Add initial support for history files parsing

ezesoler · May 23, 2017 · e48afa5 · e48afa5
1 parent c158bf1
commit e48afa5
Show file tree

Hide file tree

Showing 3 changed files with 132 additions and 2 deletions.
diff --git a/Linux/lazagne/config/manageModules.py b/Linux/lazagne/config/manageModules.py
@@ -13,6 +13,7 @@
 from lazagne.softwares.sysadmin.aws import Aws
 from lazagne.softwares.sysadmin.ssh import Ssh
 from lazagne.softwares.sysadmin.docker import Docker
+from lazagne.softwares.sysadmin.cli import Cli
 # chats
 from lazagne.softwares.chats.pidgin import Pidgin
 from lazagne.softwares.chats.jitsi import Jitsi
@@ -53,8 +54,8 @@ def get_modules():
 	moduleNames = [
 		ClawsMail(),
 		DbVisualizer(),
-		Env_variable(),
-		Filezilla(),
+		# Env_variable(),
+		# Filezilla(),
 		Gnome(),
 		Jitsi(),
 		Mozilla(),
@@ -65,6 +66,7 @@ def get_modules():
         Aws(),
         Docker(),
 		Ssh(),
+		Cli(),
 		SQLDeveloper(),
 		Squirrel(),
 		Wifi(),

diff --git a/Linux/lazagne/config/write_output.py b/Linux/lazagne/config/write_output.py
@@ -78,6 +78,10 @@ def print_output(software_name, pwdFound):
 					hash = [s for s in lower_list if "hash" in s]
 					if hash:
 						password_category = hash
+					else:
+						cmd = [s for s in lower_list if "cmd" in s]
+						if cmd:
+							password_category = cmd
 
 			# No password found
 			if not password_category:

diff --git a/Linux/lazagne/softwares/sysadmin/cli.py b/Linux/lazagne/softwares/sysadmin/cli.py
@@ -0,0 +1,124 @@
+from lazagne.config.constant import *
+from lazagne.config.write_output import print_debug
+from lazagne.config.moduleInfo import ModuleInfo
+from lazagne.config import homes
+from ConfigParser import ConfigParser
+
+import psutil
+import os
+import pwd
+
+class Cli(ModuleInfo):
+    def __init__(self):
+        options = {'command': '-C', 'action': 'store_true', 'dest': 'cli', 'help': 'cli'}
+        suboptions = []
+        ModuleInfo.__init__(self, 'cli', 'sysadmin', options, suboptions)
+
+    def get_files(self):
+        known = set()
+        for user, histfile in homes.users(file=['.history', '.sh_history', '.bash_history', '.zhistory']):
+            yield user, histfile
+            known.add(histfile)
+
+        for process in psutil.process_iter():
+            try:
+                environ = process.environ()
+                user = process.username()
+            except:
+                continue
+
+            if not 'HISTFILE' in environ:
+                continue
+
+            histfile = environ['HISTFILE']
+
+            if histfile in ('/dev/zero', '/dev/null'):
+                continue
+
+            if histfile.startswith('~/'):
+                try:
+                    home = pwd.getpwuid(process.uids().effective).pw_dir
+                except:
+                    continue
+
+                histfile = os.path.join(home, histfile[2:])
+
+            if os.path.isfile(histfile) and not histfile in known:
+                yield user, histfile
+                known.add(histfile)
+
+    def get_lines(self):
+        known = set()
+        for user, plainfile in self.get_files():
+            try:
+                with open(plainfile) as infile:
+                    for line in infile.readlines():
+                        line = line.strip()
+                        if line.startswith('#'):
+                            continue
+                        try:
+                            int(line)
+                            continue
+                        except:
+                            pass
+
+                        line = ' '.join(x for x in line.split() if x)
+                        if not line in known:
+                            yield user, line
+                            known.add(line)
+            except:
+                pass
+
+        for user, histfile in homes.users(file='.local/share/mc/history'):
+            parser = ConfigParser()
+            try:
+                parser.read(histfile)
+            except:
+                continue
+
+            try:
+                for i in parser.options('cmdline'):
+                    line = parser.get('cmdline', i)
+                    if not line in known:
+                        yield user, line
+                        known.add(line)
+            except:
+                pass
+
+    def suspicious(self, user, line):
+        markers = [
+            ('sshpass', '-p'),
+            ('chpasswd',),
+            ('openssl', 'passwd'),
+            ('sudo', '-S'),
+            ('mysql', '-p'),
+            ('psql', 'postgresql://'),
+            ('pgcli', 'postgresql://'),
+            ('ssh', '-i'),
+            ('sqlplus', '/'),
+            ('xfreerdp', '/p'),
+            ('vncviewer', 'passwd'),
+            ('vncviewer', 'PasswordFile'),
+            ('mount.cifs', 'credentials'),
+            ('pass=',),
+            ('smbclient',),
+            ('ftp', '@'),
+            ('wget', '@'),
+            ('curl', '@'),
+            ('curl', '-u'),
+            ('wget', '-password')
+        ]
+
+        for marker in markers:
+            if all((x in line) for x in marker):
+                yield {
+                    'User': user,
+                    'Cmd': line
+                }
+
+    def run(self, software_name=None):
+        all_cmds = []
+        for user, line in self.get_lines():
+            for cmd in self.suspicious(user, line):
+                all_cmds.append(cmd)
+        return all_cmds