Shell History

What is the "Shell History" module?

The "Shell History" module is designed to detect misconfigurations related to shell history files. It targets the bash, ksh, sh, and zsh shells. This module has a low severity level and was authored by pentest_swissky and geeknik.

Impact

The "Shell History" module helps identify potential security risks associated with shell history files. By analyzing the contents of these files, the module can detect commands that may indicate unauthorized access or malicious activity. This information can be used to assess the overall security posture of the system and take appropriate actions to mitigate any identified risks.

How the module works?

The "Shell History" module works by sending HTTP requests to specific paths associated with shell history files, such as /.bash_history, /.ksh_history, /.sh_history, and /.zsh_history. It then applies a series of matching conditions to determine if any misconfigurations or vulnerabilities are present.

The module uses two types of matchers: word matchers and status matchers. Word matchers analyze the response content for specific keywords, such as mkdir, chmod, mv, nano, vim, pico, sudo, cd, cp, and ps aux. If any of these keywords are found, it indicates potential misconfigurations.

Status matchers check the HTTP response status code, and in this case, it looks for a status code of 200. If the response meets all the defined matching conditions, the module reports a potential misconfiguration or vulnerability.

It's important to note that the module also considers the response content type. If the response contains any of the following words: <?xml, <env, application/javascript, application/json, application/xml, html>, text/html, or image/, it will not report a misconfiguration or vulnerability.

By analyzing the shell history files and applying these matching conditions, the "Shell History" module helps identify potential security risks and provides valuable insights for further investigation and remediation.