import re
import sys
import argparse
import datetime
import re
import subprocess
def sudoFinder(data):
    """Return the history lines that mention ``sudo``.

    Args:
        data: iterable of shell-history lines (``str``).

    Returns:
        list[str]: the lines containing the substring ``sudo``, in input order.

    This is a plain substring test, so lines such as ``cat /etc/sudoers`` or
    ``visudo`` are counted even though they do not run ``sudo``; callers use
    only the length of the result as a rough indicator.
    """
    return list(filter(lambda line: "sudo" in line, data))
def pwdFinder(data):
    """Return the history lines that mention ``pwd``.

    Args:
        data: iterable of shell-history lines (``str``).

    Returns:
        list[str]: the lines containing the substring ``pwd``, in input order.

    Substring matching is case-sensitive and not token-aware: ``pwdx`` or a
    ``$pwd`` variable reference count as hits, ``PWD`` does not.
    """
    hits = []
    for line in data:
        if "pwd" not in line:
            continue
        hits.append(line)
    return hits
def whoamiFinder(data):
    """Return the history lines that mention ``whoami``.

    Args:
        data: iterable of shell-history lines (``str``).

    Returns:
        list[str]: the lines containing the substring ``whoami``, in input
        order. The token is found anywhere in the line, not only in command
        position (``sudo whoami`` and ``echo whoami`` both count).
    """
    needle = "whoami"
    return [line for line in data if line.find(needle) != -1]
def idFinder(data):
    """Return one ``"id"`` entry for each history line that is exactly ``id``.

    Args:
        data: iterable of shell-history lines (``str``).

    Returns:
        list[str]: the captured token (always ``"id"``) for every line that
        consists solely of ``id``; a single trailing newline is tolerated.
        Callers use only the length of the result.

    Unlike the other finders this one is anchored on purpose: ``id -u``,
    ``sudo id`` and ``id`` preceded by whitespace are NOT counted, which
    avoids hits on unrelated text that merely contains "id".
    """
    exact_id = re.compile("(id$)")
    hits = []
    for line in data:
        found = exact_id.match(line)
        if found is None:
            continue
        # group(1) is the whole match, so the appended value is always "id".
        hits.append(found.group(1))
    return hits
def unameFinder(data):
    """Return the history lines that mention ``uname``.

    Args:
        data: iterable of shell-history lines (``str``).

    Returns:
        list[str]: the lines containing the substring ``uname``, in input
        order (a plain substring test, like the other finders).
    """
    matched = []
    for line in data:
        if "uname" in line:
            matched.append(line)
    return matched
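def hijackAccountDetection():
    """Count suspicious commands in the bash history of every interactive local user.

    Reads ``/etc/passwd``, keeps the accounts whose login shell is ``bash`` or
    ``sh``, and scans ``<home>/.bash_history`` for each of them with the
    ``*Finder`` helpers of this module.

    Returns:
        tuple[list[str], list[list[int]]]: ``(homes, counts)`` where ``homes``
        holds the home directory of each selected account in passwd order and
        ``counts[i]`` is ``[sudo, pwd, whoami, id, uname]`` hit counts for
        ``homes[i]`` (all zeros when the history file is missing, unreadable
        or empty).

    Raises:
        OSError: if ``/etc/passwd`` cannot be read or ``existingUser.txt``
        cannot be written.

    Side effects:
        Writes a verbatim copy of ``/etc/passwd`` to ``existingUser.txt`` in
        the current directory. This is kept from the original script for any
        consumer that reads it; the scan itself no longer depends on it.

    NOTE(review): ``.bash_history`` is owned and writable by the inspected
    user, so it can be truncated or edited (``history -c``, ``HISTFILE``);
    a zero count is not evidence that nothing happened. Reading other users'
    home directories normally requires root.
    """
    with open("/etc/passwd", encoding="utf-8", errors="replace") as passwd:
        passwd_text = passwd.read()
    with open("existingUser.txt", "w", encoding="utf-8") as copy:
        copy.write(passwd_text)

    homes = _interactive_home_dirs(passwd_text)
    histories = [_read_history(home + "/.bash_history") for home in homes]
    counts = [_count_indicators(text) for text in histories]
    return homes, counts


# Login shells that mark an account as interactive for this scan. Compared by
# basename so /usr/bin/bash (merged-/usr distributions) is treated like /bin/bash.
_INTERACTIVE_SHELLS = {"bash", "sh"}


def _interactive_home_dirs(passwd_text):
    """Return the home directories of passwd entries whose shell is bash or sh.

    Parses the colon-separated fields directly instead of the previous regex,
    which only ever inspected the ``/bin/bash`` capture group and therefore
    silently dropped every ``/bin/sh`` account.
    """
    homes = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank, comment or malformed entry
        home, shell = fields[5], fields[6]
        # Require an absolute home, as the original pattern did.
        if home.startswith("/") and shell.rsplit("/", 1)[-1] in _INTERACTIVE_SHELLS:
            homes.append(home)
    return homes


def _read_history(path):
    """Return the text of ``path``, or ``""`` when it is absent or unreadable."""
    try:
        # History files are raw bytes; replace rather than crash on non-UTF-8.
        with open(path, encoding="utf-8", errors="replace") as history:
            return history.read()
    except OSError:
        return ""


def _count_indicators(history_text):
    """Return ``[sudo, pwd, whoami, id, uname]`` hit counts for one history file."""
    if not history_text:
        return [0, 0, 0, 0, 0]
    lines = history_text.split("\n")
    return [
        len(sudoFinder(lines)),
        len(pwdFinder(lines)),
        len(whoamiFinder(lines)),
        len(idFinder(lines)),
        len(unameFinder(lines)),
    ]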