No products in the cart.
Installation
You can download the final binary from the release x86 or x64 tab. Statically linked to musl Transfer the final enumy binary to the target machine.
./enumy
Who Should Use Enumy
- Pentester can run on a target machine raisable issues for their reports.
- CTF players can use it to identify things that they might have missed.
- People, who are curious to know how many issues enumy finds on their local machine?
Options
$ ./enumy64 -h
▄█▀─▄▄▄▄▄▄▄─▀█▄ _____
▀█████████████▀ | __|___ _ _ _____ _ _
█▄███▄█ | __| | | | | | |
█████ |_____|_|_|___|_|_|_|_ |
█▀█▀█ |___|
------------------------------------------
Enumy - Used to enumerate the target environment and look for common
security vulnerabilities and hostspots
-o <loc> Save results to location
-i <loc> Ignore files in this directory (usefull for network shares)
-w <loc> Only walk files in this directory (usefull for devlopment)
-t <num> Threads (default 4)
-f Run full scans
-s Show missing shared libaries
-d Debug mode
-h Show help
Compilation
To compile during devlopment, make and libcap library is all that is required.
sudo apt-get install libcap-dev
make
To remove the glibc dependency and statically link all libraries/compile with musl do the following. Note to do this you will have to have docker installed to create the apline build environment.
./build.sh 64bit
./build.sh 32bit
./build.sh all
cd output
Scans That've Been Implemented
Below is the ever-growing list of scans that have been implemented.
| Scan Type | Quick scan | Full Scan | Implemented |
|---|---|---|---|
| SUID/GUID Scan | ✔️ | ✔️ | ✔️ |
| File Capabilities Scan | ✔️ | ✔️ | ✔️ |
| Intresting Files Scan | ✔️ | ✔️ | ✔️ |
| Coredump Scan | ✔️ | ✔️ | ✔️ |
| Breakout Binaries Scan | ✔️ | ✔️ | ✔️ |
| SSHD Configuration Scan | ✔️ | ✔️ | ✔️ |
| Sysctl Scan | ✔️ | ✔️ | ✔️ |
| Living Off The Land Scan | ✔️ | ✔️ | ✔️ |
| Current User Scan | ✔️ | ✔️ | ✔️ |
| *.so Injection Scan | ❌ | ✔️ | ✔️ |
| Permissions Scan | ❌ | ✔️ | ❌ |
| Docker Scan | ✔️ | ✔️ | ❌ |
| Environment Scan | ✔️ | ✔️ | ❌ |
| Privilaged Access Scan | ✔️ | ✔️ | ❌ |
| Networking Scan | ✔️ | ✔️ | ❌ |
| System Info Scan | ✔️ | ✔️ | ❌ |
| Verion Information Scan | ✔️ | ✔️ | ❌ |
| Default Weak Credentials Scan | ✔️ | ✔️ | ❌ |
| Weak Crypto Scan | ❌ | ✔️ | ❌ |
Scan Times
Changing the default number of threads is pretty pointless unless you're running a full scan. A full scan will do a lot more IO so more threads greatly decrease scan times. These are the scan times with a i7-8700k and 2 million files scanned. 🐂
Scan types
SUID GUID Scan
The idea of this scan is to enumerate the system looking for SUID/GUID binaries that are abnormal or have weak permissions that can be exploited.
File Capabilities Scan
Recently the Linux kernel supports capablities, this is the preferred way to give a file a subset of root's powers to mitigate risk. Although this is a much safer way of doing things, if you're lucky enough to find abnormal capabilities set on a file then it's quite possible that you can exploit the executable to gain higher access. Enumy will check the capabilities set on all executable files on the system.
Interesting Files Scan
This is more of a generic scan that will try and categorize a file-based off its contents, file extension, and file name. Enumy will look for files such as private keys, passwords, and backup files.
Coredump Scan
Coredump files are a type of ELF file that contains a process's address space when the program terminates unexpectedly. Now imagine if this process's memory was readable and contained sensitive information. Or even more exciting, this coredump could be for an internally developed tool that segfaulted, allowing you to develop a zero-day.
Breakout Binary Scan
Some files should never have SUID bit set, it quite common for a lazy sysadmin to give a file like a docker, ionice, hexdump SUID make a bash script work or there life easier. This scan tries to find some known bad SUID binaries.
Sysctl Parameter Hardening
Sysctl is used to modify kernel parameters at runtime. It's also possible to query these kernel parameters and check to see if important security measures like ASLR are enabled.
Living Off The Land scan
Living off the land is a technique used where attackers weaponize what's already on the system. They do this to remain stealthy amongst other reasons. This scan would enumerate the files that an attacker would be looking for.
Dynamic Shared Object Injection Scan
This scan will parse ELF files for their dependencies. If we have to write access to any of these dependencies or write access to any DT_RPATH and DT_RUNPATH values then we can create our own malicious shared object into that executable potentially compromising the system.
SSH Misconfiguration Scan
SSH is one of the most common services that you will find in the real world. It's also quite easy to misconfigure it. This scan will check to see if it can be hardened in any way.
Current User Scan
The current user can just parses /etc/passwd. With this information, we find root accounts, unprotected and missing home directories etc.
How To Contribute
- If you can think of a scan idea that has not been implemented, raise it as an issue.
- If you know how to program, make a pull request :)
Benchmarks
| Scan Type | Files Scanned | Threads | Time |
|---|---|---|---|
| Quick scan | 1.8 Million | 1 | 54 seconds |
| Quick scan | 1.8 Million | 2 | 26 seconds |
| Quick scan | 1.8 Million | 4 | 15 seconds |
| Quick scan | 1.8 Million | 6 | 15 seconds |
| Quick scan | 1.8 Million | 12 | 20 seconds |
| Full scan | 1.8 Million | 1 | 196 seconds |
| Full scan | 1.8 Million | 2 | 93 seconds |
| FUll scan | 1.8 Million | 4 | 47 seconds |
| Full scan | 1.8 Million | 6 | 30 seconds |
| Full scan | 1.8 Million | 12 | 29 seconds |