modDetective is a small Python software that chronologizes information primarily based on modification time to be able to examine current system exercise. This can be utilized in CTF’s to be able to pinpoint the place escalation and assault vectors could exist.
To see the software in its most helpful type, strive operating the command as follows: python3 modDetective.py -i /usr/share,/usr/lib,/lib. This can ignore the /usr/lib, /usr/share, and /lib directories, which have a tendency to not have something of curiosity. Additionally observe that by default the “dynamic” directories are ignored (/proc, /sys, /run, /snap, /dev).
modDetective could be very elementary in the way it operates. It merely walks the filesystem, with bounds decided by person specified choices (-i is for ignore, which means the software will stroll each listing EXCEPT for those specified within the -i choice, and -e is for unique, which means the software will ONLY stroll the directories specified). Whereas strolling, it picks up the modification occasions of every file, then orders these modification occasions to be able to output them chronologically.
Moreover, within the output you’ll doubtlessly see some information highlighted purple. These information are denoted as “Indicators of Consumer Exercise,” Since current modifications to those information point out {that a} person is at present energetic. As of now, these information embrace .swp information, .bash_history, .python_history and .viminfo. This checklist shall be prolonged as I brainstorm extra information that point out current person exercise.
modDetective at present works solely with python3; python2 compatability shall be accomplished shortly (therefore the dearth of f strings). Customary libraries ought to be tremendous.
