#!/bin/sh

## ---  --
##  --- -
##   ---  fts(2) [fts(2) xploit division]
##  - ---  http://benz.i1.net/fts/xploit
## --  ---
##   lsekure version one (lsekure.v1-fts.tgz)
##        local sekurity auditing tool

# basic color definitions (crackrock/bitchx style.. heh)
# ANSI SGR sequences used only for the interactive output; the log file
# receives plain text.  Each value should start with the ESC byte (\033)
# immediately before the '[' -- NOTE(review): that byte is not visible in
# this copy of the script, confirm it survived whatever copied the file.
blink="[5m"
cl="[0m"
blu="[34m"
mag="[35m"
cyn="[36m"
wht="[37m"
red="[31m"
grn="[32m"
yel="[33m"
hblk="[1;30m"
hgrn="[1;32m"
hblu="[1;34m"
hmag="[1;35m"
hcyn="[1;36m"
hwht="[1;37m"
hred="[1;31m"
hyel="[1;33m"
bblu="[44m"
bblk="[40m"
bred="[41m"
bgrn="[42m"
byel="[43m"
bmag="[45m"
bcyn="[46m"
bwht="[47m"
bg="[44m"
# status-line prefix printed before every step of the scan
lsver="${cl}${hblk}[${hcyn}l${cl}${cyn}sekure${hblk}]${mag}:${cl}${wht}"

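# Banner and preconditions.  The checks that follow read /etc/shadow and
# /etc/securetty, so root is required, and the file paths plus the inetd and
# netstat probes are Linux-specific.  Both preconditions exit 0 (the
# script's existing contract), so a caller cannot tell "did not run" from
# "no hole found" by exit status; it has to look at the log.
clear
echo "${hwht}---  --"
echo "${hwht} --- -"
echo "${hwht}  ---${cl}  ${hcyn}f${cl}${cyn}ts${mag}(${cyn}2${mag}) ${hblk}[${cl}${wht}fts(2) xploit division${hblk}]"
echo "${hwht} - ---${cl}  ${wht}http://benz.i1.net/fts/xploit"
echo "${hwht}--  ---"
echo "${cl}${hblk}[${cl}${wht}lsekure version one ${cyn}(${wht}lsekure.v1-fts.tgz${cyn})${hblk}]"
echo ""
# printf instead of 'echo -n': under a POSIX /bin/sh such as dash, 'echo -n'
# prints a literal "-n".
printf '%s' "$lsver press any key to set up our variables/etc for the scan.${hblk}.${cl}"
# shellcheck disable=SC2034 -- keypress only, the value is never used
read -r blah
echo ""
printf '%s' "$lsver checking for root priveledges.. "
# Test the effective uid rather than the name returned by whoami: the
# comparison is quoted and numeric, so a missing or failing whoami can no
# longer turn the test into a syntax error.
if [ "$(id -u)" != "0" ]; then
  echo " no."
  exit 0
fi
echo " yes."
printf '%s' "$lsver making sure were on a linux system.. "
if [ "$(uname)" != "Linux" ]; then
  echo " no."
  exit 0
fi
echo " yes."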

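# Log rotation and scan-wide variables.  An existing lsekure.log is moved
# to lsekure.log.old (one generation; an older .old is overwritten).  The
# log lives in the current directory, so run the script from a directory
# that only root can write to.
printf '%s' "$lsver checking for previous log files.. "
if [ -f lsekure.log ]; then
  mv -- lsekure.log lsekure.log.old
fi
echo " ok."
printf '%s' "$lsver setting required script variables.. "
l="lsekure.log"
lhost=$(hostname)
ldate=$(date)
lsys=$(uname -sr)
# Password field of the root entry ("x" or "*" once shadowed).  Anchored on
# '^root:' -- the former pattern ':root' matched any line with "root" in a
# later field (group, GECOS, home directory) and then cut the wrong field.
shadow_char=$(grep '^root:' /etc/passwd | cut -d: -f2)
srel="alpha three"
echo " done."

printf '%s' "$lsver setting up a new logfile.. "
# One redirection for the whole header instead of reopening the log per line.
{
  echo " ---  --"
  echo "  --- -"
  echo "   ---  fts(2) [fts(2) xploit division]"
  echo "  - ---  http://benz.i1.net/fts/xploit"
  echo " --  ---"
  echo "   lsekure version one (lsekure.v1-fts.tgz)"
  echo "        local sekurity auditing tool"
  echo ""
  echo "-- logfile: $lhost [$lsys] @ $ldate --"
  echo ""
} >>"$l"
echo " done."
echo ""
printf '%s' "$lsver systems ready. press any key to begin the scan.${hblk}.${cl}"
# shellcheck disable=SC2034 -- keypress only, the value is never used
read -r blah
echo ""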

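# Check 1: uid-0 accounts with an empty password field.  The pattern is
# anchored to the start of the line and to the field separators, so
# "name::0:" matches while a "::0" further along the line (GECOS text, or an
# empty uid followed by gid 0) does not -- the old unanchored 'grep ::0'
# matched both.
printf '%s' "$lsver checking for un-passworded root accounts.. "
if grep '^[^:]*::0:' /etc/passwd >/dev/null 2>&1; then
  echo " ${bred}${hwht}${blink}YES${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: un-password protected root accounts (listed below)"
    printf '%s' "[/etc/passwd]: "
    grep '^[^:]*::0:' /etc/passwd
    echo "Damage Possible: *ANYONE* can gain root access to your system!"
    echo "Commonly Affected Systems: *ix"
    # The former advice was to delete the line; for the real root entry that
    # leaves the system without a root account, so advise setting a password.
    echo "Quick Fix: set a password on the above account(s) with 'passwd <name>' (do not delete the root entry)."
    echo "Long-Term Fix: n/a"
    echo ""
  } >>"$l"
  exit 0
fi
echo " none."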

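# Check 2: presence of /etc/shadow.  Existence of the file is taken as
# "passwords are shadowed"; this does not verify that every hash has
# actually left /etc/passwd, and the per-account check later only looks
# for empty password fields.
printf '%s' "$lsver looking for /etc/shadow ${hblk}[${cl}${wht}shadowed /etc/passwd${hblk}]${cl}${wht}.. "
if [ ! -f /etc/shadow ]; then
  echo " ${bred}${hwht}${blink}no${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: un-shadowed passwd file"
    echo "Damage Possible: Any local may crack the systems passwords."
    echo "Commonly Affected Systems: Older Linux distrobutions"
    # The former quick fix was "chmod -r /etc/passwd".  Every uid/name lookup
    # on the system reads that file, so removing read access breaks logins
    # and most tools; the only real remedy is the shadow suite below.
    echo "Quick Fix: n/a (/etc/passwd must stay world-readable; see the long-term fix)"
    echo "Long-Term Fix: obtain the shadow password suite from the url below."
    echo "[x]: ftp://sunsite.unc.edu/pub/Linux/system/admin/shadow-971215.tar.gz"
    echo ""
  } >>"$l"
  exit 0
fi
echo " good."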

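# Check 3: any account with an empty password field.  /etc/passwd is read in
# place with a field-split read loop.  The previous version copied it to
# ./.passwd.tmp (a predictable name in the current directory, overwritten
# as root) and then rewrote that copy with 'cat f | grep -v ... > f', which
# truncates the file it is still reading; it also treated any password
# field not containing root's field as "un-passworded", which flagged
# locked ("*", "!") accounts.  Here "un-passworded" means an empty field.
printf '%s' "$lsver checking for ${hwht}any${cl}${wht} un-passworded accounts.. "
# '|| [ -n "$name" ]' keeps a last line that lacks a trailing newline.
# shellcheck disable=SC2034 -- 'rest' absorbs the remaining fields
while IFS=: read -r name pw rest || [ -n "$name" ]; do
  # skip blank lines and comments
  case "$name" in
    ''|'#'*) continue ;;
  esac
  if [ -z "$pw" ]; then
    echo " ${bred}${hwht}${blink}yes${cl}${wht}."
    echo ""
    echo "$lsver scan halting! the security hole found is listed in $l"
    {
      echo ">>> security hole found @ $(date) <<<"
      echo "Security Hole: un-password protected system accounts (listed below)"
      printf '%s' "[/etc/passwd]: "
      grep '^[^:]*::' /etc/passwd
      echo "Damage Possible: *ANYONE* can gain local access to your system."
      echo "Commonly Affected Systems: *ix"
      echo "Quick Fix: edit /etc/passwd and remove the above line."
      echo "Long-Term Fix: regularly parse through /etc/passwd and use the 'passwd'"
      echo "               command to add passwords for un-password protected users."
      echo ""
    } >>"$l"
    exit 0
  fi
done </etc/passwd
echo " none."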

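# Check 4: cleartext / trust-based inetd services that are still enabled.
# A service counts as open when /etc/inetd.conf has a line naming it that
# is not a comment.  The old test treated a '#' anywhere on the line as
# "commented out" and walked a counter through six if-blocks; a plain list
# keeps the same order, so the first service reported is unchanged.
# Setting no_inetd="1" near the top of this file skips the check (the log
# entry below says the same).
printf '%s' "$lsver looking for unnecessary inetd services ${hblk}[${cl}${wht}/etc/inetd.conf${hblk}]${cl}${wht}.. "
if [ "${no_inetd:-0}" != "1" ] && [ -f /etc/inetd.conf ]; then
  for serv in in.telnetd in.ftpd in.fingerd in.rshd in.rlogind imapd; do
    # -F: the '.' in the names is literal, not a regex wildcard.
    if grep -F -- "$serv" /etc/inetd.conf | grep -v '^[[:space:]]*#' >/dev/null 2>&1; then
      echo " ${bred}${hwht}${blink}yes${cl}${wht}."
      echo ""
      echo "$lsver scan halting! the security hole found is listed in $l"
      {
        echo ">>> security hole found @ $(date) <<<"
        echo "Security Hole: hazardous inetd service open ($serv)"
        echo "Damage Possible: passwords may be brute-forced, etc.. "
        echo "Commonly Affected Systems: Linux x.x.x"
        echo "Quick Fix: comment out the line containing $serv in /etc/inetd.conf"
        echo "Long-Term Fix: n/a"
        echo "NOTE: if you wish to leave this service open, add the line 'no_inetd=1'"
        echo "      to this file ($0) somewhere towards the top."
        echo ""
      } >>"$l"
      exit 0
    fi
  done
fi
echo " done."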

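# Check 5: NFS exports mounted read-write.  An auditor must not create the
# files it inspects: the old code appended a blank line to /etc/exports
# when it was missing.  A missing file simply means nothing is exported.
# 'rw' is only recognised as an export option -- preceded by '(' or ',' and
# followed by ',' or ')' -- so hostnames or paths that happen to contain the
# letters "rw" no longer trigger a finding; comment lines are ignored.
# Setting no_exports="1" near the top of this file skips the check.
printf '%s' "$lsver checking for writable nfsd exports ${hblk}[${cl}${wht}/etc/exports${hblk}]${cl}${wht}.. "
if [ "${no_exports:-0}" != "1" ] && [ -f /etc/exports ] \
   && grep -v '^[[:space:]]*#' /etc/exports | grep -E '[(,]rw[,)]' >/dev/null 2>&1; then
  echo " ${bred}${hwht}${blink}yes${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: /etc/exports contains writable filesystems"
    echo "Damage Possible: the system could possibly be compromised via nfsd"
    echo "Commonly Affected Systems: Linux (running rpc.nfsd)"
    echo "Quick Fix: rm /etc/exports"
    echo "Long-Term Fix: n/a"
    echo "NOTE: if you are satisfied with your nfsd security, add the line"
    echo "      'no_exports=1' to this file ($0) somewhere towards the top."
  } >>"$l"
  exit 0
fi
echo " none."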

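# Check 6: a /root/.rhosts file.  [ -e ] replaces 'ls ... | grep' -- same
# result (present or not) without spawning two processes.
printf '%s' "$lsver checking for existance of /root/.rhosts ${hblk}[${cl}${wht}remote login files${hblk}]${cl}${wht}.. "
if [ -e /root/.rhosts ]; then
  echo " ${bred}${hwht}${blink}yes${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: /root/.rhosts exploitable"
    echo "Damage Possible: the system can possible be compromised via rlogin"
    # The old line named rpc.nfsd here (copied from the exports check); the
    # daemons that honour .rhosts are the r-services.
    echo "Commonly Affected Systems: Linux (running in.rlogind / in.rshd)"
    echo "Quick Fix: rm /root/.rhosts"
    echo "Long-Term Fix: n/a"
    echo ""
  } >>"$l"
  exit 0
fi
echo " none."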

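# Check 7: root login permitted on pseudo-terminals via /etc/securetty.
# The script's premise is that listing a pty there lets root log in over
# the network.  ttyp* are the BSD-style pty names the original looked for;
# pts/* are the devpts names newer kernels use for the same devices, so
# both are treated the same way.  Comment lines are ignored.
printf '%s' "$lsver checking for allowance of remote root logins ${hblk}[${cl}${wht}/etc/securetty${hblk}]${cl}${wht}.. "
if [ ! -f /etc/securetty ]; then
  echo " ${bred}${hwht}${blink}uhoh${cl}${wht}."
  echo ""
  echo "$lsver you dont *have* an /etc/securetty file ${hblk}[${cl}${wht}not good${hblk}]${cl}${wht}.. "
  exit 0
fi

if grep -v '^[[:space:]]*#' /etc/securetty | grep -e 'ttyp' -e 'pts/' >/dev/null 2>&1; then
  echo " ${bred}${hwht}${blink}yes${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: Remote root logins are allowed [/etc/securetty]"
    echo "Damage Possible: Anyone with the root password can remotely login."
    echo "Commonly Affected Systems: Linux x.x.x"
    # The old quick fix piped /etc/securetty through grep back into itself,
    # which truncates the file before grep reads it; write a new file and
    # rename it over the original instead.
    echo "Quick Fix: grep -v -e ttyp -e pts/ /etc/securetty > /etc/securetty.new && mv /etc/securetty.new /etc/securetty"
    echo "Long-Term Fix: n/a"
    echo ""
  } >>"$l"
  exit 0
fi
echo " no."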

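# Check 8: setuid bit on /bin/su.  [ -u ] tests the bit directly; the old
# 'ls -al | grep rws' also matched a setgid bit (rws in the group column)
# and any "rws" in a path name.
# NOTE(review): su normally has to be setuid root to work at all, so this
# finding is expected on most systems, and the 'chmod -s' advice below
# disables su for non-root users.  The check is kept as the author designed
# it; read the log entry with that in mind.
printf '%s' "$lsver checking permissions of /bin/su.. "
if [ -u /bin/su ]; then
  echo " ${bred}${hwht}${blink}suid root${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: /bin/su is suid root (+s)"
    echo "Damage Possible: local users can obtain root access (with root password)"
    echo "Commonly Affected Systems: Linux (unsecured)"
    echo "Quick Fix: chmod -s /bin/su"
    echo "Long-Term Fix: rm /bin/su (not recommended)"
    echo ""
  } >>"$l"
  exit 0
fi
echo " ok."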

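# Check 9: autofs root.c without the d_name.len bound (the kernel source
# tree is used as a proxy for the running kernel).  Read-only: the old code
# tested the directory with -f (always false for a directory) and then
# created a /usr/src/linux symlink to the versioned tree as a side effect.
# Both locations are simply looked at and the filesystem is left alone.
printf '%s' "$lsver looking for vuln. root.c in /usr/src/linux/fs/autofs.. "
autofs_root=""
for srcdir in /usr/src/linux "/usr/src/linux-$(uname -r)"; do
  if [ -f "$srcdir/fs/autofs/root.c" ]; then
    autofs_root="$srcdir/fs/autofs/root.c"
    break
  fi
done
# -F: the '.' and '>' in the fixed-up line are literal text.
if [ -n "$autofs_root" ] \
   && ! grep -F -- 'if (dentry->d_name.len > 255)' "$autofs_root" >/dev/null 2>&1; then
  echo " ${bred}${hwht}${blink}yes${cl}${wht}."
  echo ""
  echo "$lsver scan halting! the security hole found is listed in $l"
  {
    echo ">>> security hole found @ $(date) <<<"
    echo "Security Hole: kernel $(uname -r) vulnerable to autofs overflow"
    echo "Damage Possible: possible root compromise / kernel can be crashed"
    echo "Commonly Affected Systems: Linux 2.0.35 - 2.2.1"
    echo "Quick Fix: n/a"
    echo "Long-Term Fix: follow the attached lsekure documentation (./doc/patches/autofs)"
    echo ""
  } >>"$l"
  exit 0
fi
echo " ok."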

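# Check 10: listening daemons with known-bad versions (BIND, wu-ftpd).
printf '%s' "$lsver looking for remotely exploitable daemons ${hblk}[${cl}${wht}netstat -a${hblk}]${cl}${wht}.."
# BIND: ask the local resolver for its version string via the bundled
# ./bin/binfo-udp helper and compare it against the listed releases.
# bvuln is initialised here so a value inherited from the environment
# cannot produce a finding on its own.
bvuln="0"
if netstat -a | grep ':domain' >/dev/null 2>&1; then
  netmp=$(./bin/binfo-udp localhost)
  for badver in 4.9 8.1.1 8.1-REL; do
    # -F: the dots in the version strings are literal
    if echo "$netmp" | grep -F -- "$badver" >/dev/null 2>&1; then
      bvuln="1"
    fi
  done
  if [ "$bvuln" = "1" ]; then
    echo " ${bred}${hwht}${blink}YES${cl}${wht}."
    echo ""
    echo "$lsver scan halting! the security hole found is listed in $l"
    {
      echo ">>> security hole found @ $(date) <<<"
      echo "Security Hole: A vulnerable version of BIND is running"
      echo "Damage Possible: root priveledges can be obtained REMOTELY!"
      echo "Commonly Affected Systems: x86 Linux 2.0.x / FreeBSD 3.x (nameservers)"
      echo "Quick Fix: killall -9 named"
      echo "Long-Term Fix: Install the latest stable release of BIND from the URL below:"
      echo "[x]: ftp://ftp.isc.org/isc/bind/src/testing/"
      echo ""
    } >>"$l"
    exit 0
  fi
fi
# wu-ftpd: capture the greeting of the local FTP server.  telnet runs in
# the background for one second and is then killed so it does not stay
# attached to the connection; the banner goes to a mktemp file (with a
# pid-suffixed fallback where mktemp is unavailable) instead of a fixed
# ./.ftp.tmp, and the file is removed on every path.
if netstat -a | grep ':ftp' >/dev/null 2>&1; then
  ftp_tmp=$(mktemp 2>/dev/null) || ftp_tmp=".ftp.tmp.$$"
  telnet localhost 21 >"$ftp_tmp" 2>&1 &
  tpid=$!
  sleep 1
  kill "$tpid" >/dev/null 2>&1
  # -F: the square brackets are part of the banner, not a character class
  # (as a regex the old pattern matched "academ" followed by one character).
  if grep -F -- 'wu-2.4.2-academ[BETA-18]' "$ftp_tmp" >/dev/null 2>&1; then
    echo " ${bred}${hwht}${blink}YES${cl}${wht}."
    echo ""
    echo "$lsver scan halting! the security hole found is listed in $l"
    {
      echo ">>> security hole found @ $(date) <<<"
      echo "Security Hole: A vulnerable version of wu-ftpd is running"
      echo "Damage Possible: root priveledges may be obtained REMOTELY!"
      echo "Commonly Affected Systems: *ix ftp servers"
      # The old quick fix redirected grep's output back into the file it was
      # reading, which empties /etc/inetd.conf; write a new file and rename.
      echo "Quick Fix: grep -v in.ftpd /etc/inetd.conf > /etc/inetd.conf.new && mv /etc/inetd.conf.new /etc/inetd.conf"
      echo "Long-Term Fix: Install the latest stable release of wu-ftpd from the URL below:"
      echo "[x]: ftp://ftp.academ.com/pub/wu-ftpd/"
      echo ""
    } >>"$l"
    rm -f -- "$ftp_tmp"
    exit 0
  fi
  rm -f -- "$ftp_tmp"
fi
echo " none."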

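# Reached only when no check halted the scan, which is why the report can
# say "decent".  Remove the scratch copy of /etc/passwd if the account check
# left one behind (-f: no error when it is absent).
rm -f -- .passwd.tmp

echo ""
echo "$lsver lsekure $srel scan complete.. ${hblk}[${cl}${wht}eof${hblk}]${cl}"
{
  echo ">>> security report @ $(date) <<<"
  echo "System: $lhost [$(uname -sr)]"
  echo "Uptime: $(uptime)"
  echo "Sekurity Status: decent.."
  echo ">>> eof <<<"
} >>"$l"
exit 0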


