mirror of
https://github.com/carlospolop/PEASS-ng
synced 2024-11-20 12:39:21 +01:00
logo color, updated output, added -fullcheck flag
Added colors to the logo, so winPEAS looks like it should. Updated the output to filter out erroneous information. Which leads to the -fullcheck flag. The flag adds all regex searches back into the script to check files/folders for data. However the regexes do return false positives, so use as a last resort.
This commit is contained in:
StevenLtheThird
parent
cab71afe3a
commit
4ee91b897a
@ -4,26 +4,34 @@
|
||||
.DESCRIPTION
|
||||
For the legal enumeration of windows based computers that you either own or are approved to run this script on
|
||||
.EXAMPLE
|
||||
.\WinPeas.ps1
|
||||
# Default - normal operation with username/password audit in drives/registry
|
||||
.\winPeas.ps1
|
||||
|
||||
# Full audit - normal operation with APIs / Keys / Tokens
|
||||
## This will produce false positives ##
|
||||
.\winPeas.ps1 -FullCheck
|
||||
|
||||
# Add Time stamps to each command
|
||||
.\WinPeas.ps1 -TimeStamp
|
||||
.\winPeas.ps1 -TimeStamp
|
||||
|
||||
.NOTES
|
||||
Version: 1.0
|
||||
Version: 1.3
|
||||
PEASS-ng Original Author: carlospolop
|
||||
WinPEAS.ps1 Author: @RandolphConley
|
||||
winPEAS.ps1 Author: @RandolphConley
|
||||
Creation Date: 10/4/2022
|
||||
Website: https://github.com/carlospolop/PEASS-ng
|
||||
|
||||
TESTED: PoSh 5,7
|
||||
UNTESTED: Posh 3,4
|
||||
INCOMPATIBLE: Posh 2 or lower
|
||||
UNTESTED: PoSh 3,4
|
||||
NOT FULLY COMPATIBLE: PoSh 2 or lower
|
||||
#>
|
||||
|
||||
######################## FUNCTIONS ########################
|
||||
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[switch]$TimeStamp
|
||||
[switch]$TimeStamp,
|
||||
[switch]$FullCheck
|
||||
)
|
||||
|
||||
# Gather KB from all patches installed
|
||||
@ -120,251 +128,287 @@ Function Get-ClipBoardText {
|
||||
|
||||
}
|
||||
}
|
||||
function h { Write-Host "##" -ForegroundColor Green }
|
||||
function Write-Color([String[]]$Text, [ConsoleColor[]]$Color) {
|
||||
for ($i = 0; $i -lt $Text.Length; $i++) {
|
||||
Write-Host $Text[$i] -Foreground $Color[$i] -NoNewline
|
||||
}
|
||||
Write-Host
|
||||
}
|
||||
|
||||
"
|
||||
((,.,/((((((((((((((((((((/, */
|
||||
,/*,..*(((((((((((((((((((((((((((((((((,
|
||||
,*/((((((((((((((((((/, .*//((//**, .*((((((*
|
||||
((((((((((((((((* *****,,,/########## .(* ,((((((
|
||||
(((((((((((/* ******************/####### .(. ((((((
|
||||
((((((..******************/@@@@@/***/###### /((((((
|
||||
,,..**********************@@@@@@@@@@(***,#### ../(((((
|
||||
, ,**********************#@@@@@#@@@@*********##((/ /((((
|
||||
..(((##########*********/#@@@@@@@@@/*************,,..((((
|
||||
.(((################(/******/@@@@@#****************.. /((
|
||||
.((########################(/************************..*(
|
||||
.((#############################(/********************.,(
|
||||
.((##################################(/***************..(
|
||||
.((######################################(************..(
|
||||
.((######(,.***.,(###################(..***(/*********..(
|
||||
.((######*(#####((##################((######/(********..(
|
||||
.((##################(/**********(################(**...(
|
||||
.(((####################/*******(###################.((((
|
||||
.(((((############################################/ /((
|
||||
..(((((#########################################(..(((((.
|
||||
....(((((#####################################( .((((((.
|
||||
......(((((#################################( .(((((((.
|
||||
(((((((((. ,(############################(../(((((((((.
|
||||
(((((((((/, ,####################(/..((((((((((.
|
||||
(((((((((/,. ,*//////*,. ./(((((((((((.
|
||||
(((((((((((((((((((((((((((/
|
||||
by CarlosPolop & RandolphConley
|
||||
"
|
||||
#Write-Color " ((,.,/((((((((((((((((((((/, */" -Color Green
|
||||
Write-Color ",/*,..*(((((((((((((((((((((((((((((((((," -Color Green
|
||||
Write-Color ",*/((((((((((((((((((/, .*//((//**, .*((((((*" -Color Green
|
||||
Write-Color "((((((((((((((((", "* *****,,,", "\########## .(* ,((((((" -Color Green, Blue, Green
|
||||
Write-Color "(((((((((((", "/*******************", "####### .(. ((((((" -Color Green, Blue, Green
|
||||
Write-Color "(((((((", "/******************", "/@@@@@/", "***", "\#######\((((((" -Color Green, Blue, White, Blue, Green
|
||||
Write-Color ",,..", "**********************", "/@@@@@@@@@/", "***", ",#####.\/(((((" -Color Green, Blue, White, Blue, Green
|
||||
Write-Color ", ,", "**********************", "/@@@@@+@@@/", "*********", "##((/ /((((" -Color Green, Blue, White, Blue, Green
|
||||
Write-Color "..(((##########", "*********", "/#@@@@@@@@@/", "*************", ",,..((((" -Color Green, Blue, White, Blue, Green
|
||||
Write-Color ".(((################(/", "******", "/@@@@@/", "****************", ".. /((" -Color Green, Blue, White, Blue, Green
|
||||
Write-Color ".((########################(/", "************************", "..*(" -Color Green, Blue, Green
|
||||
Write-Color ".((#############################(/", "********************", ".,(" -Color Green, Blue, Green
|
||||
Write-Color ".((##################################(/", "***************", "..(" -Color Green, Blue, Green
|
||||
Write-Color ".((######################################(/", "***********", "..(" -Color Green, Blue, Green
|
||||
Write-Color ".((######", "(,.***.,(", "###################", "(..***", "(/*********", "..(" -Color Green, Green, Green, Green, Blue, Green
|
||||
Write-Color ".((######*", "(####((", "###################", "((######", "/(********", "..(" -Color Green, Green, Green, Green, Blue, Green
|
||||
Write-Color ".((##################", "(/**********(", "################(**...(" -Color Green, Green, Green
|
||||
Write-Color ".(((####################", "/*******(", "###################.((((" -Color Green, Green, Green
|
||||
Write-Color ".(((((############################################/ /((" -Color Green
|
||||
Write-Color "..(((((#########################################(..(((((." -Color Green
|
||||
Write-Color "....(((((#####################################( .((((((." -Color Green
|
||||
Write-Color "......(((((#################################( .(((((((." -Color Green
|
||||
Write-Color "(((((((((. ,(############################(../(((((((((." -Color Green
|
||||
Write-Color " (((((((((/, ,####################(/..((((((((((." -Color Green
|
||||
Write-Color " (((((((((/,. ,*//////*,. ./(((((((((((." -Color Green
|
||||
Write-Color " (((((((((((((((((((((((((((/" -Color Green
|
||||
Write-Color " by CarlosPolop & RandolphConley" -Color Green
|
||||
|
||||
######################## VARIABLES ########################
|
||||
|
||||
# Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
|
||||
|
||||
# Set these values to true to add them to the regex search by default
|
||||
$password = $true
|
||||
$username = $true
|
||||
$webAuth = $true
|
||||
|
||||
$regexSearch = @{}
|
||||
$regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
|
||||
$regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
|
||||
$regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
|
||||
$regexSearch.add("Drupal", '\$S\$[a-zA-Z0-9_/\.]{52}')
|
||||
$regexSearch.add("Joomlavbulletin", "[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}")
|
||||
$regexSearch.add("Linux MD5", '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
|
||||
$regexSearch.add("phpbb3", '\$H\$[a-zA-Z0-9_/\.]{31}')
|
||||
$regexSearch.add("sha512crypt", '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}')
|
||||
$regexSearch.add("Wordpress", '\$P\$[a-zA-Z0-9_/\.]{31}')
|
||||
$regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
|
||||
$regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
|
||||
$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
|
||||
$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
|
||||
$regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
|
||||
$regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
|
||||
$regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
|
||||
$regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
|
||||
$regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
|
||||
$regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
|
||||
$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
|
||||
$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
|
||||
$regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
|
||||
$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
|
||||
$regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
|
||||
$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
|
||||
$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
|
||||
$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
|
||||
$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
|
||||
$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
|
||||
$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}")
|
||||
$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
|
||||
$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
|
||||
$regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
|
||||
$regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
|
||||
$regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
|
||||
$regexSearch.add("BitcoinAverage API Key", "(bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{43})['""]")
|
||||
$regexSearch.add("Bitquery API Key", "(bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
|
||||
$regexSearch.add("Bittrex Access Key and Access Key", "([a-z0-9]{32})")
|
||||
$regexSearch.add("Birise API Key", "(bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9_\-]{86})['""]")
|
||||
$regexSearch.add("Block API Key", "(block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['""]")
|
||||
$regexSearch.add("Blockchain API Key", "mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32}")
|
||||
$regexSearch.add("Blockfrost API Key", "(blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['""]")
|
||||
$regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
|
||||
$regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
|
||||
$regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
|
||||
$regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
|
||||
$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
|
||||
$regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
|
||||
$regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
|
||||
$regexSearch.add("Confluent Access Token & Secret Key", "([a-z0-9]{16})")
|
||||
$regexSearch.add("Contentful delivery API Key", "(contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{43})['""]")
|
||||
$regexSearch.add("Covalent API Key", "ckey_[a-z0-9]{27}")
|
||||
$regexSearch.add("Charity Search API Key", "(charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("Databricks API Key", "dapi[a-h0-9]{32}")
|
||||
$regexSearch.add("DDownload API Key", "(ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{22})['""]")
|
||||
$regexSearch.add("Defined Networking API token", "(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})")
|
||||
$regexSearch.add("Discord API Key, Client ID & Client Secret", "((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['""])")
|
||||
$regexSearch.add("Droneci Access Token", "([a-z0-9]{32})")
|
||||
$regexSearch.add("Dropbox API Key", "sl.[a-zA-Z0-9_-]{136}")
|
||||
$regexSearch.add("Doppler API Key", "(dp\.pt\.)[a-zA-Z0-9]{43}")
|
||||
$regexSearch.add("Dropbox API secret/key, short & long lived API Key", "(dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['""]")
|
||||
$regexSearch.add("Duffel API Key", "duffel_(test|live)_[a-zA-Z0-9_-]{43}")
|
||||
$regexSearch.add("Dynatrace API Key", "dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64}")
|
||||
$regexSearch.add("EasyPost API Key", "EZAK[a-zA-Z0-9]{54}")
|
||||
$regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
|
||||
$regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
|
||||
$regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
|
||||
$regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
|
||||
$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
|
||||
$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
|
||||
$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
|
||||
$regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
|
||||
$regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
|
||||
$regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
|
||||
$regexSearch.add("Flutterweave Keys", "FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12}")
|
||||
$regexSearch.add("Frame.io API Key", "fio-u-[a-zA-Z0-9_=\-]{64}")
|
||||
$regexSearch.add("Freshbooks Access Token", "([a-z0-9]{64})")
|
||||
$regexSearch.add("Github", "github(.{0,20})?['""][0-9a-zA-Z]{35,40}")
|
||||
$regexSearch.add("Github App Token", "(ghu|ghs)_[0-9a-zA-Z]{36}")
|
||||
$regexSearch.add("Github OAuth Access Token", "gho_[0-9a-zA-Z]{36}")
|
||||
$regexSearch.add("Github Personal Access Token", "ghp_[0-9a-zA-Z]{36}")
|
||||
$regexSearch.add("Github Refresh Token", "ghr_[0-9a-zA-Z]{76}")
|
||||
$regexSearch.add("GitHub Fine-Grained Personal Access Token", "github_pat_[0-9a-zA-Z_]{82}")
|
||||
$regexSearch.add("Gitlab Personal Access Token", "glpat-[0-9a-zA-Z\-]{20}")
|
||||
$regexSearch.add("GitLab Pipeline Trigger Token", "glptt-[0-9a-f]{40}")
|
||||
$regexSearch.add("GitLab Runner Registration Token", "GR1348941[0-9a-zA-Z_\-]{20}")
|
||||
$regexSearch.add("Gitter Access Token", "([a-z0-9_-]{40})")
|
||||
$regexSearch.add("GoCardless API Key", "live_[a-zA-Z0-9_=\-]{40}")
|
||||
$regexSearch.add("GoFile API Key", "(gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
|
||||
$regexSearch.add("Google API Key", "AIza[0-9A-Za-z_\-]{35}")
|
||||
$regexSearch.add("Google Cloud Platform API Key", "(google|gcp|youtube|drive|yt)(.{0,20})?['""][AIza[0-9a-z_\-]{35}]['""]")
|
||||
$regexSearch.add("Google Drive Oauth", "[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com")
|
||||
$regexSearch.add("Google Oauth Access Token", "ya29\.[0-9A-Za-z_\-]+")
|
||||
$regexSearch.add("Google (GCP) Service-account", """type.+:.+""service_account")
|
||||
$regexSearch.add("Grafana API Key", "eyJrIjoi[a-z0-9_=\-]{72,92}")
|
||||
$regexSearch.add("Grafana cloud api token", "glc_[A-Za-z0-9\+/]{32,}={0,2}")
|
||||
$regexSearch.add("Grafana service account token", "(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})")
|
||||
$regexSearch.add("Hashicorp Terraform user/org API Key", "[a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70}")
|
||||
$regexSearch.add("Heroku API Key", "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")
|
||||
$regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['""]")
|
||||
$regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
|
||||
$regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
|
||||
$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
|
||||
$regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
|
||||
$regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
|
||||
$regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
|
||||
$regexSearch.add("Kucoin Secret Key", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
|
||||
$regexSearch.add("Launchdarkly Access Token", "([a-z0-9=_\-]{40})")
|
||||
$regexSearch.add("Linear API Key", "(lin_api_[a-zA-Z0-9]{40})")
|
||||
$regexSearch.add("Linear Client Secret/ID", "((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""])")
|
||||
$regexSearch.add("LinkedIn Client ID", "linkedin(.{0,20})?['""][0-9a-z]{12}['""]")
|
||||
$regexSearch.add("LinkedIn Secret Key", "linkedin(.{0,20})?['""][0-9a-z]{16}['""]")
|
||||
$regexSearch.add("Lob API Key", "((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((live|test)_[a-f0-9]{35})['""])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((test|live)_pub_[a-f0-9]{31})['""])")
|
||||
$regexSearch.add("Lob Publishable API Key", "((test|live)_pub_[a-f0-9]{31})")
|
||||
$regexSearch.add("MailboxValidator", "(mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{20})['""]")
|
||||
$regexSearch.add("Mailchimp API Key", "[0-9a-f]{32}-us[0-9]{1,2}")
|
||||
$regexSearch.add("Mailgun API Key", "key-[0-9a-zA-Z]{32}'")
|
||||
$regexSearch.add("Mailgun Public Validation Key", "pubkey-[a-f0-9]{32}")
|
||||
$regexSearch.add("Mailgun Webhook signing key", "[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8}")
|
||||
$regexSearch.add("Mapbox API Key", "(pk\.[a-z0-9]{60}\.[a-z0-9]{22})")
|
||||
$regexSearch.add("Mattermost Access Token", "([a-z0-9]{26})")
|
||||
$regexSearch.add("MessageBird API Key & API client ID", "(messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
|
||||
$regexSearch.add("Microsoft Teams Webhook", "https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}")
|
||||
$regexSearch.add("MojoAuth API Key", "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}")
|
||||
$regexSearch.add("Netlify Access Token", "([a-z0-9=_\-]{40,46})")
|
||||
$regexSearch.add("New Relic User API Key, User API ID & Ingest Browser API Key", "(NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{64})['""])|(NRJS-[a-f0-9]{19})")
|
||||
$regexSearch.add("Nownodes", "(nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
|
||||
$regexSearch.add("Npm Access Token", "(npm_[a-zA-Z0-9]{36})")
|
||||
$regexSearch.add("Nytimes Access Token", "([a-z0-9=_\-]{32})")
|
||||
$regexSearch.add("Okta Access Token", "([a-z0-9=_\-]{42})")
|
||||
$regexSearch.add("OpenAI API Token", "sk-[A-Za-z0-9]{48}")
|
||||
$regexSearch.add("ORB Intelligence Access Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
|
||||
$regexSearch.add("Pastebin API Key", "(pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("PayPal Braintree Access Token", 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}')
|
||||
$regexSearch.add("Picatic API Key", "sk_live_[0-9a-z]{32}")
|
||||
$regexSearch.add("Pinata API Key", "(pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{64})['""]")
|
||||
$regexSearch.add("Planetscale API Key", "pscale_tkn_[a-zA-Z0-9_\.\-]{43}")
|
||||
$regexSearch.add("PlanetScale OAuth token", "(pscale_oauth_[a-zA-Z0-9_\.\-]{32,64})")
|
||||
$regexSearch.add("Planetscale Password", "pscale_pw_[a-zA-Z0-9_\.\-]{43}")
|
||||
$regexSearch.add("Plaid API Token", "(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
|
||||
$regexSearch.add("Plaid Client ID", "([a-z0-9]{24})")
|
||||
$regexSearch.add("Plaid Secret key", "([a-z0-9]{30})")
|
||||
$regexSearch.add("Prefect API token", "(pnu_[a-z0-9]{36})")
|
||||
$regexSearch.add("Postman API Key", "PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34}")
|
||||
$regexSearch.add("Private Keys", "\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-")
|
||||
$regexSearch.add("Pulumi API Key", "pul-[a-f0-9]{40}")
|
||||
$regexSearch.add("PyPI upload token", "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,}")
|
||||
$regexSearch.add("Quip API Key", "(quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['""]")
|
||||
$regexSearch.add("RapidAPI Access Token", "([a-z0-9_-]{50})")
|
||||
$regexSearch.add("Rubygem API Key", "rubygems_[a-f0-9]{48}")
|
||||
$regexSearch.add("Readme API token", "rdme_[a-z0-9]{70}")
|
||||
$regexSearch.add("Sendbird Access ID", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
|
||||
$regexSearch.add("Sendbird Access Token", "([a-f0-9]{40})")
|
||||
$regexSearch.add("Sendgrid API Key", "SG\.[a-zA-Z0-9_\.\-]{66}")
|
||||
$regexSearch.add("Sendinblue API Key", "xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}")
|
||||
$regexSearch.add("Sentry Access Token", "([a-f0-9]{64})")
|
||||
$regexSearch.add("Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret", "shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32}")
|
||||
$regexSearch.add("Sidekiq Secret", "([a-f0-9]{8}:[a-f0-9]{8})")
|
||||
$regexSearch.add("Sidekiq Sensitive URL", "([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)")
|
||||
$regexSearch.add("Slack Token", "xox[baprs]-([0-9a-zA-Z]{10,48})?")
|
||||
$regexSearch.add("Slack Webhook", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}")
|
||||
$regexSearch.add("Smarksheel API Key", "(smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{26})['""]")
|
||||
$regexSearch.add("Square Access Token", "sqOatp-[0-9A-Za-z_\-]{22}")
|
||||
$regexSearch.add("Square API Key", "EAAAE[a-zA-Z0-9_-]{59}")
|
||||
$regexSearch.add("Square Oauth Secret", "sq0csp-[ 0-9A-Za-z_\-]{43}")
|
||||
$regexSearch.add("Stytch API Key", "secret-.*-[a-zA-Z0-9_=\-]{36}")
|
||||
$regexSearch.add("Stripe Access Token & API Key", "(sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24}")
|
||||
$regexSearch.add("SumoLogic Access ID", "([a-z0-9]{14})")
|
||||
$regexSearch.add("SumoLogic Access Token", "([a-z0-9]{64})")
|
||||
$regexSearch.add("Telegram Bot API Token", "[0-9]+:AA[0-9A-Za-z\\-_]{33}")
|
||||
$regexSearch.add("Travis CI Access Token", "([a-z0-9]{22})")
|
||||
$regexSearch.add("Trello API Key", "(trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-z]{32})['""]")
|
||||
$regexSearch.add("Twilio API Key", "SK[0-9a-fA-F]{32}")
|
||||
$regexSearch.add("Twitch API Key", "(twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
|
||||
$regexSearch.add("Twitter Client ID", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{18,25}")
|
||||
$regexSearch.add("Twitter Bearer Token", "(A{22}[a-zA-Z0-9%]{80,100})")
|
||||
$regexSearch.add("Twitter Oauth", "[tT][wW][iI][tT][tT][eE][rR].{0,30}['""\\s][0-9a-zA-Z]{35,44}['""\\s]")
|
||||
$regexSearch.add("Twitter Secret Key", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{35,44}")
|
||||
$regexSearch.add("Typeform API Key", "tfp_[a-z0-9_\.=\-]{59}")
|
||||
$regexSearch.add("URLScan API Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
|
||||
$regexSearch.add("Vault Token", "[sb]\.[a-zA-Z0-9]{24}")
|
||||
$regexSearch.add("Yandex Access Token", "(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})")
|
||||
$regexSearch.add("Yandex API Key", "(AQVN[A-Za-z0-9_\-]{35,38})")
|
||||
$regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
|
||||
$regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
|
||||
$regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
|
||||
$regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
|
||||
$regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
|
||||
$regexSearch.add("Basic Auth", "//(.+):(.+)@")
|
||||
$regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
|
||||
$regexSearch.add("Config Secrets", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
|
||||
$regexSearch.add("Simple Passwords", "passw.*[=:].+")
|
||||
$regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
|
||||
$regexSearch.add("Usernames", "username.*[=:].+")
|
||||
$regexSearch.add("Net user add", "net user .+ /add")
|
||||
|
||||
if ($password) {
|
||||
$regexSearch.add("Simple Passwords1", "pass.*[=:].+")
|
||||
$regexSearch.add("Simple Passwords2", "pwd.*[=:].+")
|
||||
$regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
|
||||
$regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
|
||||
$regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
|
||||
$regexSearch.add("Drupal", '\$S\$[a-zA-Z0-9_/\.]{52}')
|
||||
$regexSearch.add("Joomlavbulletin", "[0-9a-zA-Z]{32}:[a-zA-Z0-9_]{16,32}")
|
||||
$regexSearch.add("Linux MD5", '\$1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
|
||||
$regexSearch.add("phpbb3", '\$H\$[a-zA-Z0-9_/\.]{31}')
|
||||
$regexSearch.add("sha512crypt", '\$6\$[a-zA-Z0-9_/\.]{16}\$[a-zA-Z0-9_/\.]{86}')
|
||||
$regexSearch.add("Wordpress", '\$P\$[a-zA-Z0-9_/\.]{31}')
|
||||
$regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
|
||||
$regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")
|
||||
# This does not work correctly
|
||||
#$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
|
||||
$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+\/]+={0,2}")
|
||||
|
||||
}
|
||||
if ($username) {
|
||||
$regexSearch.add("Usernames1", "username[=:].+")
|
||||
$regexSearch.add("Usernames2", "user[=:].+")
|
||||
$regexSearch.add("Usernames3", "login[=:].+")
|
||||
$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
|
||||
$regexSearch.add("Net user add", "net user .+ /add")
|
||||
}
|
||||
|
||||
if ($apiANDToken) {
|
||||
$regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
|
||||
$regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
|
||||
$regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
|
||||
$regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
|
||||
$regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
|
||||
$regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
|
||||
$regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
|
||||
$regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
|
||||
$regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
|
||||
$regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
|
||||
$regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
|
||||
$regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
|
||||
$regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
|
||||
$regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
|
||||
$regexSearch.add("BitcoinAverage API Key", "(bitcoin.?average[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{43})['""]")
|
||||
$regexSearch.add("Bitquery API Key", "(bitquery[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
|
||||
$regexSearch.add("Bittrex Access Key and Access Key", "([a-z0-9]{32})")
|
||||
$regexSearch.add("Birise API Key", "(bitrise[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9_\-]{86})['""]")
|
||||
$regexSearch.add("Block API Key", "(block[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})['""]")
|
||||
$regexSearch.add("Blockchain API Key", "mainnet[a-zA-Z0-9]{32}|testnet[a-zA-Z0-9]{32}|ipfs[a-zA-Z0-9]{32}")
|
||||
$regexSearch.add("Blockfrost API Key", "(blockchain[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[0-9a-f]{12})['""]")
|
||||
$regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
|
||||
$regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
|
||||
$regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
|
||||
$regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
|
||||
$regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
|
||||
$regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
|
||||
$regexSearch.add("Confluent Access Token & Secret Key", "([a-z0-9]{16})")
|
||||
$regexSearch.add("Contentful delivery API Key", "(contentful[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{43})['""]")
|
||||
$regexSearch.add("Covalent API Key", "ckey_[a-z0-9]{27}")
|
||||
$regexSearch.add("Charity Search API Key", "(charity.?search[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("Databricks API Key", "dapi[a-h0-9]{32}")
|
||||
$regexSearch.add("DDownload API Key", "(ddownload[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{22})['""]")
|
||||
$regexSearch.add("Defined Networking API token", "(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})")
|
||||
$regexSearch.add("Discord API Key, Client ID & Client Secret", "((discord[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-h0-9]{64}|[0-9]{18}|[a-z0-9=_\-]{32})['""])")
|
||||
$regexSearch.add("Droneci Access Token", "([a-z0-9]{32})")
|
||||
$regexSearch.add("Dropbox API Key", "sl.[a-zA-Z0-9_-]{136}")
|
||||
$regexSearch.add("Doppler API Key", "(dp\.pt\.)[a-zA-Z0-9]{43}")
|
||||
$regexSearch.add("Dropbox API secret/key, short & long lived API Key", "(dropbox[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{15}|sl\.[a-z0-9=_\-]{135}|[a-z0-9]{11}(AAAAAAAAAA)[a-z0-9_=\-]{43})['""]")
|
||||
$regexSearch.add("Duffel API Key", "duffel_(test|live)_[a-zA-Z0-9_-]{43}")
|
||||
$regexSearch.add("Dynatrace API Key", "dt0c01\.[a-zA-Z0-9]{24}\.[a-z0-9]{64}")
|
||||
$regexSearch.add("EasyPost API Key", "EZAK[a-zA-Z0-9]{54}")
|
||||
$regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
|
||||
$regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
|
||||
$regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
|
||||
$regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
|
||||
$regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
|
||||
$regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
|
||||
$regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
|
||||
$regexSearch.add("Flutterweave Keys", "FLWPUBK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST-[a-hA-H0-9]{32}-X|FLWSECK_TEST[a-hA-H0-9]{12}")
|
||||
$regexSearch.add("Frame.io API Key", "fio-u-[a-zA-Z0-9_=\-]{64}")
|
||||
$regexSearch.add("Freshbooks Access Token", "([a-z0-9]{64})")
|
||||
$regexSearch.add("Github", "github(.{0,20})?['""][0-9a-zA-Z]{35,40}")
|
||||
$regexSearch.add("Github App Token", "(ghu|ghs)_[0-9a-zA-Z]{36}")
|
||||
$regexSearch.add("Github OAuth Access Token", "gho_[0-9a-zA-Z]{36}")
|
||||
$regexSearch.add("Github Personal Access Token", "ghp_[0-9a-zA-Z]{36}")
|
||||
$regexSearch.add("Github Refresh Token", "ghr_[0-9a-zA-Z]{76}")
|
||||
$regexSearch.add("GitHub Fine-Grained Personal Access Token", "github_pat_[0-9a-zA-Z_]{82}")
|
||||
$regexSearch.add("Gitlab Personal Access Token", "glpat-[0-9a-zA-Z\-]{20}")
|
||||
$regexSearch.add("GitLab Pipeline Trigger Token", "glptt-[0-9a-f]{40}")
|
||||
$regexSearch.add("GitLab Runner Registration Token", "GR1348941[0-9a-zA-Z_\-]{20}")
|
||||
$regexSearch.add("Gitter Access Token", "([a-z0-9_-]{40})")
|
||||
$regexSearch.add("GoCardless API Key", "live_[a-zA-Z0-9_=\-]{40}")
|
||||
$regexSearch.add("GoFile API Key", "(gofile[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{32})['""]")
|
||||
$regexSearch.add("Google API Key", "AIza[0-9A-Za-z_\-]{35}")
|
||||
$regexSearch.add("Google Cloud Platform API Key", "(google|gcp|youtube|drive|yt)(.{0,20})?['""][AIza[0-9a-z_\-]{35}]['""]")
|
||||
$regexSearch.add("Google Drive Oauth", "[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com")
|
||||
$regexSearch.add("Google Oauth Access Token", "ya29\.[0-9A-Za-z_\-]+")
|
||||
$regexSearch.add("Google (GCP) Service-account", """type.+:.+""service_account")
|
||||
$regexSearch.add("Grafana API Key", "eyJrIjoi[a-z0-9_=\-]{72,92}")
|
||||
$regexSearch.add("Grafana cloud api token", "glc_[A-Za-z0-9\+/]{32,}={0,2}")
|
||||
$regexSearch.add("Grafana service account token", "(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})")
|
||||
$regexSearch.add("Hashicorp Terraform user/org API Key", "[a-z0-9]{14}\.atlasv1\.[a-z0-9_=\-]{60,70}")
|
||||
$regexSearch.add("Heroku API Key", "[hH][eE][rR][oO][kK][uU].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")
|
||||
$regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12}['""]")
|
||||
$regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
|
||||
$regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
|
||||
$regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
|
||||
$regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
|
||||
$regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
|
||||
$regexSearch.add("Kucoin Secret Key", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
|
||||
$regexSearch.add("Launchdarkly Access Token", "([a-z0-9=_\-]{40})")
|
||||
$regexSearch.add("Linear API Key", "(lin_api_[a-zA-Z0-9]{40})")
|
||||
$regexSearch.add("Linear Client Secret/ID", "((linear[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""])")
|
||||
$regexSearch.add("LinkedIn Client ID", "linkedin(.{0,20})?['""][0-9a-z]{12}['""]")
|
||||
$regexSearch.add("LinkedIn Secret Key", "linkedin(.{0,20})?['""][0-9a-z]{16}['""]")
|
||||
$regexSearch.add("Lob API Key", "((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((live|test)_[a-f0-9]{35})['""])|((lob[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]((test|live)_pub_[a-f0-9]{31})['""])")
|
||||
$regexSearch.add("Lob Publishable API Key", "((test|live)_pub_[a-f0-9]{31})")
|
||||
$regexSearch.add("MailboxValidator", "(mailbox.?validator[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{20})['""]")
|
||||
$regexSearch.add("Mailchimp API Key", "[0-9a-f]{32}-us[0-9]{1,2}")
|
||||
$regexSearch.add("Mailgun API Key", "key-[0-9a-zA-Z]{32}'")
|
||||
$regexSearch.add("Mailgun Public Validation Key", "pubkey-[a-f0-9]{32}")
|
||||
$regexSearch.add("Mailgun Webhook signing key", "[a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8}")
|
||||
$regexSearch.add("Mapbox API Key", "(pk\.[a-z0-9]{60}\.[a-z0-9]{22})")
|
||||
$regexSearch.add("Mattermost Access Token", "([a-z0-9]{26})")
|
||||
$regexSearch.add("MessageBird API Key & API client ID", "(messagebird[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{25}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
|
||||
$regexSearch.add("Microsoft Teams Webhook", "https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}")
|
||||
$regexSearch.add("MojoAuth API Key", "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}")
|
||||
$regexSearch.add("Netlify Access Token", "([a-z0-9=_\-]{40,46})")
|
||||
$regexSearch.add("New Relic User API Key, User API ID & Ingest Browser API Key", "(NRAK-[A-Z0-9]{27})|((newrelic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{64})['""])|(NRJS-[a-f0-9]{19})")
|
||||
$regexSearch.add("Nownodes", "(nownodes[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9]{32})['""]")
|
||||
$regexSearch.add("Npm Access Token", "(npm_[a-zA-Z0-9]{36})")
|
||||
$regexSearch.add("Nytimes Access Token", "([a-z0-9=_\-]{32})")
|
||||
$regexSearch.add("Okta Access Token", "([a-z0-9=_\-]{42})")
|
||||
$regexSearch.add("OpenAI API Token", "sk-[A-Za-z0-9]{48}")
|
||||
$regexSearch.add("ORB Intelligence Access Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
|
||||
$regexSearch.add("Pastebin API Key", "(pastebin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
|
||||
$regexSearch.add("PayPal Braintree Access Token", 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}')
|
||||
$regexSearch.add("Picatic API Key", "sk_live_[0-9a-z]{32}")
|
||||
$regexSearch.add("Pinata API Key", "(pinata[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{64})['""]")
|
||||
$regexSearch.add("Planetscale API Key", "pscale_tkn_[a-zA-Z0-9_\.\-]{43}")
|
||||
$regexSearch.add("PlanetScale OAuth token", "(pscale_oauth_[a-zA-Z0-9_\.\-]{32,64})")
|
||||
$regexSearch.add("Planetscale Password", "pscale_pw_[a-zA-Z0-9_\.\-]{43}")
|
||||
$regexSearch.add("Plaid API Token", "(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
|
||||
$regexSearch.add("Plaid Client ID", "([a-z0-9]{24})")
|
||||
$regexSearch.add("Plaid Secret key", "([a-z0-9]{30})")
|
||||
$regexSearch.add("Prefect API token", "(pnu_[a-z0-9]{36})")
|
||||
$regexSearch.add("Postman API Key", "PMAK-[a-fA-F0-9]{24}-[a-fA-F0-9]{34}")
|
||||
$regexSearch.add("Private Keys", "\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN OPENSSH PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN PGP PRIVATE KEY BLOCK\-\-\-\-\-|\-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-|\-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-")
|
||||
$regexSearch.add("Pulumi API Key", "pul-[a-f0-9]{40}")
|
||||
$regexSearch.add("PyPI upload token", "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{50,}")
|
||||
$regexSearch.add("Quip API Key", "(quip[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{15}=\|[0-9]{10}\|[a-zA-Z0-9\/+]{43}=)['""]")
|
||||
$regexSearch.add("RapidAPI Access Token", "([a-z0-9_-]{50})")
|
||||
$regexSearch.add("Rubygem API Key", "rubygems_[a-f0-9]{48}")
|
||||
$regexSearch.add("Readme API token", "rdme_[a-z0-9]{70}")
|
||||
$regexSearch.add("Sendbird Access ID", "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
|
||||
$regexSearch.add("Sendbird Access Token", "([a-f0-9]{40})")
|
||||
$regexSearch.add("Sendgrid API Key", "SG\.[a-zA-Z0-9_\.\-]{66}")
|
||||
$regexSearch.add("Sendinblue API Key", "xkeysib-[a-f0-9]{64}-[a-zA-Z0-9]{16}")
|
||||
$regexSearch.add("Sentry Access Token", "([a-f0-9]{64})")
|
||||
$regexSearch.add("Shippo API Key, Access Token, Custom Access Token, Private App Access Token & Shared Secret", "shippo_(live|test)_[a-f0-9]{40}|shpat_[a-fA-F0-9]{32}|shpca_[a-fA-F0-9]{32}|shppa_[a-fA-F0-9]{32}|shpss_[a-fA-F0-9]{32}")
|
||||
$regexSearch.add("Sidekiq Secret", "([a-f0-9]{8}:[a-f0-9]{8})")
|
||||
$regexSearch.add("Sidekiq Sensitive URL", "([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)")
|
||||
$regexSearch.add("Slack Token", "xox[baprs]-([0-9a-zA-Z]{10,48})?")
|
||||
$regexSearch.add("Slack Webhook", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{10}/B[a-zA-Z0-9_]{10}/[a-zA-Z0-9_]{24}")
|
||||
$regexSearch.add("Smarksheel API Key", "(smartsheet[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{26})['""]")
|
||||
$regexSearch.add("Square Access Token", "sqOatp-[0-9A-Za-z_\-]{22}")
|
||||
$regexSearch.add("Square API Key", "EAAAE[a-zA-Z0-9_-]{59}")
|
||||
$regexSearch.add("Square Oauth Secret", "sq0csp-[ 0-9A-Za-z_\-]{43}")
|
||||
$regexSearch.add("Stytch API Key", "secret-.*-[a-zA-Z0-9_=\-]{36}")
|
||||
$regexSearch.add("Stripe Access Token & API Key", "(sk|pk)_(test|live)_[0-9a-z]{10,32}|k_live_[0-9a-zA-Z]{24}")
|
||||
$regexSearch.add("SumoLogic Access ID", "([a-z0-9]{14})")
|
||||
$regexSearch.add("SumoLogic Access Token", "([a-z0-9]{64})")
|
||||
$regexSearch.add("Telegram Bot API Token", "[0-9]+:AA[0-9A-Za-z\\-_]{33}")
|
||||
$regexSearch.add("Travis CI Access Token", "([a-z0-9]{22})")
|
||||
$regexSearch.add("Trello API Key", "(trello[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-z]{32})['""]")
|
||||
$regexSearch.add("Twilio API Key", "SK[0-9a-fA-F]{32}")
|
||||
$regexSearch.add("Twitch API Key", "(twitch[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
|
||||
$regexSearch.add("Twitter Client ID", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{18,25}")
|
||||
$regexSearch.add("Twitter Bearer Token", "(A{22}[a-zA-Z0-9%]{80,100})")
|
||||
$regexSearch.add("Twitter Oauth", "[tT][wW][iI][tT][tT][eE][rR].{0,30}['""\\s][0-9a-zA-Z]{35,44}['""\\s]")
|
||||
$regexSearch.add("Twitter Secret Key", "[tT][wW][iI][tT][tT][eE][rR](.{0,20})?['""][0-9a-z]{35,44}")
|
||||
$regexSearch.add("Typeform API Key", "tfp_[a-z0-9_\.=\-]{59}")
|
||||
$regexSearch.add("URLScan API Key", "['""][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['""]")
|
||||
$regexSearch.add("Vault Token", "[sb]\.[a-zA-Z0-9]{24}")
|
||||
$regexSearch.add("Yandex Access Token", "(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})")
|
||||
$regexSearch.add("Yandex API Key", "(AQVN[A-Za-z0-9_\-]{35,38})")
|
||||
$regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
|
||||
$regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
|
||||
$regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
|
||||
$regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
|
||||
}
|
||||
|
||||
if ($webAuth) {
|
||||
$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
|
||||
$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
|
||||
$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
|
||||
$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
|
||||
$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
|
||||
$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
|
||||
$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
|
||||
$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
|
||||
$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
|
||||
$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
|
||||
$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
|
||||
$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
|
||||
$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
|
||||
$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
|
||||
$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
|
||||
$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
|
||||
$regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
|
||||
$regexSearch.add("Basic Auth", "//(.+):(.+)@")
|
||||
$regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
|
||||
$regexSearch.add("Config Secrets (Passwd / Credentials)", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
|
||||
$regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
|
||||
}
|
||||
|
||||
$regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
|
||||
$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
|
||||
$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
|
||||
$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
|
||||
|
||||
|
||||
######################## INTRODUCTION ########################
|
||||
$stopwatch = [system.diagnostics.stopwatch]::StartNew()
|
||||
|
||||
if($FullCheck){
|
||||
Write-Host "**Full Check Enabled. This will significantly increase false positives in registry / folder check for Usernames / Passwords.**"
|
||||
}
|
||||
# Introduction
|
||||
Write-Host -ForegroundColor cyan "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
|
||||
Write-Host -ForegroundColor cyan "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
|
||||
Write-Host -ForegroundColor cyan "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
|
||||
Write-Host -ForegroundColor cyan "Use it at your own networks and/or with the network owner's explicit permission"
|
||||
Write-Host -BackgroundColor Red -ForegroundColor White "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
|
||||
Write-Host -BackgroundColor Red -ForegroundColor White "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
|
||||
Write-Host -BackgroundColor Red -ForegroundColor White "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
|
||||
Write-Host -BackgroundColor Red -ForegroundColor White "Use it at your own networks and/or with the network owner's explicit permission"
|
||||
|
||||
|
||||
# Color Scheme Introduction
|
||||
@ -1352,9 +1396,46 @@ if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:"
|
||||
Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow
|
||||
|
||||
Write-Host ""
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check in Files/Folders"
|
||||
|
||||
# Looking through the entire computer for passwords
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea kinda time."
|
||||
Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
|
||||
# Also looks for MCaffee site list while looping through the drives.
|
||||
$Drives.Root | ForEach-Object {
|
||||
$Drive = $_
|
||||
Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {
|
||||
$path = $_
|
||||
if ($Path.FullName -like '*Lang*') {
|
||||
#Write-Host "$($_.FullName) found!" -ForegroundColor red
|
||||
}
|
||||
else {
|
||||
if ($path.Length -gt 0) {
|
||||
# Write-Host -ForegroundColor Blue "Path name matches extension search: $path"
|
||||
}
|
||||
if ($path -like "*SiteList.xml") {
|
||||
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
|
||||
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
|
||||
}
|
||||
$regexSearch.keys | ForEach-Object {
|
||||
$passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1
|
||||
if ($passwordFound) {
|
||||
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
|
||||
Write-Host $Path.FullName
|
||||
Write-Host -ForegroundColor Blue "$_ triggered"
|
||||
Write-Host $passwordFound -ForegroundColor Red
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
|
||||
# Looking through the entire registry for passwords
|
||||
Write-Host "Checking over 200 different password regex types."
|
||||
Write-Host "This will take some time. Won't you have a pepsi?"
|
||||
$regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
|
||||
# Search for the string in registry values and properties
|
||||
@ -1382,33 +1463,3 @@ foreach ($r in $regPath) {
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host "Finished $r"
|
||||
}
|
||||
|
||||
Write-Host ""
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check in Files"
|
||||
# Looking through the entire computer for passwords
|
||||
$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
|
||||
$fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
|
||||
Write-Host ""
|
||||
if ($TimeStamp) { TimeElapsed }
|
||||
Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
|
||||
Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
|
||||
# Also looks for MCaffee site list while looping through the drives.
|
||||
$Drives.Root | ForEach-Object {
|
||||
$Drive = $_
|
||||
Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue | ForEach-Object {
|
||||
$path = $_
|
||||
if ($path -like "*SiteList.xml") {
|
||||
Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
|
||||
Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
|
||||
}
|
||||
$regexSearch.keys | ForEach-Object {
|
||||
$password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
|
||||
if ($password) {
|
||||
Write-Host "Possible Password found: $_" -ForegroundColor Yellow
|
||||
Write-Host $Path.FullName
|
||||
Write-Host $password -ForegroundColor Red
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user