Feature Add, Bug fix
Added 203 regex password options (from yaml regex search). Updated entry for %userprofile% to $env:UserName
This commit is contained in:
StevenLtheThird
parent
b617756f80
commit
f296c89300
@ -120,7 +120,7 @@ Function Get-ClipBoardText {
|
||||
|
||||
}
|
||||
}
|
||||
function h {Write-host "##" -ForegroundColor Green}
|
||||
function h { Write-Host "##" -ForegroundColor Green }
|
||||
|
||||
"
|
||||
((,.,/((((((((((((((((((((/, */
|
||||
@ -608,7 +608,7 @@ Write-Host -ForegroundColor Blue "=========|| RDCMan Settings Check"
|
||||
if (Test-Path "$env:USERPROFILE\appdata\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings") {
|
||||
Write-Host "RDCMan Settings Found at: $($env:USERPROFILE)\appdata\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" -ForegroundColor Red
|
||||
}
|
||||
else { write-host "No RCDMan.Settings found." }
|
||||
else { Write-Host "No RCDMan.Settings found." }
|
||||
|
||||
|
||||
Write-Host ""
|
||||
@ -620,15 +620,15 @@ New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
|
||||
Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object {
|
||||
# get the SID from output
|
||||
$HKUSID = $_.Name.Replace('HKEY_USERS\', "")
|
||||
if (test-path "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default") {
|
||||
Write-Host "Server Found: $((Get-ItemProperty "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default" -name MRU0).MRU0)"
|
||||
if (Test-Path "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default") {
|
||||
Write-Host "Server Found: $((Get-ItemProperty "registry::HKEY_USERS\$HKUSID\Software\Microsoft\Terminal Server Client\Default" -Name MRU0).MRU0)"
|
||||
}
|
||||
else { Write-Host "Not found for $($_.Name)" }
|
||||
}
|
||||
|
||||
Write-Host "HKCU"
|
||||
if (test-path "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default") {
|
||||
write-host "Server Found: $((Get-ItemProperty "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" -name MRU0).MRU0)"
|
||||
if (Test-Path "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default") {
|
||||
Write-Host "Server Found: $((Get-ItemProperty "registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" -Name MRU0).MRU0)"
|
||||
}
|
||||
else { Write-Host "Terminal Server Client not found in HCKU" }
|
||||
|
||||
@ -641,12 +641,12 @@ if (Test-Path HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions) {
|
||||
$RegKeyName = Split-Path $_.Name -Leaf
|
||||
Write-Host "Key: $RegKeyName"
|
||||
@("HostName", "PortNumber", "UserName", "PublicKeyFile", "PortForwardings", "ConnectionSharing", "ProxyUsername", "ProxyPassword") | ForEach-Object {
|
||||
write-host "$_ :"
|
||||
write-host "$((Get-ItemProperty HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions\$RegKeyName).$_)"
|
||||
Write-Host "$_ :"
|
||||
Write-Host "$((Get-ItemProperty HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions\$RegKeyName).$_)"
|
||||
}
|
||||
}
|
||||
}
|
||||
else { write-host "No putty credentials found in HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions" }
|
||||
else { Write-Host "No putty credentials found in HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions" }
|
||||
|
||||
|
||||
Write-Host ""
|
||||
@ -655,14 +655,14 @@ Write-Host -ForegroundColor Blue "=========|| SSH Key Checks"
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| If found:"
|
||||
Write-host "https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/" -ForegroundColor Yellow
|
||||
Write-Host "https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/" -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Checking Putty SSH KNOWN HOSTS"
|
||||
if (Test-Path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys) {
|
||||
write-host "$((Get-Item -path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys).Property)"
|
||||
Write-Host "$((Get-Item -Path HKCU:\Software\SimonTatham\PuTTY\SshHostKeys).Property)"
|
||||
}
|
||||
else { Write-host "No putty ssh keys found" }
|
||||
else { Write-Host "No putty ssh keys found" }
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
@ -674,19 +674,19 @@ else { Write-Host "No OpenSSH Keys found." }
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Checking for WinVNC Passwords"
|
||||
if ( Test-Path "HKCU:\Software\ORL\WinVNC3\Password") { Write-host " WinVNC found at HKCU:\Software\ORL\WinVNC3\Password" }else { Write-Host "No WinVNC found." }
|
||||
if ( Test-Path "HKCU:\Software\ORL\WinVNC3\Password") { Write-Host " WinVNC found at HKCU:\Software\ORL\WinVNC3\Password" }else { Write-Host "No WinVNC found." }
|
||||
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Checking for SNMP Passwords"
|
||||
if ( Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" ) { Write-host "SNPM Key found at HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" }else { Write-host "No SNPM found." }
|
||||
if ( Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" ) { Write-Host "SNPM Key found at HKLM:\SYSTEM\CurrentControlSet\Services\SNMP" }else { Write-Host "No SNPM found." }
|
||||
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Checking for TightVNC Passwords"
|
||||
if ( Test-Path "HKCU:\Software\TightVNC\Server") { write-host "TightVNC key found at HKCU:\Software\TightVNC\Server" }else { write-host "No TightVNC found." }
|
||||
if ( Test-Path "HKCU:\Software\TightVNC\Server") { Write-Host "TightVNC key found at HKCU:\Software\TightVNC\Server" }else { Write-Host "No TightVNC found." }
|
||||
|
||||
|
||||
Write-Host ""
|
||||
@ -708,7 +708,7 @@ Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object {
|
||||
$HKUSID = $_.Name.Replace('HKEY_USERS\', "")
|
||||
$property = (Get-Item "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).Property
|
||||
$HKUSID | ForEach-Object {
|
||||
if (test-path "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU") {
|
||||
if (Test-Path "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU") {
|
||||
Write-Host -ForegroundColor Blue "=========||HKU Recently Run Commands"
|
||||
foreach ($p in $property) {
|
||||
Write-Host "$((Get-Item "HKU:\$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"-ErrorAction SilentlyContinue).getValue($p))"
|
||||
@ -852,7 +852,7 @@ Get-Process | Select-Object Path -Unique | ForEach-Object { Start-ACLCheck -Targ
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| System processes"
|
||||
Start-process tasklist -argumentList '/v /fi "username eq system"' -wait -NoNewWindow
|
||||
Start-Process tasklist -ArgumentList '/v /fi "username eq system"' -Wait -NoNewWindow
|
||||
|
||||
|
||||
######################## SERVICES ########################
|
||||
@ -885,7 +885,7 @@ UnquotedServicePathCheck
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Checking Service Registry Permissions"
|
||||
Write-host "This will take some time."
|
||||
Write-Host "This will take some time."
|
||||
|
||||
Get-ChildItem 'HKLM:\System\CurrentControlSet\services\' | ForEach-Object {
|
||||
$target = $_.Name.Replace("HKEY_LOCAL_MACHINE", "hklm:")
|
||||
@ -918,7 +918,7 @@ else {
|
||||
elseif ($a -like "%appdata%*") { $a = $a.replace("%localappdata%", $env:Appdata) }
|
||||
$a = $a.Replace('"', '')
|
||||
Start-ACLCheck -Target $a
|
||||
Write-host "`n"
|
||||
Write-Host "`n"
|
||||
Write-Host "TaskName: $($_.TaskName)"
|
||||
Write-Host "-------------"
|
||||
[pscustomobject]@{
|
||||
@ -927,7 +927,7 @@ else {
|
||||
Status = $_.State
|
||||
Command = $_.Actions.execute
|
||||
Arguments = $_.Actions.Arguments
|
||||
} | write-host
|
||||
} | Write-Host
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -950,7 +950,7 @@ Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privileg
|
||||
Start-ACLCheck $_
|
||||
Get-ChildItem -Recurse -Force -Path $_ | ForEach-Object {
|
||||
$SubItem = $_.FullName
|
||||
if (test-path $SubItem) {
|
||||
if (Test-Path $SubItem) {
|
||||
Start-ACLCheck -Target $SubItem
|
||||
}
|
||||
}
|
||||
@ -1027,20 +1027,20 @@ Write-Host -ForegroundColor Blue "=========|| IP INFORMATION"
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Ipconfig ALL"
|
||||
start-process ipconfig.exe -ArgumentList "/all" -Wait -NoNewWindow
|
||||
Start-Process ipconfig.exe -ArgumentList "/all" -Wait -NoNewWindow
|
||||
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| DNS Cache"
|
||||
ipconfig /displaydns | select-string "Record" | ForEach-Object { Write-Host $('{0}' -f $_) }
|
||||
ipconfig /displaydns | Select-String "Record" | ForEach-Object { Write-Host $('{0}' -f $_) }
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| LISTENING PORTS"
|
||||
|
||||
# running netstat as powershell is too slow to print to console
|
||||
start-process NETSTAT.EXE -argumentList "-ano" -Wait -NoNewWindow
|
||||
Start-Process NETSTAT.EXE -ArgumentList "-ano" -Wait -NoNewWindow
|
||||
|
||||
|
||||
Write-Host ""
|
||||
@ -1048,14 +1048,14 @@ if($debug){TimeElapsed}
|
||||
Write-Host -ForegroundColor Blue "=========|| ARP Table"
|
||||
|
||||
# Arp table info
|
||||
Start-process arp -argumentList "-A" -Wait -NoNewWindow
|
||||
Start-Process arp -ArgumentList "-A" -Wait -NoNewWindow
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Routes"
|
||||
|
||||
# Route info
|
||||
start-process route -argumentList "print" -Wait -NoNewWindow
|
||||
Start-Process route -ArgumentList "print" -Wait -NoNewWindow
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
@ -1063,13 +1063,13 @@ Write-Host -ForegroundColor Blue "=========|| Network Adapter info"
|
||||
|
||||
# Network Adapter info
|
||||
Get-NetAdapter | ForEach-Object {
|
||||
write-host "----------"
|
||||
write-host $_.Name
|
||||
write-host $_.InterfaceDescription
|
||||
write-host $_.ifIndex
|
||||
write-host $_.Status
|
||||
write-host $_.MacAddress
|
||||
write-host "----------"
|
||||
Write-Host "----------"
|
||||
Write-Host $_.Name
|
||||
Write-Host $_.InterfaceDescription
|
||||
Write-Host $_.ifIndex
|
||||
Write-Host $_.Status
|
||||
Write-Host $_.MacAddress
|
||||
Write-Host "----------"
|
||||
}
|
||||
|
||||
|
||||
@ -1113,11 +1113,11 @@ Write-Host "== || Generating List of all Administrators, Users and Backup Operat
|
||||
@("ADMINISTRATORS", "USERS") | ForEach-Object {
|
||||
Write-Host $_
|
||||
Write-Host "-------"
|
||||
Start-process net -ArgumentList "localgroup $_" -Wait -NoNewWindow
|
||||
Start-Process net -ArgumentList "localgroup $_" -Wait -NoNewWindow
|
||||
}
|
||||
Write-Host "BACKUP OPERATORS"
|
||||
Write-Host "-------"
|
||||
start-process net -ArgumentList 'localgroup "Backup Operators"' -wait -NoNewWindow
|
||||
Start-Process net -ArgumentList 'localgroup "Backup Operators"' -Wait -NoNewWindow
|
||||
|
||||
|
||||
Write-Host ""
|
||||
@ -1138,7 +1138,7 @@ if($debug){TimeElapsed}
|
||||
Write-Host -ForegroundColor Blue "=========|| Check Token access here: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens" -ForegroundColor yellow
|
||||
Write-Host -ForegroundColor Blue "=========|| Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege"
|
||||
Write-Host "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups" -ForegroundColor Yellow
|
||||
start-process whoami.exe -ArgumentList "/all" -wait -NoNewWindow
|
||||
Start-Process whoami.exe -ArgumentList "/all" -Wait -NoNewWindow
|
||||
|
||||
|
||||
Write-Host ""
|
||||
@ -1245,14 +1245,14 @@ $appdataRoaming = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\"
|
||||
$appdataLocal = "C:\Users\$env:USERNAME\AppData\Local\Microsoft\"
|
||||
if ( Test-Path "$appdataRoaming\Protect\") {
|
||||
Write-Host "found: $appdataRoaming\Protect\"
|
||||
Get-ChildItem -Path "$appdataRoaming\Protect\" -Force | foreach-object {
|
||||
Get-ChildItem -Path "$appdataRoaming\Protect\" -Force | ForEach-Object {
|
||||
Write-Host $_.FullName
|
||||
}
|
||||
}
|
||||
if ( Test-Path "$appdataLocal\Protect\") {
|
||||
Write-Host "found: $appdataLocal\Protect\"
|
||||
Get-ChildItem -Path "$appdataLocal\Protect\" -Force | foreach-object {
|
||||
write-host $_.FullName
|
||||
Get-ChildItem -Path "$appdataLocal\Protect\" -Force | ForEach-Object {
|
||||
Write-Host $_.FullName
|
||||
}
|
||||
}
|
||||
|
||||
@ -1354,7 +1354,8 @@ Write-Host "if credentials are found in the recycle bin, tool from nirsoft may a
|
||||
|
||||
Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
|
||||
# Looking through the entire registry for passwords
|
||||
Write-host "This will take some time. Won't you have a pepsi?"
|
||||
Write-Host "Checking over 200 different password regex types."
|
||||
Write-Host "This will take some time. Won't you have a pepsi?"
|
||||
$regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
|
||||
# Search for the string in registry values and properties
|
||||
foreach ($r in $regPath) {
|
||||
@ -1363,14 +1364,16 @@ foreach ($r in $regPath) {
|
||||
$Name = $_.Name
|
||||
$property | ForEach-Object {
|
||||
$Prop = $_
|
||||
foreach ($r in $regexSearch) {
|
||||
if ($Prop | Where-Object { $_ -like $r }) {
|
||||
"Found: $Name\$Prop"
|
||||
$regexSearch.keys | ForEach-Object {
|
||||
$value = $regexSearch[$_]
|
||||
if ($Prop | Where-Object { $_ -like $value }) {
|
||||
Write-Host "Possible Password Found: $Name\$Prop"
|
||||
Write-Host "Key: $_" -ForegroundColor Red
|
||||
}
|
||||
$Prop | ForEach-Object {
|
||||
$Value = (Get-ItemProperty "registry::$Name").$_
|
||||
if ($Value | Where-Object { $_ -like $r }) {
|
||||
Write-Host "Found: $name\$_ $Value"
|
||||
$propValue = (Get-ItemProperty "registry::$Name").$_
|
||||
if ($propValue | Where-Object { $_ -like $Value }) {
|
||||
Write-Host "Possible Password Found: $name\$_ $propValue"
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1382,10 +1385,10 @@ foreach ($r in $regPath) {
|
||||
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check"
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check in Files"
|
||||
# Looking through the entire computer for passwords
|
||||
$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
|
||||
$fileExtensions = @("*.xml", "*.txt", "*.conf*", "*.ini", ".y*ml", "*.log", "*.bak")
|
||||
$fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
|
||||
Write-Host ""
|
||||
if ($debug) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
|
||||
@ -1399,12 +1402,12 @@ $Drives.Root | ForEach-Object {
|
||||
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
|
||||
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
|
||||
}
|
||||
foreach ($r in $regexSearch) {
|
||||
$password = Get-Content $_.FullName -ErrorAction SilentlyContinue | Select-String $r
|
||||
$regexSearch.keys | ForEach-Object {
|
||||
$password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
|
||||
if ($password) {
|
||||
Write-Host "Possible Password found: "
|
||||
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
|
||||
Write-Host $Path.FullName
|
||||
Write-Host $password
|
||||
Write-Host $password -ForegroundColor Red
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user