Update 2_container.sh

added CVE-2022-2588; reduced CVE color

build_lists/sensitive_files.yaml

@@ -413,7 +413,7 @@ search:
             exec:
             - 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
             - 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"'
-            - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'; fi
+            - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null; fi
             - if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi
             - "print_3title 'PHP exec extensions'"
             
@@ -442,11 +442,33 @@ search:
               value: 
                 bad_regex: "On"
                 remove_regex: "^;"
-                line_grep: '"allow_"'
+                line_grep: "allow_"
                 type: f
                 search_in: 
                     - common
             
+            - name: "nginx.conf"
+              value: 
+                bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
+                remove_regex: "#"
+                type: f
+                remove_empty_lines: True
+                search_in: 
+                    - common
+            
+            - name: "nginx"
+              value: 
+                type: d
+                files:
+                    - name: "*.conf"
+                      value:
+                        bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
+                        remove_empty_lines: True
+                        remove_regex: '#'
+                        remove_path: "nginx.conf"
+                search_in: 
+                    - common
+  
   - name: PHP Sessions
     value:
         config:

linPEAS/README.md

@@ -106,25 +106,36 @@ This script has **several lists** included inside of it to be able to **color th
 ```
 Enumerate and search Privilege Escalation vectors.
 This tool enum and search possible misconfigurations (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...) inside the host and highlight possible misconfigurations with colors.
-      -h To show this message
+        Checks:
-      -q Do not show banner
+            -o Only execute selected checks (system_information,container,cloud,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
+            -s Stealth & faster (don't check some time consuming checks)
             -e Perform extra enumeration
-      -s SuperFast (don't check some time consuming checks) - Stealth mode
+            -t Automatic network scan & Internet conectivity checks - This option writes to files
-      -a All checks except regexes - Noisy mode, for CTFs mainly
+            -r Enable Regexes (this can take from some mins to hours)
-      -r Activate Regexes (this can take from some mins to several hours)
-      -f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
-      -w Wait execution between big blocks of checks
-      -N Do not use colours
-      -D Debug mode
             -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
-      -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
+	    -D Debug mode
-      -L Force linpeas execution.
+
-      -M Force macpeas execution.
+        Network recon:
+            -t Automatic network scan & Internet conectivity checks - This option writes to files
 	    -d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
             -p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
             -i <IP> [-p <PORT(s)>] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
-      -t Automatic network scan (host discovery and port scanning) - This option writes to files
              Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
+
+        Port forwarding:
+            -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT Execute linpeas to forward a port from a local IP to a remote IP
+
+        Firmware recon:
+            -f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
+
+        Misc:
+            -h To show this message
+	    -w Wait execution between big blocks of checks
+            -L Force linpeas execution
+            -M Force macpeas execution
+	    -q Do not show banner
+            -N Do not use colours
+
 ```
 
 ## Hosts Discovery and Port Scanning

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -42,8 +42,17 @@ fi
 #-- https://stackoverflow.com/a/37939589
 kernelversion=$(uname -r | awk -F"-" '{print $1}')
 kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
-if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version beteen 5.8 and 5.17
+if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version between 5.8 and 5.17
-    echo "Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    echo "Potentially Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED},"
+    echo ""
+fi
+
+#-- SY) CVE-2022-2588
+#-- https://github.com/Markakd/CVE-2022-2588
+kernelversion=$(uname -r | awk -F"-" '{print $1}')
+kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
+if [ $kernelnumber -ge 3017000000 ] && [ $kernelnumber -lt 5019000000 ]; then # if kernel version between 3.17 and 5.19
+    echo "Potentially Vulnerable to CVE-2022-2588" | sed -${E} "s,.*,${SED_RED},"
     echo ""
 fi
 echo ""
@@ -162,7 +171,7 @@ if [ "$(command -v perl 2>/dev/null)" ]; then
     print_2title "Executing Linux Exploit Suggester 2"
     print_info "https://github.com/jondonas/linux-exploit-suggester-2"
     les2_b64="peass{LES2}"
-    echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
+    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
     echo ""
 fi
 

linPEAS/builder/linpeas_parts/2_container.sh

@@ -77,7 +77,7 @@ enumerateDockerSockets() {
   dockerVersion="$(echo_not_found)"
   if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
     SEARCHED_DOCKER_SOCKETS="1"
-    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -n -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
+    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
       if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
         if echo "$int_sock" | grep -Eq "docker"; then
           dock_sock="$int_sock"
@@ -285,26 +285,26 @@ if [ "$inContainer" ]; then
     print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
-    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n"
+    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n"
+    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n"
+    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n"
+    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n"
+    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n"
+    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/sys/kernel/security present ... $security_present\n"
+    print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/sys/kernel/security writable .. $security_writable\n"
+    print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
     if [ "$EXTRA_CHECKS" ]; then
-      print_list "/proc/kmsg readable ............ $kmsg_readable\n"
+      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n"
+      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/self/mem readable ........ $sched_debug_readable\n"
+      print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kcore readable ........... $kcore_readable\n"
+      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kmem readable ............ $kmem_readable\n"
+      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kmem writable ............ $kmem_writable\n"
+      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/mem readable ............. $mem_readable\n"
+      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/mem writable ............. $mem_writable\n"
+      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n"
+      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n"
+      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n"
+      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
     fi
     
     echo ""

linPEAS/builder/linpeas_parts/3_cloud.sh

@@ -187,11 +187,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then
 
     if [ "$aws_ecs_metadata_uri" ]; then
         print_3title "Container Info"
-        exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
         echo ""
         
         print_3title "Task Info"
-        exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
         echo ""
     else
         echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
@@ -199,7 +199,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
 
     if [ "$aws_ecs_service_account_uri" ]; then
         print_3title "IAM Role"
-        exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
         echo ""
     else
         echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
@@ -214,52 +214,52 @@ if [ "$is_aws_ec2" = "Yes" ]; then
     
     aws_req=""
     if [ "$(command -v curl)" ]; then
-        aws_req='curl -s -f -H "$HEADER"'
+        aws_req="curl -s -f -H '$HEADER'"
     elif [ "$(command -v wget)" ]; then
-        aws_req='wget -q -O - -H "$HEADER"'
+        aws_req="wget -q -O - -H '$HEADER'"
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi
   
     if [ "$aws_req" ]; then
-        printf "ami-id: "; $aws_req "$URL/ami-id"; echo ""
+        printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
-        printf "instance-action: "; $aws_req "$URL/instance-action"; echo ""
+        printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
-        printf "instance-id: "; $aws_req "$URL/instance-id"; echo ""
+        printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
-        printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo ""
+        printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
-        printf "instance-type: "; $aws_req "$URL/instance-type"; echo ""
+        printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
-        printf "region: "; $aws_req "$URL/placement/region"; echo ""
+        printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
 
         echo ""
         print_3title "Account Info"
-        exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo ""
+        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
 
         echo ""
         print_3title "Network Info"
-        for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
+        for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
           echo "Mac: $mac"
-          printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
+          printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
-          printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
+          printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
-          printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
+          printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
-          echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
+          echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
-          printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
+          printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
-          echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
+          echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
-          printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
+          printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
-          echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
+          echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
           echo ""
         done
 
         echo ""
         print_3title "IAM Role"
-        exec_with_jq $aws_req "$URL/iam/info"; echo ""
+        exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
-        for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
+        for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
           echo "Role: $role"
-          exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo ""
+          exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
           echo ""
         done
         
         echo ""
         print_3title "User Data"
-        $aws_req "http://169.254.169.254/latest/user-data"
+        eval $aws_req "http://169.254.169.254/latest/user-data"
     fi
 fi
 

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh

@@ -3,17 +3,18 @@
 #-----) Processes & Cron & Services & Timers (-----#
 ####################################################
 
-#-- PCS) Cleaned proccesses
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_2title "Cleaned processes"
+  #-- PCS) Cleaned proccesses
-if [ "$NOUSEPS" ]; then
+  print_2title "Cleaned processes"
+  if [ "$NOUSEPS" ]; then
     printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
-fi
+  fi
-print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
+  print_info "Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes"
 
-if [ "$NOUSEPS" ]; then
+  if [ "$NOUSEPS" ]; then
     print_ps | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
     pslist=$(print_ps)
-else
+  else
     (ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | while read psline; do
       echo "$psline"  | sed -${E} "s,$Wfolders,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED}," | sed -${E} "s,$processesVB,${SED_RED_YELLOW},g" | sed "s,$processesB,${SED_RED}," | sed -${E} "s,$processesDump,${SED_RED},"
       if [ "$(command -v capsh)" ] && ! echo "$psline" | grep -q root; then
@@ -37,52 +38,67 @@ else
       fi
     done
     ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
+  fi
+  echo ""
 fi
-echo ""
 
-#-- PCS) Files opened by processes belonging to other users
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-if ! [ "$IAMROOT" ]; then
+  #-- PCS) Files opened by processes belonging to other users
+  if ! [ "$IAMROOT" ]; then
     print_2title "Files opened by processes belonging to other users"
     print_info "This is usually empty because of the lack of privileges to read other user processes information"
     lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
     echo ""
+  fi
 fi
 
-#-- PCS) Processes with credentials inside memory
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_2title "Processes with credentials in memory (root req)"
+  #-- PCS) Processes with credentials inside memory
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
+  print_2title "Processes with credentials in memory (root req)"
-if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
-if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
+  if echo "$pslist" | grep -q "gdm-password"; then echo "gdm-password process found (dump creds from memory as root)" | sed "s,gdm-password process,${SED_RED},"; else echo_not_found "gdm-password"; fi
-if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
+  if echo "$pslist" | grep -q "gnome-keyring-daemon"; then echo "gnome-keyring-daemon process found (dump creds from memory as root)" | sed "s,gnome-keyring-daemon,${SED_RED},"; else echo_not_found "gnome-keyring-daemon"; fi
-if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
+  if echo "$pslist" | grep -q "lightdm"; then echo "lightdm process found (dump creds from memory as root)" | sed "s,lightdm,${SED_RED},"; else echo_not_found "lightdm"; fi
-if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
+  if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump creds from memory as root)" | sed "s,vsftpd,${SED_RED},"; else echo_not_found "vsftpd"; fi
-if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+  if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
-echo ""
+  if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
+  echo ""
+fi
 
-#-- PCS) Different processes 1 min
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
+  #-- PCS) Different processes 1 min
+  if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
     print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
     print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#frequent-cron-jobs"
     temp_file=$(mktemp)
     if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
     echo ""
+  fi
 fi
 
-#-- PCS) Cron
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_2title "Cron jobs"
+  #-- PCS) Cron
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  print_2title "Cron jobs"
-command -v crontab 2>/dev/null || echo_not_found "crontab"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
-crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
+  command -v crontab 2>/dev/null || echo_not_found "crontab"
-command -v incrontab 2>/dev/null || echo_not_found "incrontab"
+  crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
-incrontab -l 2>/dev/null
+  command -v incrontab 2>/dev/null || echo_not_found "incrontab"
-ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
+  incrontab -l 2>/dev/null
-cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
+  ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g"
-crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
+  cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d/* /var/spool/incron/* 2>/dev/null | tr -d "\r" | grep -v "^#" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE},"  | sed "s,root,${SED_RED},"
-ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+  crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
-atq 2>/dev/null
+  ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
+  atq 2>/dev/null
+else
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
+fi
 echo ""
 
-if [ "$MACPEAS" ]; then
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$MACPEAS" ]; then
     print_2title "Third party LaunchAgents & LaunchDemons"
     print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
     ls -l /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ~/Library/LaunchDaemons/ 2>/dev/null
@@ -119,30 +135,35 @@ if [ "$MACPEAS" ]; then
     print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#emond"
     ls -l /private/var/db/emondClients
     echo ""
+  fi
 fi
 
-#-- PCS) Services
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-if [ "$EXTRA_CHECKS" ]; then
+  #-- PCS) Services
+  if [ "$EXTRA_CHECKS" ]; then
     print_2title "Services"
     print_info "Search for outdated versions"
     (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
     echo ""
+  fi
 fi
 
-#-- PSC) systemd PATH
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_2title "Systemd PATH"
+  #-- PSC) systemd PATH
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
+  print_2title "Systemd PATH"
-systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
-WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
+  systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
-echo ""
+  WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
+  echo ""
+fi
 
 #-- PSC) .service files
 #TODO: .service files in MACOS are folders
 print_2title "Analyzing .service files"
 print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
 printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
-  if [ ! -O "$s" ]; then #Remove services that belongs to the current user
+  if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
       echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
     fi
     servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
@@ -165,17 +186,19 @@ done
 if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
 echo ""
 
-#-- PSC) Timers
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_2title "System timers"
+  #-- PSC) Timers
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
+  print_2title "System timers"
-(systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
-echo ""
+  (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
+  echo ""
+fi
 
 #-- PSC) .timer files
 print_2title "Analyzing .timer files"
 print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
 printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
-  if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
+  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
     echo "$t" | sed -${E} "s,.*,${SED_RED},g"
   fi
   timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
@@ -197,7 +220,7 @@ if ! [ "$IAMROOT" ]; then
   print_2title "Analyzing .socket files"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
   printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
       echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
     fi
     socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
@@ -215,6 +238,7 @@ if ! [ "$IAMROOT" ]; then
   done
   echo ""
   
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
     print_2title "Unix Sockets Listening"
     print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
     # Search sockets using netstat and ss
@@ -225,9 +249,14 @@ if ! [ "$IAMROOT" ]; then
     if ! [ "$unix_scks_list" ];then
       unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
     fi
+  fi
   
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
     # But also search socket files
     unix_scks_list2=$(find / -type s 2>/dev/null)
+  else
+    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
+  fi
 
   # Detele repeated dockets and check permissions
   (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
@@ -238,10 +267,20 @@ if ! [ "$IAMROOT" ]; then
     if [ -w "$l" ];then
       perms="${perms}Write"
     fi
+    
+    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then
+      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
+      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
+        perms="${perms} - Can Connect"
+      else
+        perms="${perms} - Cannot Connect"
+      fi
+    fi
+    
     if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
     else 
       echo "$l" | sed -${E} "s,$l,${SED_RED},g"
-      echo "  └─(${RED}${perms}${NC})"
+      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
       # Try to contact the socket
       socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
       if [ $? -eq 0 ]; then
@@ -260,7 +299,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-b
 if [ "$PSTORAGE_DBUS" ]; then
   printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
     for f in $d/*; do
-      if ! [ "$IAMROOT" ] && [ -w "$f" ]; then
+      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
         echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
       fi
 
@@ -282,10 +321,11 @@ if [ "$PSTORAGE_DBUS" ]; then
 fi
 echo ""
 
-print_2title "D-Bus Service Objects list"
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
+  print_2title "D-Bus Service Objects list"
-dbuslist=$(busctl list 2>/dev/null)
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
-if [ "$dbuslist" ]; then
+  dbuslist=$(busctl list 2>/dev/null)
+  if [ "$dbuslist" ]; then
     busctl list | while read line; do
       echo "$line" | sed -${E} "s,$dbuslistG,${SED_GREEN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$rootcommon,${SED_GREEN}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},";
       if ! echo "$line" | grep -qE "$dbuslistG"; then
@@ -296,5 +336,6 @@ if [ "$dbuslist" ]; then
         fi
       fi
     done
-else echo_not_found "busctl"
+  else echo_not_found "busctl"
+  fi
 fi

linPEAS/builder/linpeas_parts/5_network_information.sh

@@ -155,6 +155,10 @@ if [ "$AUTO_NETWORK_SCAN" ]; then
         echo ""
       fi
     done
+    
+    print_3title "Scanning top ports of host.docker.internal"
+    (tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
+    echo ""
   fi
 fi
 

linPEAS/builder/linpeas_parts/7_software_information.sh

@@ -5,14 +5,14 @@
 NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so"
 
 #-- SI) Useful software
-if ! [ "SEARCH_IN_FOLDER" ]; then
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Useful software"
   for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
   echo ""
 fi
 
 #-- SI) Search for compilers
-if ! [ "SEARCH_IN_FOLDER" ]; then
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Installed Compilers"
   (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
   echo ""
@@ -221,20 +221,30 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
   hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
   writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
+else
+  sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
+  hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
+  hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
+  writable_agents=$(find  ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
 fi
 
 peass{SSH}
 
 grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
 
-if [ "$TIMEOUT" ]; then
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  if [ "$TIMEOUT" ]; then
     privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
     privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
     privatekeyfilesroot=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /root 2>/dev/null)
     privatekeyfilesmnt=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /mnt 2>/dev/null)
-else
+  else
     privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
     privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
+  fi
+else
+  # If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware
+  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
 fi
 
 if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
@@ -267,7 +277,7 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
   ssh-add -l
   echo ""
 fi
-if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
+if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep "D - - 1"; then
   print_3title "Listing gpg keys cached in gpg-agent"
   gpg-connect-agent "keyinfo --list" /bye
   echo ""
@@ -284,29 +294,29 @@ fi
 if [ "$hostsdenied" ]; then
   print_3title "/etc/hosts.denied file found, read the rules:"
   printf "$hostsdenied\n"
-  cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
+  cat " ${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
   echo ""
 fi
 if [ "$hostsallow" ]; then
   print_3title "/etc/hosts.allow file found, trying to read the rules:"
   printf "$hostsallow\n"
-  cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
+  cat " ${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
   echo ""
 fi
 if [ "$sshconfig" ]; then
   echo ""
   echo "Searching inside /etc/ssh/ssh_config for interesting info"
-  grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
+  grep -v "^#"  ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
 fi
 echo ""
 
 peass{PAM Auth}
 
 #-- SI) Passwords inside pam.d
-pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#")
+pamdpass=$(grep -Ri "passwd"  ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#")
 if [ "$pamdpass" ] || [ "$DEBUG" ]; then
   print_2title "Passwords inside pam.d"
-  grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
+  grep -Ri "passwd"  ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
   echo ""
 fi
 
@@ -558,8 +568,9 @@ peass{Cache Vi}
 peass{Wget}
 
 ##-- SI) containerd installed
-containerd=$(command -v ctr)
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-if [ "$containerd" ] || [ "$DEBUG" ]; then
+  containerd=$(command -v ctr)
+  if [ "$containerd" ] || [ "$DEBUG" ]; then
     print_2title "Checking if containerd(ctr) is available"
     print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
     if [ "$containerd" ]; then
@@ -567,17 +578,20 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then
       ctr image list 2>&1
     fi
     echo ""
+  fi
 fi
 
 ##-- SI) runc installed
-runc=$(command -v runc)
+if ! [ "$SEARCH_IN_FOLDER" ]; then
-if [ "$runc" ] || [ "$DEBUG" ]; then
+  runc=$(command -v runc)
+  if [ "$runc" ] || [ "$DEBUG" ]; then
     print_2title "Checking if runc is available"
     print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation"
     if [ "$runc" ]; then
       echo "runc was found in $runc, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"
     fi
     echo ""
+  fi
 fi
 
 #-- SI) Docker

linPEAS/builder/linpeas_parts/8_interesting_files.sh

@@ -279,14 +279,25 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   fi
 fi
 
-##-- IF) Executable files added by user
+##-- IF) Date times inside firmware
-print_2title "Executable files added by user (limit 70)"
+if [ "$SEARCH_IN_FOLDER" ]; then
-if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "FIles datetimes inside the firmware (limit 50)"
-  find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
+  find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50
-else
+  echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"<date>\""
-  find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
+  echo ""
 fi
 
+##-- IF) Executable files added by user
+print_2title "Executable files potentially added by user (limit 70)"
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
+else
+  find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
+fi
+echo ""
+
+
+
 if [ "$MACPEAS" ]; then
   print_2title "Unsigned Applications"
   macosNotSigned /System/Applications
@@ -454,7 +465,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 
   ##-- IF) Mail applications
   print_2title "Searching installed mail applications"
-  ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps"
+  ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq
   echo ""
 
   ##-- IF) Mails

linPEAS/builder/linpeas_parts/linpeas_base.sh

@@ -65,6 +65,7 @@ DEBUG=""
 AUTO_NETWORK_SCAN=""
 EXTRA_CHECKS=""
 REGEXES=""
+PORT_FORWARD=""
 THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
 [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
@@ -87,6 +88,9 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
         ${YELLOW}    -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
         $GREEN     Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
       
+      ${GREEN}  Port forwarding:
+        ${YELLOW}    -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a local IP to a remote IP
+      
       ${GREEN}  Firmware recon:
         ${YELLOW}    -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
 	
@@ -98,7 +102,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
 	${YELLOW}    -q${BLUE} Do not show banner
         ${YELLOW}    -N${BLUE} Do not use colours$NC"
 
-while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
+while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
   case "$opt" in
     h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
     a)  FAST="";EXTRA_CHECKS="1";;
@@ -117,7 +121,15 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
     t)  AUTO_NETWORK_SCAN="1";;
     e)  EXTRA_CHECKS="1";;
     r)  REGEXES="1";;
-    f)  SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";;
+    f)  SEARCH_IN_FOLDER=$OPTARG;
+    	if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
+	  SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; 
+	fi;
+    	ROOT_FOLDER=$SEARCH_IN_FOLDER;
+	REGEXES="1";
+	CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_files,api_keys_regex";;
+	
+    F)  PORT_FORWARD=$OPTARG;;
     esac
 done
 
@@ -510,11 +522,11 @@ TIMEOUT="$(command -v timeout 2>/dev/null)"
 STRACE="$(command -v strace 2>/dev/null)"
 STRINGS="$(command -v strings 2>/dev/null)"
 
-shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
+shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
 
 notBackup="/tdbbackup$|/db_hotbackup$"
 
-cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|"
+cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|"
 cronjobsB="centreon"
 
 processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
@@ -577,7 +589,7 @@ elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then
   FOUND_BASH="/bin/bash";
 fi
 if [ "$FOUND_BASH" ]; then
-  SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n"
+  SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery, port scanning and port forwarding$LG ($SCRIPTNAME can discover hosts, scan ports, and forward ports. Learn more with -h)\n"
 fi
 
 FOUND_NC=$(command -v nc 2>/dev/null)
@@ -826,8 +838,8 @@ tcp_recon (){
   for port in $PORTS; do
     for j in $(seq 1 254)
     do
-      if [ "$FOUND_BASH" ] && [ "$$TIMEOUT" ]; then
+      if [ "$FOUND_BASH" ] && [ "$TIMEOUT" ]; then
-        $TIMEOUT 5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
+        $TIMEOUT 2.5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
       elif [ "$NC_SCAN" ]; then
         ($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
       fi
@@ -946,6 +958,24 @@ discovery_port_scan (){
 }
 
 
+port_forward (){
+  LOCAL_IP=$1
+  LOCAL_PORT=$2
+  REMOTE_IP=$3
+  REMOTE_PORT=$4
+
+  echo "In your local machine execute:"
+  echo "cd /tmp; rm backpipe; mknod backpipe p;"
+  echo "nc -lvnp $LOCAL_PORT 0<backpipe | nc -lvnp 9009 1>backpipe"
+  echo ""
+  echo "Press any key when you have executed the commands"
+  read -n 1
+
+  bash -c "exec 3<>/dev/tcp/$REMOTE_IP/$REMOTE_PORT; exec 4<>/dev/tcp/$LOCAL_IP/9009; cat <&3 >&4 & cat <&4 >&3 &"
+  echo "If not error was indicated, your local port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT"
+}
+
+
 ###########################################
 #---) Exporting history env variables (---#
 ###########################################
@@ -1031,11 +1061,45 @@ elif [ "$IP" ]; then
   exit 0
 fi
 
+if [ "$PORT_FORWARD" ]; then
+  if ! [ "$FOUND_BASH" ]; then
+    printf $RED"[-] Err: Port forwarding not possible, no bash in PATH\n"$NC;
+    exit 0
+  fi
+
+  LOCAL_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 1)"
+  LOCAL_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 2)"
+  REMOTE_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 3)"
+  REMOTE_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 4)"
+
+  if ! [ "$LOCAL_IP" ] || ! [ "$LOCAL_PORT" ] || ! [ "$REMOTE_IP" ] || ! [ "$REMOTE_PORT" ]; then
+    printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
+    exit 0
+  fi
+
+  #Check if LOCAL_PORT is a number
+  if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then
+    printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
+  fi
+
+  #Check if REMOTE_PORT is a number
+  if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then
+    printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
+  fi
+
+  port_forward "$LOCAL_IP" "$LOCAL_PORT" "$REMOTE_IP" "$REMOTE_PORT"
+  exit 0
+fi
+
 
 #Get HOMESEARCH
-HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")"
+if [ "$SEARCH_IN_FOLDER" ]; then
-if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder
+  HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/"
+else
+  HOMESEARCH="/home/ /Users/ /root/ /var/www $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users|^/var/www" | tr "\n" " ")"
+  if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users|^/var/www"; then #If not listed and not in /home, /Users/, /root, or /var/www add current home folder
     HOMESEARCH="$HOME $HOMESEARCH"
+  fi
 fi
 GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
 

linPEAS/builder/src/linpeasBuilder.py

@@ -173,11 +173,11 @@ class LinpeasBuilder:
                     
                     if type == "d": 
                         find_line += "-type d "
-                        bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}"
+                        bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
                         self.bash_find_d_vars.add(bash_find_var)
                         all_folder_regexes += regexes
                     else:
-                        bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}"
+                        bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
                         self.bash_find_f_vars.add(bash_find_var)
                         all_file_regexes += regexes
 
@@ -275,7 +275,7 @@ class LinpeasBuilder:
         analise_line = ""
         if init:
             analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
-            analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
+            analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" 2>/dev/null | sed -${E} "s,'+real_regex+',${SED_RED},"; '
 
         #If just list, just list the file/directory
         if frecord.just_list_file:
@@ -393,13 +393,13 @@ class LinpeasBuilder:
 
                 # If custom folder to search in
                 regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n'
-                regexes_search_section += "  timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
+                regexes_search_section += "  timeout 120 find \"$ROOT_FOLDER\" -type f -not -path \"*/node_modules/*\" -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
                 
                 # If search in all the file system
                 regexes_search_section += 'else\n'
                 for path in paths_to_search:
                     grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE"
-                    regexes_search_section += "  timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
+                    regexes_search_section += "  timeout 120 find "+path+" -type f -not -path \"*/node_modules/*\" -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
                 regexes_search_section += 'fi\n'
                 
                 regexes_search_section += "wait\n"

winPEAS/winPEASbat/README.md

@@ -2,7 +2,7 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
 
 Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
 

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/McAfee/McAfee.cs

@@ -135,7 +135,8 @@ namespace winPEAS.Info.FilesInfo.McAfee
 
             SHA1 crypto = new SHA1CryptoServiceProvider();
 
-            var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
+            //var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
+            byte[] tDESKey = { 62, 241, 54, 184, 179, 59, 239, 188, 52, 38, 167, 181, 78, 196, 26, 55, 124, 211, 25, 155, 0, 0, 0, 0 };
             
             // set the options we need
             var tDESalg = new TripleDESCryptoServiceProvider();