Merge pull request #396 from RandolphConley/master

Logo color, updated output, added -FullCheck flag
Carlos Polop 2023-10-11 22:59:21 +02:00 committed by GitHub
commit 9163062daa


@ -4,26 +4,34 @@
.DESCRIPTION .DESCRIPTION
For the legal enumeration of windows based computers that you either own or are approved to run this script on For the legal enumeration of windows based computers that you either own or are approved to run this script on
.EXAMPLE .EXAMPLE
.\WinPeas.ps1 # Default - normal operation with username/password audit in drives/registry
.\winPeas.ps1
# Full audit - normal operation with APIs / Keys / Tokens
## This will produce false positives ##
.\winPeas.ps1 -FullCheck
# Add Time stamps to each command # Add Time stamps to each command
.\WinPeas.ps1 -TimeStamp .\winPeas.ps1 -TimeStamp
.NOTES .NOTES
Version: 1.0 Version: 1.3
PEASS-ng Original Author: carlospolop PEASS-ng Original Author: carlospolop
WinPEAS.ps1 Author: @RandolphConley winPEAS.ps1 Author: @RandolphConley
Creation Date: 10/4/2022 Creation Date: 10/4/2022
Website: https://github.com/carlospolop/PEASS-ng Website: https://github.com/carlospolop/PEASS-ng
TESTED: PoSh 5,7 TESTED: PoSh 5,7
UNTESTED: Posh 3,4 UNTESTED: PoSh 3,4
INCOMPATIBLE: Posh 2 or lower NOT FULLY COMPATIBLE: PoSh 2 or lower
#> #>
######################## FUNCTIONS ######################## ######################## FUNCTIONS ########################
[CmdletBinding()] [CmdletBinding()]
param( param(
[switch]$TimeStamp [switch]$TimeStamp,
[switch]$FullCheck
) )
# Gather KB from all patches installed # Gather KB from all patches installed
@ -120,40 +128,55 @@ Function Get-ClipBoardText {
} }
} }
function h { Write-Host "##" -ForegroundColor Green } function Write-Color([String[]]$Text, [ConsoleColor[]]$Color) {
for ($i = 0; $i -lt $Text.Length; $i++) {
Write-Host $Text[$i] -Foreground $Color[$i] -NoNewline
}
Write-Host
}
" #Write-Color " ((,.,/((((((((((((((((((((/, */" -Color Green
((,.,/((((((((((((((((((((/, */ Write-Color ",/*,..*(((((((((((((((((((((((((((((((((," -Color Green
,/*,..*(((((((((((((((((((((((((((((((((, Write-Color ",*/((((((((((((((((((/, .*//((//**, .*((((((*" -Color Green
,*/((((((((((((((((((/, .*//((//**, .*((((((* Write-Color "((((((((((((((((", "* *****,,,", "\########## .(* ,((((((" -Color Green, Blue, Green
((((((((((((((((* *****,,,/########## .(* ,(((((( Write-Color "(((((((((((", "/*******************", "####### .(. ((((((" -Color Green, Blue, Green
(((((((((((/* ******************/####### .(. (((((( Write-Color "(((((((", "/******************", "/@@@@@/", "***", "\#######\((((((" -Color Green, Blue, White, Blue, Green
((((((..******************/@@@@@/***/###### /(((((( Write-Color ",,..", "**********************", "/@@@@@@@@@/", "***", ",#####.\/(((((" -Color Green, Blue, White, Blue, Green
,,..**********************@@@@@@@@@@(***,#### ../((((( Write-Color ", ,", "**********************", "/@@@@@+@@@/", "*********", "##((/ /((((" -Color Green, Blue, White, Blue, Green
, ,**********************#@@@@@#@@@@*********##((/ /(((( Write-Color "..(((##########", "*********", "/#@@@@@@@@@/", "*************", ",,..((((" -Color Green, Blue, White, Blue, Green
..(((##########*********/#@@@@@@@@@/*************,,..(((( Write-Color ".(((################(/", "******", "/@@@@@/", "****************", ".. /((" -Color Green, Blue, White, Blue, Green
.(((################(/******/@@@@@#****************.. /(( Write-Color ".((########################(/", "************************", "..*(" -Color Green, Blue, Green
.((########################(/************************..*( Write-Color ".((#############################(/", "********************", ".,(" -Color Green, Blue, Green
.((#############################(/********************.,( Write-Color ".((##################################(/", "***************", "..(" -Color Green, Blue, Green
.((##################################(/***************..( Write-Color ".((######################################(/", "***********", "..(" -Color Green, Blue, Green
.((######################################(************..( Write-Color ".((######", "(,.***.,(", "###################", "(..***", "(/*********", "..(" -Color Green, Green, Green, Green, Blue, Green
.((######(,.***.,(###################(..***(/*********..( Write-Color ".((######*", "(####((", "###################", "((######", "/(********", "..(" -Color Green, Green, Green, Green, Blue, Green
.((######*(#####((##################((######/(********..( Write-Color ".((##################", "(/**********(", "################(**...(" -Color Green, Green, Green
.((##################(/**********(################(**...( Write-Color ".(((####################", "/*******(", "###################.((((" -Color Green, Green, Green
.(((####################/*******(###################.(((( Write-Color ".(((((############################################/ /((" -Color Green
.(((((############################################/ /(( Write-Color "..(((((#########################################(..(((((." -Color Green
..(((((#########################################(..(((((. Write-Color "....(((((#####################################( .((((((." -Color Green
....(((((#####################################( .((((((. Write-Color "......(((((#################################( .(((((((." -Color Green
......(((((#################################( .(((((((. Write-Color "(((((((((. ,(############################(../(((((((((." -Color Green
(((((((((. ,(############################(../(((((((((. Write-Color " (((((((((/, ,####################(/..((((((((((." -Color Green
(((((((((/, ,####################(/..((((((((((. Write-Color " (((((((((/,. ,*//////*,. ./(((((((((((." -Color Green
(((((((((/,. ,*//////*,. ./(((((((((((. Write-Color " (((((((((((((((((((((((((((/" -Color Green
(((((((((((((((((((((((((((/ Write-Color " by CarlosPolop & RandolphConley" -Color Green
by CarlosPolop & RandolphConley
" ######################## VARIABLES ########################
# Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml # Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
# Set these values to true to add them to the regex search by default
$password = $true
$username = $true
$webAuth = $true
$regexSearch = @{} $regexSearch = @{}
if ($password) {
$regexSearch.add("Simple Passwords1", "pass.*[=:].+")
$regexSearch.add("Simple Passwords2", "pwd.*[=:].+")
$regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}') $regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
$regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}") $regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
$regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*') $regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
@ -167,29 +190,31 @@ $regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
$regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)") $regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
$regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)") $regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
$regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)") $regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")
# This does not work correctly
#$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+\/]+={0,2}")
}
if ($username) {
$regexSearch.add("Usernames1", "username[=:].+")
$regexSearch.add("Usernames2", "user[=:].+")
$regexSearch.add("Usernames3", "login[=:].+")
$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
$regexSearch.add("Net user add", "net user .+ /add")
}
if ($apiANDToken) {
$regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}") $regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
$regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}") $regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+") $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
$regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})") $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
$regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]") $regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
$regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}") $regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
$regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}") $regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
$regexSearch.add("Airtable API Key", "([a-z0-9]{17})") $regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
$regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]") $regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
$regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']") $regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
$regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]") $regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}")
$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
$regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]") $regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
$regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])") $regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
$regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])") $regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
@ -204,7 +229,6 @@ $regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:
$regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]") $regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
$regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}") $regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
$regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}") $regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
$regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})") $regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
$regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]") $regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
$regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]") $regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
@ -227,9 +251,6 @@ $regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
$regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]") $regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
$regexSearch.add("Etsy Access Token", "([a-z0-9]{24})") $regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
$regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+") $regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
$regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]") $regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
$regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]") $regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
$regexSearch.add("Flickr Access Token", "([a-z0-9]{32})") $regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
@ -262,7 +283,6 @@ $regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a
$regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]") $regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
$regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]") $regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
$regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]") $regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
$regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})") $regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
$regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})") $regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
$regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})") $regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
@ -347,24 +367,48 @@ $regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
$regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]") $regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
$regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})") $regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
$regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]") $regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
}
if ($webAuth) {
$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
$regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]") $regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
$regexSearch.add("Basic Auth", "//(.+):(.+)@") $regexSearch.add("Basic Auth", "//(.+):(.+)@")
$regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)") $regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
$regexSearch.add("Config Secrets", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config") $regexSearch.add("Config Secrets (Passwd / Credentials)", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
$regexSearch.add("Simple Passwords", "passw.*[=:].+")
$regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]") $regexSearch.add("Generiac API tokens search", 
"(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
$regexSearch.add("Usernames", "username.*[=:].+") }
$regexSearch.add("Net user add", "net user .+ /add")
$regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") $regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}") $Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
######################## INTRODUCTION ######################## ######################## INTRODUCTION ########################
$stopwatch = [system.diagnostics.stopwatch]::StartNew() $stopwatch = [system.diagnostics.stopwatch]::StartNew()
if($FullCheck){
Write-Host "**Full Check Enabled. This will significantly increase false positives in registry / folder check for Usernames / Passwords.**"
}
# Introduction # Introduction
Write-Host -ForegroundColor cyan "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script" Write-Host -BackgroundColor Red -ForegroundColor White "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
Write-Host -ForegroundColor cyan "WinPEAS should be used for authorized penetration testing and/or educational purposes only" Write-Host -BackgroundColor Red -ForegroundColor White "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
Write-Host -ForegroundColor cyan "Any misuse of this software will not be the responsibility of the author or of any other collaborator" Write-Host -BackgroundColor Red -ForegroundColor White "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
Write-Host -ForegroundColor cyan "Use it at your own networks and/or with the network owner's explicit permission" Write-Host -BackgroundColor Red -ForegroundColor White "Use it at your own networks and/or with the network owner's explicit permission"
# Color Scheme Introduction # Color Scheme Introduction
@ -1352,9 +1396,46 @@ if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:" Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:"
Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check in Files/Folders"
# Looking through the entire computer for passwords
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea kinda time."
Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
# Also looks for MCaffee site list while looping through the drives.
$Drives.Root | ForEach-Object {
$Drive = $_
Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {
$path = $_
if ($Path.FullName -like '*Lang*') {
#Write-Host "$($_.FullName) found!" -ForegroundColor red
}
else {
if ($path.Length -gt 0) {
# Write-Host -ForegroundColor Blue "Path name matches extension search: $path"
}
if ($path -like "*SiteList.xml") {
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
}
$regexSearch.keys | ForEach-Object {
$passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1
if ($passwordFound) {
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
Write-Host $Path.FullName
Write-Host -ForegroundColor Blue "$_ triggered"
Write-Host $passwordFound -ForegroundColor Red
}
}
}
}
}
Write-Host -ForegroundColor Blue "=========|| Registry Password Check" Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
# Looking through the entire registry for passwords # Looking through the entire registry for passwords
Write-Host "Checking over 200 different password regex types."
Write-Host "This will take some time. Won't you have a pepsi?" Write-Host "This will take some time. Won't you have a pepsi?"
$regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\") $regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
# Search for the string in registry values and properties # Search for the string in registry values and properties
@ -1382,33 +1463,3 @@ foreach ($r in $regPath) {
if ($TimeStamp) { TimeElapsed } if ($TimeStamp) { TimeElapsed }
Write-Host "Finished $r" Write-Host "Finished $r"
} }
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check in Files"
# Looking through the entire computer for passwords
$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
$fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
Write-Host ""
if ($TimeStamp) { TimeElapsed }
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
# Also looks for MCaffee site list while looping through the drives.
$Drives.Root | ForEach-Object {
$Drive = $_
Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue | ForEach-Object {
$path = $_
if ($path -like "*SiteList.xml") {
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
}
$regexSearch.keys | ForEach-Object {
$password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
if ($password) {
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
Write-Host $Path.FullName
Write-Host $password -ForegroundColor Red
}
}
}
}
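Review bot: The new `-FullCheck` switch never reaches the regex table: the API/token patterns are gated on `if ($apiANDToken)` in the third hunk, but nothing in the visible hunks assigns `$apiANDToken`, while `$password`, `$username` and `$webAuth` are hard-coded to `$true` and `$FullCheck` only drives the banner printed after the stopwatch starts. Unless it is set somewhere outside this diff, that whole block is dead and the help text's "Full audit ... APIs / Keys / Tokens" promise is not kept; add `$apiANDToken = $FullCheck` next to the other toggles (or make the guard `if ($FullCheck) {`). Separately, the rendered new side appears to add the `Adafruit API Key` entry twice in that same block; if that is a real duplicate rather than a rendering artifact, `$regexSearch.add` will throw on the second key the moment the block is enabled, so use `$regexSearch["Adafruit API Key"] = "([a-z0-9_-]{32})"` or delete one. In the file-scan loop, `if ($Path.FullName -like '*Lang*')` is a case-insensitive substring test, so any path containing "lang" (an Erlang install, a user named Lang) is silently skipped; if the intent is a specific directory, anchor it, e.g. `-like '*\Lang\*'`, and say so in the comment. Since matches are now printed with one line of context via `Select-String ... -Context 1, 1`, it is worth noting in the banner that console output (and any `Start-Transcript` log) will contain the harvested secrets in clear text.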