kernel versions, then document your findings in a form of
Tagsin LES, e.g. of a tag:ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}which states: tagged exploit was verifed to work correctly on Ubuntu 12.04 with kernels: 3.2.0-23-generic, 3.2.0-29-generic, 3.5.0-23-generic and 3.5.0-29-generic;. With this tag added LES will automatically highlight and bump dynamicRankof the exploit when run on Ubuntu 12.04 with one of listed kernel versions. This will help you (and others) during pentests to rapidly identify critically vulnerable Linux machines. - Published exploits are often written only for PoC purposes only for one (or couple of) specific Linux distributions and/or kernel version(s). Pick sources of the exploit of choice and customize it to run on different kernel version(s). Then add your customized version of exploit as
ext-urlentry to LES and modifyTagsto reflect newly added targets. See this article for an excellent example of adapting specific PoC exploit to different kernel versions. - Conduct source code analysis of chosen kernel hardening security measure then add it to the
FEATURESarray (if not already there) and publish your analysis at:https://github.com/mzet-/les-res/blob/master/features/<feature-name>.md.
Acknowledgments
bcoles for his excellent and frequent contributions to LES.
Top Related Projects
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Linux privilege escalation auditing tool
Next-Generation Linux Kernel Exploit Suggester
Scripted Local Linux Enumeration & Privilege Escalation Checks
linuxprivchecker.py -- a Linux Privilege Escalation Check Script
Privilege Escalation Project - Windows / Linux / Mac
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot