unix-privesc-check
Overview
unix-privesc-check is a POSIX shell script that audits a Unix or Linux host for local privilege escalation paths. It looks for the common weaknesses that let an unprivileged user gain root or another account's privileges: configuration files, cron jobs and init scripts that non-root users can modify; SUID/SGID binaries (and the shared libraries they load) that are writable or sit in writable directories; weak sudoers rules; and files belonging to running services that other users can change. Each finding is printed as a line beginning with "WARNING:", which is what most of the grep filters on this page key on. The script is useful both to pentesters looking for an escalation path and to administrators validating that hardening took effect.
Note: Run it only on systems you own or have explicit, written authorization to test. Privilege escalation testing without authorization is a criminal offence in most jurisdictions.
Installation
Linux/Unix Installation
# Download from GitHub
git clone https://github.com/sleventyeleven/unix-privesc-check.git
cd unix-privesc-check
# Make executable
chmod +x unix-privesc-check
# Run directly
./unix-privesc-check standard
Alternative Methods
# Direct download of the script alone
wget https://raw.githubusercontent.com/sleventyeleven/unix-privesc-check/master/unix-privesc-check
chmod +x unix-privesc-check
# Debian/Ubuntu package, where the distribution ships one
sudo apt-get install unix-privesc-check
# Kali Linux ships it pre-installed as /usr/bin/unix-privesc-check
unix-privesc-check standard
Verification
# The script accepts only "standard" or "detailed"; any other argument
# (including -h) just prints the usage message, which confirms it runs
./unix-privesc-check -h
# Sanity-check what you downloaded before running it as a privileged user
file ./unix-privesc-check
head -n 1 ./unix-privesc-check # Should show #!/bin/sh
Basic Usage
| Command | Description |
|---|---|
| unix-privesc-check standard | Run the standard set of privilege escalation checks |
| unix-privesc-check detailed | Run all checks, including the slower per-file analysis |
| unix-privesc-check help | Not a separate mode: any argument other than standard or detailed prints the usage message |
| unix-privesc-check version | Not a separate mode: the version is printed in the banner at the top of every run |
Common Check Modes
Standard Security Audit
# Run standard privilege escalation checks
./unix-privesc-check standard
# Standard mode, saved to a file for later review
./unix-privesc-check standard > privesc_report.txt
# Same, with a timestamped file name
./unix-privesc-check standard > privesc_check_$(date +%Y%m%d_%H%M%S).txt
Comprehensive Detailed Analysis
# Run all available checks
./unix-privesc-check detailed
# Detailed mode with file output
./unix-privesc-check detailed > detailed_audit.txt
# Keep both runs when you want to see what detailed mode adds
./unix-privesc-check standard > standard.txt
./unix-privesc-check detailed > detailed.txt
Privilege Escalation Checks
File Permission Vulnerabilities
# Findings about world-writable files
./unix-privesc-check standard | grep -i "world"
# Findings about SUID binaries
./unix-privesc-check standard | grep -i "suid"
# Findings about files under /etc
./unix-privesc-check detailed | grep -i "/etc"
Common file permission issues detected:
- World-writable files in sensitive directories
- Insecure permissions on /etc/passwd or /etc/shadow (writable passwd, readable shadow)
- Writable SUID binaries, or SUID binaries in directories others can write to
- Weak permissions on home directories
Sudo Configuration Analysis
# /etc/sudoers and /etc/sudoers.d are readable only by root, so these
# greps return little unless the script runs as root; "sudo -l" shows
# the calling user's own rules without root
./unix-privesc-check standard | grep -i "sudo"
# Identify NOPASSWD sudo entries
./unix-privesc-check detailed | grep -i "nopasswd"
# Look for wildcards in command specifications (the script's section
# banners use "#", so a "*" almost always comes from a rule or a path)
./unix-privesc-check detailed | grep "\*"
SUID/SGID Binary Detection
# All SUID-related findings
./unix-privesc-check standard | grep -i "suid"
# Narrow to programs that are known shell-escape vectors when SUID
# (the pattern also matches unrelated lines, so read the context)
./unix-privesc-check detailed | grep -E "find|chmod|chown|cp|mv|tar"
# Check for potentially exploitable SGID binaries
./unix-privesc-check detailed | grep -i "sgid"
Service and Process Vulnerabilities
# Findings about running services
./unix-privesc-check standard | grep -i "service"
# Findings mentioning root (processes running as root whose binaries,
# libraries or configuration files other users can write to)
./unix-privesc-check detailed | grep "root"
# Read the process section in full rather than guessing at keywords
./unix-privesc-check detailed | less
Detailed Check Categories
Installed Packages Analysis
# The script does not check package versions or known CVEs; lines
# matching "package" come from its other checks, so use the
# distribution's package tooling for patch status
./unix-privesc-check detailed | grep -i "package"
# Shared-library findings; read these together with the SUID section,
# since a writable library loaded by a SUID program is an escalation path
./unix-privesc-check standard | grep -E "lib|depend"
Network Service Audit
# The script is not a port scanner and does not enumerate open ports;
# these greps only surface lines from its process and service checks
./unix-privesc-check standard | grep -i "listen"
# Cleartext protocols worth a second look
./unix-privesc-check detailed | grep -E "telnet|ftp|http"
# Port- and service-related lines
./unix-privesc-check standard | grep -E "port|service"
User and Group Review
# Lines about user accounts
./unix-privesc-check detailed | grep -i "user"
# Lines about group ownership and membership
./unix-privesc-check standard | grep -i "group"
# Lines mentioning UIDs or GIDs
./unix-privesc-check detailed | grep -E "uid|gid"
Advanced Usage Patterns
Automated Reporting
# Generate a timestamped full report
REPORT_DATE=$(date +%Y%m%d_%H%M%S)
./unix-privesc-check detailed > report_${REPORT_DATE}.txt
# Create a summary report with a header
echo "=== Unix Privilege Escalation Check ===" > summary.txt
echo "Date: $(date)" >> summary.txt
./unix-privesc-check standard >> summary.txt
Baseline Comparison
# Create a baseline on a known-good (freshly hardened) system
./unix-privesc-check detailed > baseline.txt
# Compare a later run against it; lines prefixed ">" are present only
# in the new report, i.e. findings that were not in the baseline
./unix-privesc-check detailed > current.txt
diff baseline.txt current.txt | grep "^>"
Filtered Output Analysis
# Findings are printed as lines starting with WARNING:, so that is the
# reliable filter; the other words are just belt and braces
./unix-privesc-check detailed | grep -i "warning\|alert\|vulnerable\|insecure"
# The script assigns no severity levels; these words only match if they
# happen to appear in a path or message, so expect few or no hits
./unix-privesc-check standard | grep -E "critical|high|severe"
# Check specific vulnerability types
./unix-privesc-check detailed | grep -i "world.writable\|unprotected"
System Hardening Validation
File System Permissions
# Validate critical file permissions
./unix-privesc-check detailed | grep "/etc/passwd"
./unix-privesc-check detailed | grep "/etc/shadow"
./unix-privesc-check detailed | grep "/etc/sudoers"
# Check home directory permissions (the path appears inside the
# message, not at the start of the line)
./unix-privesc-check detailed | grep -E "/home|/root"
Authentication Review
# The script does not audit password policy or PAM; "password" matches
# its checks on /etc/passwd and /etc/shadow permissions
./unix-privesc-check standard | grep -i "password"
# Lines mentioning authentication-related files
./unix-privesc-check detailed | grep -i "auth"
# PAM-related paths, if any were flagged as writable
./unix-privesc-check detailed | grep -i "pam"
Sudo Hardening Check
# Validate sudoers findings (run as root so the script can read sudoers)
./unix-privesc-check standard | grep -i "sudo"
# Check for dangerous sudo rules
./unix-privesc-check detailed | grep -E "NOPASSWD|ALL"
# Logging-related lines; sudo's own logging is configured in sudoers
# (Defaults logfile, log_input, log_output), which the script does not check
./unix-privesc-check detailed | grep -i "audit\|log"
Integration with Security Tools
Workflow with LinPEAS
# Use unix-privesc-check for a quick first pass
./unix-privesc-check standard > quick_check.txt
# Follow up with the broader LinPEAS enumeration
./linpeas.sh > linpeas_detailed.txt
# The two tools format output differently, so a diff of the reports is
# meaningless; review each tool's highlighted findings side by side
grep "^WARNING:" quick_check.txt
Chaining with Metasploit
# Identify privilege escalation vectors
./unix-privesc-check detailed > privesc_vectors.txt
# db_import only understands scanner formats (Nmap XML, Nessus, ...), not
# this text report; attach it to the host as a note instead
# (10.0.0.5 is a placeholder for the audited host)
msfconsole -q -x "notes -a -t unix_privesc_check -n 'see privesc_vectors.txt' 10.0.0.5; exit"
Automated Remediation
#!/bin/bash
# Run the check and flag the classes of finding that need a human decision
./unix-privesc-check standard > current_audit.txt
if grep -qi "world.writable" current_audit.txt; then
echo "Found world-writable files - remediation needed"
fi
if grep -q "NOPASSWD" current_audit.txt; then
echo "Found NOPASSWD sudo entries - review sudoers"
fi
Common Vulnerability Patterns
World-Writable Files
# Detect world-writable critical files
./unix-privesc-check detailed | grep -i "world.writable"
# Enumerate world-writable files directly (sticky directories such as
# /tmp are meant to be world-writable and are not findings)
find / -type f -perm -002 2>/dev/null | head -20
# Remediation: remove only the other-write bit, leaving the rest intact
chmod o-w /path/to/file
SUID Abuse Vectors
# SUID findings involving programs that can spawn a shell or write
# arbitrary files when run with elevated privileges
./unix-privesc-check standard | grep -E "find|nmap|perl|python"
# Custom SUID binaries outside the packaged system paths deserve a closer
# look than packaged ones; the script does not identify "compiled exploits"
./unix-privesc-check detailed | grep -i "suid" | grep -vE "/usr/(bin|sbin|lib)"
# List every SUID binary with its owner and permissions
find / -perm -4000 -type f -ls 2>/dev/null
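The SUID/SGID Binary Detection and SUID Abuse Vectors sections above both stop at grepping the report. What a practitioner actually wants is to compare the live SUID inventory with a known-good allowlist and to single out the programs that are abusable by design even when correctly permissioned. The helper below is an added example and is not part of unix-privesc-check; the allowlist and the list of abusable program names are assumptions for the demo (build the real allowlist from a freshly installed reference host of the same release), and the inventory file is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of unix-privesc-check: triage of the SUID/SGID
# inventory. The script reports SUID files that are writable (or live in
# writable directories); it does not say whether a correctly permissioned
# SUID program is abusable by design. Both the allowlist and the
# "abusable" name list are assumptions for this demo.

# Live inventory on the target, one path per line (-xdev keeps find off
# network and pseudo filesystems).
suid_inventory() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Paths in inventory file $1 that are absent from allowlist file $2.
suid_unexpected() {
    inv=$(mktemp); allow=$(mktemp)
    sort -u "$1" > "$inv"
    sort -u "$2" > "$allow"
    comm -23 "$inv" "$allow"
    rm -f "$inv" "$allow"
}

# Programs whose SUID bit hands out a shell or an arbitrary file write by
# design (subset of the usual references; assumption for the demo).
SUID_ABUSABLE='find|vim|vi|nano|less|more|python[0-9.]*|perl|ruby|bash|sh|dash|zsh|env|tar|cp|mv|dd|nmap|awk|tee|chmod|chown|systemctl'

# Paths in inventory file $1 whose basename is on the abusable list.
suid_abusable() {
    grep -E "/($SUID_ABUSABLE)$" "$1" || true
}

# --- constructed sample inventory and allowlist (not from a real host) ---
SUID_DEMO=$(mktemp -d)
cat > "$SUID_DEMO/inventory.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/mount
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/local/bin/find
/usr/bin/python3.11
/opt/backup/bin/helper
EOF
cat > "$SUID_DEMO/allowlist.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
EOF

# Usage on a real host:
#   suid_inventory > inventory.txt
#   suid_unexpected inventory.txt allowlist.txt   # review, then chmod u-s
#   suid_abusable inventory.txt                   # justify each one that stays
```

On the sample, suid_unexpected reports the three paths missing from the allowlist (the SUID copy of find, the SUID python and the custom helper), and suid_abusable flags the two whose names are on the abusable list regardless of where they live. An entry that is both expected and abusable (a SUID python some application insists on) is the case to document and compensate for rather than silently accept.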
Weak Sudo Configuration
# Check for sudo misconfigurations
./unix-privesc-check standard | grep "sudo"
# Example dangerous rule (reported only when the script can read sudoers):
# the user may run any command as root without a password
# /etc/sudoers: user ALL=(ALL) NOPASSWD: ALL
# Remediation: edit with visudo, which syntax-checks before saving
sudo visudo
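The Sudo Configuration Analysis section and this one both reduce to grepping for NOPASSWD and ALL, which misses the rules that are just as bad: a command with a wildcard, or a fixed command such as less or tar that hands the user a root shell once it runs. The function below is an added example, not part of unix-privesc-check, that classifies sudoers-style rules (from /etc/sudoers read as root, or pasted from sudo -l). The list of shell-escape programs is an assumption drawn from common privilege-escalation references and is not exhaustive; the sample sudoers file is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of unix-privesc-check: triage of sudoers rules.
# The shell-escape program list is an assumption and not exhaustive.

# Programs that give a shell or an arbitrary file write once run as root;
# a sudo rule granting one of them is effectively "ALL".
SUDO_ESCAPE_BINS='vi|vim|nano|less|more|man|find|awk|python[0-9.]*|perl|ruby|bash|sh|dash|zsh|env|tar|zip|tee|cp|mv|dd'

# Print "<flags><TAB><rule>" for each user specification in file $1 that
# needs review. Flags:
#   NOPASSWD  - no authentication required
#   ALLCMD    - any command allowed
#   WILDCARD  - glob in the command (arguments can be smuggled past it)
#   ESCAPE    - command can drop to a shell or write arbitrary files
#   NOROOTCHK - "!root" runas exclusion; exclusion lists are fragile,
#               prefer an explicit runas allowlist
sudoers_triage() {
    grep -vE '^[[:space:]]*(#|Defaults|(User|Host|Cmnd|Runas)_Alias)' "$1" |
    grep -v '^[[:space:]]*$' |
    while IFS= read -r rule; do
        # Command list: drop "user host =", the "(runas)" part and TAG: words
        cmds=$(printf '%s' "$rule" | sed 's/^[^=]*=//; s/([^)]*)//; s/[A-Z]*://g')
        flags=""
        case "$rule" in *NOPASSWD*) flags="$flags NOPASSWD";; esac
        printf '%s' "$cmds" | grep -qE '(^|,)[[:space:]]*ALL[[:space:]]*(,|$)' && flags="$flags ALLCMD"
        case "$cmds" in *\**|*\?*) flags="$flags WILDCARD";; esac
        printf '%s' "$cmds" | grep -qE "(^|/|[[:space:]])($SUDO_ESCAPE_BINS)([[:space:]]|,|$)" && flags="$flags ESCAPE"
        case "$rule" in *'!root'*) flags="$flags NOROOTCHK";; esac
        if [ -n "$flags" ]; then
            printf '%s\t%s\n' "${flags# }" "$rule"
        fi
    done
}

# Constructed sample sudoers file (not from a real host).
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(root) NOPASSWD: /usr/bin/tar
www-data ALL=(ALL) NOPASSWD: ALL
dev      ALL=(ALL:!root) /bin/bash
ops      ALL=(root) /usr/bin/less /var/log/*
monitor  ALL=(root) /usr/bin/cat /var/log/syslog
EOF

# Usage on a real host (as root): sudoers_triage /etc/sudoers
```

On the sample every rule except the monitor line is reported: root and %sudo as ALLCMD (expected, but worth seeing), deploy as NOPASSWD only, backup as NOPASSWD plus ESCAPE because tar can write arbitrary files as root, www-data as the classic NOPASSWD ALL, dev as ESCAPE plus NOROOTCHK, and ops as WILDCARD plus ESCAPE. The fixed cat of one log file gets no flag, which is the shape a least-privilege rule should have.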
Privilege Escalation Remediation
Address Identified Issues
# After running unix-privesc-check
./unix-privesc-check detailed > vulnerabilities.txt
# Fix world-writable files by dropping only the other-write bit;
# a blanket chmod 644 would strip execute bits from scripts and binaries
chmod o-w /path/to/world-writable-file
# Review and correct sudoers
sudo visudo
# Remove unnecessary SUID bits
sudo chmod u-s /usr/bin/vulnerable-binary
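Fixing world-writable findings one path at a time is fine for a handful, but on a neglected host there can be hundreds, and a careless loop will either strip execute bits or "fix" /tmp. The script below is an added example, not part of unix-privesc-check or the page's own remediation steps: it enumerates world-writable files and non-sticky directories, prints what it would change in a dry run, and only removes the other-write bit when explicitly told to apply. The demo tree it builds under a temporary directory is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of unix-privesc-check: reviewable remediation of
# world-writable findings. A blanket "chmod 644" strips execute bits from
# scripts and binaries; dropping only the other-write bit (o-w) fixes the
# finding and changes nothing else. World-writable directories that carry
# the sticky bit (/tmp, /var/tmp) are the intended state and are skipped.

# World-writable regular files and non-sticky directories below $1.
ww_list() {
    find "$1" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -perm -002 \( -type f -o \( -type d ! -perm -1000 \) \) -print 2>/dev/null
}

ww_count() {
    ww_list "$1" | wc -l | tr -d ' '
}

# Read paths from stdin and remove the other-write bit. Without "apply"
# it only prints what it would do, so the list can be reviewed first.
# The last line of output is the number of paths actually changed.
ww_fix() {
    mode=${1:-dryrun}
    changed=0
    while IFS= read -r p; do
        [ -e "$p" ] || continue
        if [ "$mode" = apply ]; then
            chmod o-w "$p" && changed=$((changed + 1))
        else
            printf 'would run: chmod o-w %s\n' "$p"
        fi
    done
    printf '%s\n' "$changed"
}

# --- constructed demo tree (temporary directory, not a real host) ---
WW_DEMO=$(mktemp -d)
mkdir -p "$WW_DEMO/etc/cron.d" "$WW_DEMO/tmp" "$WW_DEMO/shared"
printf '* * * * * root /opt/backup.sh\n' > "$WW_DEMO/etc/cron.d/backup"
printf '#!/bin/sh\necho helper\n' > "$WW_DEMO/helper.sh"
chmod 666 "$WW_DEMO/etc/cron.d/backup"   # finding: root cron job anyone can edit
chmod 777 "$WW_DEMO/helper.sh"           # finding: executable anyone can replace
chmod 777 "$WW_DEMO/shared"              # finding: directory without sticky bit
chmod 1777 "$WW_DEMO/tmp"                # expected: sticky, like /tmp

# Usage on a real host (as root):
#   ww_list / > ww.txt; ww_fix < ww.txt     # review the dry run
#   ww_fix apply < ww.txt                   # then apply
```

On the demo tree the dry run lists the cron file, the helper script and the non-sticky directory but not the sticky tmp directory; after ww_fix apply the three are no longer world-writable and the helper script keeps its execute bits. Keep the dry-run listing with the engagement evidence so the change is auditable.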
Hardening Recommendations
# Restore the distribution's intended mode on the account databases
# (Debian uses root:shadow 0640 for /etc/shadow; Red Hat derivatives use
# 0000, so check your distribution's default before changing it)
chmod 640 /etc/shadow
chmod 644 /etc/passwd
# Restrict sudo access
# Limit to specific commands
# Remove NOPASSWD entries
# Enable sudo logging
# Monitor file changes with AIDE: initialise the database, move the new
# database into place the way your distribution expects, then check
aide --init
aide --check
Scheduled Auditing
Automated Regular Checks
#!/bin/bash
# crontab entry for daily privilege escalation checks (note the escaped
# % signs, which cron would otherwise treat as line breaks)
# 0 2 * * * /path/to/unix-privesc-check detailed > /var/log/privesc_$(date +\%Y\%m\%d).txt
# Create monitoring script; the reports describe exploitable weaknesses,
# so keep the audit directory readable by root only (mode 0700)
cat > /usr/local/bin/privesc-monitor.sh <<'EOF'
#!/bin/bash
AUDIT_DIR="/var/log/privesc-audits"
mkdir -p "$AUDIT_DIR"
/path/to/unix-privesc-check detailed > "$AUDIT_DIR/check_$(date +%Y%m%d_%H%M%S).txt"
EOF
chmod +x /usr/local/bin/privesc-monitor.sh
Continuous Monitoring
#!/bin/bash
# Create baseline
./unix-privesc-check detailed > baseline.txt
# Periodic comparison; a cron job is the normal way to schedule this, but
# the loop shows the logic. diff prints "<" for lines only in the baseline
# and ">" for lines only in the new run
while true; do
./unix-privesc-check detailed > current.txt
if ! diff -q baseline.txt current.txt > /dev/null; then
echo "Changes detected at $(date)"
diff baseline.txt current.txt
fi
sleep 86400 # Run daily
done
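The Baseline Comparison, Filtered Output Analysis and Scheduled Auditing sections above all rest on a plain diff of two full reports, which flags banner text, reordering and every host-specific listing along with the real changes. The helper below is an added example and not part of unix-privesc-check: it extracts only the WARNING: lines, reports what is new relative to the previous run, and wraps that in a function that a cron job can call. It assumes the WARNING: line convention of the script's output; the sample reports are constructed, not real tool output, and the report directory layout and file names are the example's own.

```shell
#!/bin/sh
# Added example: post-processing and scheduling of unix-privesc-check
# reports. Assumes findings are printed as lines beginning with
# "WARNING:". Sample reports below are constructed, not real output.

# Unique, whitespace-normalised WARNING lines of one report.
upc_warnings() {
    grep '^WARNING:' "$1" | sed 's/[[:space:]]\{1,\}/ /g' | sort -u
}

# Number of findings in a report.
upc_count() {
    upc_warnings "$1" | wc -l | tr -d ' '
}

# Findings present in report $2 but not in report $1. Comparing WARNING
# lines only avoids the noise a plain diff produces (banners, ordering,
# host-specific listings).
upc_new_warnings() {
    base=$(mktemp); cur=$(mktemp)
    upc_warnings "$1" > "$base"
    upc_warnings "$2" > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# One scheduled run. $1 is the report directory (kept root-only, since the
# reports describe exploitable weaknesses); $2 is the command that produces
# a report, defaulting to the real tool. Prints the findings that are new
# compared with the previous report in the directory (all of them on the
# first run) and keeps every report for later review.
upc_scheduled_run() {
    dir=$1
    producer=${2:-"./unix-privesc-check detailed"}
    mkdir -p "$dir" && chmod 700 "$dir"
    prev=$(ls "$dir"/upc_*.txt 2>/dev/null | tail -n 1)
    seq=$(ls "$dir"/upc_*.txt 2>/dev/null | wc -l)
    report="$dir/upc_$(date +%Y%m%d)_$(printf '%04d' $((seq + 1))).txt"
    $producer > "$report" 2>&1
    if [ -n "$prev" ]; then
        upc_new_warnings "$prev" "$report"
    else
        upc_warnings "$report"
    fi
}

# --- constructed sample reports, not real tool output ---
UPC_DEMO_DIR=$(mktemp -d)
cat > "$UPC_DEMO_DIR/baseline.txt" <<'EOF'
Starting unix-privesc-check (constructed sample)
Checking for writable config files
############################################
WARNING: /etc/cron.d/backup is writable by group backup
Checking for SUID programs
############################################
    Checking /usr/bin/passwd
EOF
cat > "$UPC_DEMO_DIR/current.txt" <<'EOF'
Starting unix-privesc-check (constructed sample)
Checking for writable config files
############################################
WARNING: /etc/cron.d/backup is writable by group backup
WARNING: /etc/init.d/app is world writable
Checking for SUID programs
############################################
WARNING: /usr/local/bin/helper is SUID root and world writable
EOF
# Stand-ins for the real tool, used to drive upc_scheduled_run offline.
demo_report_v1() { cat "$UPC_DEMO_DIR/baseline.txt"; }
demo_report_v2() { cat "$UPC_DEMO_DIR/current.txt"; }

# Example run (on a real host, drop the second argument):
#   upc_scheduled_run /var/log/privesc-audits demo_report_v1
```

From cron, call upc_scheduled_run once a day and mail or log whatever it prints; an empty output means nothing new since the last run, and the kept reports give you the history a plain overwrite-the-baseline loop loses. On the samples, the first scheduled run reports the one baseline finding, the second reports the two findings added in current.txt, and a repeat of the second reports nothing.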
Performance Considerations
Quick Scan for Initial Assessment
# Fast initial scan
./unix-privesc-check standard
# Typically completes in seconds
# Checks the essential privilege escalation vectors
# Good for a rapid first assessment
Comprehensive Analysis
# Detailed scan with full analysis
./unix-privesc-check detailed
# May take several minutes: it walks the whole filesystem and inspects
# each SUID program it finds
# Suitable for thorough security audits
Custom Check Focus
# Run a mode, then grep for the area of interest
./unix-privesc-check standard | grep "sudo"
./unix-privesc-check detailed | grep "suid"
./unix-privesc-check detailed | grep "world"
Troubleshooting
Script Execution Issues
# Ensure proper permissions
chmod +x unix-privesc-check
# Run with an explicit interpreter (the script targets plain /bin/sh)
sh unix-privesc-check standard
# bash also works, since it accepts POSIX sh syntax
bash unix-privesc-check standard
Missing Checks
# Verify the script version (in the header comments and in the banner
# printed at the start of every run)
head -n 20 unix-privesc-check
# Update an existing checkout to the latest version (a second git clone
# into the same directory would fail)
cd unix-privesc-check
git pull
./unix-privesc-check standard
Permission Denied Errors
# Running as an unprivileged user shows what that user could exploit,
# which is the attacker's view; running as root lets the script read
# everything (sudoers, shadow, root's cron) and gives the fuller audit
sudo ./unix-privesc-check detailed
# Alternative: capture errors separately
./unix-privesc-check standard 2> errors.txt > output.txt
# Review error output
cat errors.txt
Best Practices
Pre-Assessment Preparation
# Verify which account you are running as; it determines what the script can read
whoami
id
# Check available disk space for reports
df -h
# Create an audit directory
mkdir -p /var/log/security-audits
Documentation and Reporting
# Document scan parameters
echo "System: $(hostname)" > scan_summary.txt
echo "Date: $(date)" >> scan_summary.txt
echo "User: $(whoami)" >> scan_summary.txt
# Run comprehensive check
./unix-privesc-check detailed >> scan_summary.txt
# Archive results
tar -czf audit_$(date +%Y%m%d).tar.gz scan_summary.txt
Remediation Tracking
# Document findings before remediation
./unix-privesc-check standard > findings_pre.txt
# Create remediation plan (a world-writable /tmp is only a finding when
# the sticky bit is missing; 1777 is the correct mode)
cat > remediation_plan.txt <<'EOF'
Finding: /tmp is world-writable without the sticky bit
Severity: Medium
Remediation: chmod 1777 /tmp
Verified: [Pending]
EOF
# Verify fixes against the pre-remediation report
./unix-privesc-check standard > findings_post.txt
diff findings_pre.txt findings_post.txt
Legal and Compliance
Always ensure proper authorization before running privilege escalation audits. Document:
- Written approval from system owner
- Audit scope and authorized systems
- Testing date and personnel
- Findings and remediation status
- Compliance with security policies
Use unix-privesc-check only in authorized security testing environments with proper documentation and approval.