diff --git a/winPEAS/winPEASps1/winPEAS.ps1 b/winPEAS/winPEASps1/winPEAS.ps1 index 4aa8644..58bf2eb 100644 --- a/winPEAS/winPEASps1/winPEAS.ps1 +++ b/winPEAS/winPEASps1/winPEAS.ps1 @@ -6,7 +6,10 @@ .EXAMPLE # Default - normal operation with username/password audit in drives/registry .\winPeas.ps1 - + + # Include Excel files in search: .xls, .xlsx, .xlsm + .\winPeas.ps1 -Excel + # Full audit - normal operation with APIs / Keys / Tokens ## This will produce false positives ## .\winPeas.ps1 -FullCheck @@ -31,7 +34,8 @@ [CmdletBinding()] param( [switch]$TimeStamp, - [switch]$FullCheck + [switch]$FullCheck, + [switch]$Excel ) # Gather KB from all patches installed @@ -116,7 +120,6 @@ Function UnquotedServicePathCheck { } function TimeElapsed { Write-Host "Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)" } - Function Get-ClipBoardText { Add-Type -AssemblyName PresentationCore $text = [Windows.Clipboard]::GetText() @@ -128,6 +131,86 @@ Function Get-ClipBoardText { } } + +Function Search-Excel { + [cmdletbinding()] + Param ( + [parameter(Mandatory, ValueFromPipeline)] + [ValidateScript({ + Try { + If (Test-Path -Path $_) {$True} + Else {Throw "$($_) is not a valid path!"} + } + Catch { + Throw $_ + } + })] + [string]$Source, + [parameter(Mandatory)] + [string]$SearchText + #You can specify wildcard characters (*, ?) + ) + $Excel = New-Object -ComObject Excel.Application + Try { + $Source = Convert-Path $Source + } + Catch { + Write-Warning "Unable locate full path of $($Source)" + BREAK + } + $Workbook = $Excel.Workbooks.Open($Source) + ForEach ($Worksheet in @($Workbook.Sheets)) { + # Find Method https://msdn.microsoft.com/en-us/vba/excel-vba/articles/range-find-method-excel + $Found = $WorkSheet.Cells.Find($SearchText) + If ($Found) { + try{ + # Address Method https://msdn.microsoft.com/en-us/vba/excel-vba/articles/range-address-property-excel + Write-Host "Pattern: '$SearchText' found in $source" -ForegroundColor Blue + $BeginAddress = $Found.Address(0,0,1,1) + #Initial Found Cell + [pscustomobject]@{ + WorkSheet = $Worksheet.Name + Column = $Found.Column + Row =$Found.Row + TextMatch = $Found.Text + Address = $BeginAddress + } + Do { + $Found = $WorkSheet.Cells.FindNext($Found) + $Address = $Found.Address(0,0,1,1) + If ($Address -eq $BeginAddress) { + Write-host "Address is same as Begin Address" + BREAK + } + [pscustomobject]@{ + WorkSheet = $Worksheet.Name + Column = $Found.Column + Row =$Found.Row + TextMatch = $Found.Text + Address = $Address + } + } Until ($False) + } + catch { + # Null expression in Found + } + } + #Else { + # Write-Warning "[$($WorkSheet.Name)] Nothing Found!" + #} + } + try{ + $workbook.close($False) + [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject([System.__ComObject]$excel) + [gc]::Collect() + [gc]::WaitForPendingFinalizers() + } + catch{ + #Usually an RPC error + } + Remove-Variable excel -ErrorAction SilentlyContinue +} + function Write-Color([String[]]$Text, [ConsoleColor[]]$Color) { for ($i = 0; $i -lt $Text.Length; $i++) { Write-Host $Text[$i] -Foreground $Color[$i] -NoNewline @@ -203,7 +286,7 @@ if ($username) { $regexSearch.add("Net user add", "net user .+ /add") } -if ($apiANDToken) { +if ($FullCheck) { $regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}") $regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}") $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})") @@ -393,15 +476,17 @@ if ($webAuth) { $regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]") } +if($FullCheck){$Excel = $true} + $regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") $Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" } -$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak") +$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak", "*.xls", "*.xlsx", "*.xlsm") ######################## INTRODUCTION ######################## $stopwatch = [system.diagnostics.stopwatch]::StartNew() -if($FullCheck){ +if ($FullCheck) { Write-Host "**Full Check Enabled. This will significantly increase false positives in registry / folder check for Usernames / Passwords.**" } # Introduction @@ -1377,7 +1462,6 @@ Write-Host -ForegroundColor Blue "=========|| SAM / SYSTEM Backup Checks" } } - Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Group Policy Password Check" @@ -1396,27 +1480,47 @@ if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:" Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow +######################## File/Folder Check ######################## + Write-Host "" if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Password Check in Files/Folders" # Looking through the entire computer for passwords +# Also looks for MCaffee site list while looping through the drives. if ($TimeStamp) { TimeElapsed } Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea kinda time." Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions" -# Also looks for MCaffee site list while looping through the drives. +# Check if the Excel com object is installed, if so, look through files, if not, just notate if a file has "user" or "password in name" +try { New-Object -ComObject Excel.Application | Out-Null; $ReadExcel = $true }catch {$ReadExcel = $false; if($Excel){ + Write-Host -ForegroundColor Yellow "Host does not have Excel COM object, will still point out excel files when found." +}} $Drives.Root | ForEach-Object { $Drive = $_ Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object { $path = $_ - if ($Path.FullName -like '*Lang*') { + #Exclude files/folders with 'lang' in the name + if ($Path.FullName | select-string "(?i).*lang.*") { #Write-Host "$($_.FullName) found!" -ForegroundColor red } + if($Path.FullName | Select-String "(?i).:\\.*\\.*Pass.*"){ + write-host -ForegroundColor Blue "$($path.FullName) contains the word 'pass'" + } + if($Path.FullName | Select-String ".:\\.*\\.*user.*" ){ + Write-Host -ForegroundColor Blue "$($path.FullName) contains the word 'user' -excluding the 'users' directory" + } + # If path name ends with common excel extensions + elseif ($Path.FullName | Select-String ".*\.xls",".*\.xlsm",".*\.xlsx") { + if ($ReadExcel -and $Excel) { + Search-Excel -Source $Path.FullName -SearchText "user" + Search-Excel -Source $Path.FullName -SearchText "pass" + } + } else { if ($path.Length -gt 0) { # Write-Host -ForegroundColor Blue "Path name matches extension search: $path" } - if ($path -like "*SiteList.xml") { + if ($path.FullName | Select-String "(?i).*SiteList\.xml") { Write-Host "Possible MCaffee Site List Found: $($_.FullName)" Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow } @@ -1433,6 +1537,7 @@ $Drives.Root | ForEach-Object { } } +######################## Registry Password Check ######################## Write-Host -ForegroundColor Blue "=========|| Registry Password Check" # Looking through the entire registry for passwords