logo color, updated output, added -fullcheck flag

Added colors to the logo, so winPEAS looks like it should. Updated the output to filter out erroneous information. Which leads to the -fullcheck flag. The flag adds all regex searches back into the script to check files/folders for data. However the regexes do return false positives, so use as a last resort.
2025-03-28 18:33:05 +01:00 · 2023-10-11 15:57:35 -04:00 · 2023-10-11 15:57:35 -04:00 · 4ee91b897a
commit 4ee91b897a
parent cab71afe3a
1 changed files with 325 additions and 274 deletions
--- a/winPEAS/winPEASps1/winPEAS.ps1
+++ b/winPEAS/winPEASps1/winPEAS.ps1
@ -4,26 +4,34 @@
 .DESCRIPTION
  For the legal enumeration of windows based computers that you either own or are approved to run this script on
 .EXAMPLE
-  .\WinPeas.ps1
+  # Default - normal operation with username/password audit in drives/registry
+  .\winPeas.ps1
+  
+  # Full audit - normal operation with APIs / Keys / Tokens
+  ## This will produce false positives ## 
+  .\winPeas.ps1 -FullCheck 
+
  # Add Time stamps to each command
-  .\WinPeas.ps1 -TimeStamp
+  .\winPeas.ps1 -TimeStamp
+
 .NOTES
-  Version:                    1.0
+  Version:                    1.3
  PEASS-ng Original Author:   carlospolop
-  WinPEAS.ps1 Author:         @RandolphConley
+  winPEAS.ps1 Author:         @RandolphConley
  Creation Date:              10/4/2022
  Website:                    https://github.com/carlospolop/PEASS-ng

  TESTED: PoSh 5,7
-  UNTESTED: Posh 3,4
-  INCOMPATIBLE: Posh 2 or lower
+  UNTESTED: PoSh 3,4
+  NOT FULLY COMPATIBLE: PoSh 2 or lower
 #>

 ######################## FUNCTIONS ########################

 [CmdletBinding()]
 param(
-  [switch]$TimeStamp
+  [switch]$TimeStamp,
+  [switch]$FullCheck
 )

 # Gather KB from all patches installed
@ -120,40 +128,55 @@ Function Get-ClipBoardText {
    
  }
 }
-function h { Write-Host "##" -ForegroundColor Green }
+function Write-Color([String[]]$Text, [ConsoleColor[]]$Color) {
+  for ($i = 0; $i -lt $Text.Length; $i++) {
+    Write-Host $Text[$i] -Foreground $Color[$i] -NoNewline
+  }
+  Write-Host
+}

-"
-    ((,.,/((((((((((((((((((((/,  */
-,/*,..*(((((((((((((((((((((((((((((((((,
-,*/((((((((((((((((((/,  .*//((//**, .*((((((*
-((((((((((((((((* *****,,,/########## .(* ,((((((
-(((((((((((/* ******************/####### .(. ((((((
-((((((..******************/@@@@@/***/###### /((((((
-,,..**********************@@@@@@@@@@(***,#### ../(((((
-, ,**********************#@@@@@#@@@@*********##((/ /((((
-..(((##########*********/#@@@@@@@@@/*************,,..((((
-.(((################(/******/@@@@@#****************.. /((
-.((########################(/************************..*(
-.((#############################(/********************.,(
-.((##################################(/***************..(
-.((######################################(************..(
-.((######(,.***.,(###################(..***(/*********..(
-.((######*(#####((##################((######/(********..(
-.((##################(/**********(################(**...(
-.(((####################/*******(###################.((((
-.(((((############################################/  /((
-..(((((#########################################(..(((((.
-....(((((#####################################( .((((((.
-......(((((#################################( .(((((((.
-(((((((((. ,(############################(../(((((((((.
-  (((((((((/,  ,####################(/..((((((((((.
-        (((((((((/,.  ,*//////*,. ./(((((((((((.
-           (((((((((((((((((((((((((((/
-          by CarlosPolop & RandolphConley
-"                  
+#Write-Color "    ((,.,/((((((((((((((((((((/,  */" -Color Green
+Write-Color ",/*,..*(((((((((((((((((((((((((((((((((," -Color Green
+Write-Color ",*/((((((((((((((((((/,  .*//((//**, .*((((((*" -Color Green
+Write-Color "((((((((((((((((", "* *****,,,", "\########## .(* ,((((((" -Color Green, Blue, Green
+Write-Color "(((((((((((", "/*******************", "####### .(. ((((((" -Color Green, Blue, Green
+Write-Color "(((((((", "/******************", "/@@@@@/", "***", "\#######\((((((" -Color Green, Blue, White, Blue, Green
+Write-Color ",,..", "**********************", "/@@@@@@@@@/", "***", ",#####.\/(((((" -Color Green, Blue, White, Blue, Green
+Write-Color ", ,", "**********************", "/@@@@@+@@@/", "*********", "##((/ /((((" -Color Green, Blue, White, Blue, Green
+Write-Color "..(((##########", "*********", "/#@@@@@@@@@/", "*************", ",,..((((" -Color Green, Blue, White, Blue, Green
+Write-Color ".(((################(/", "******", "/@@@@@/", "****************", ".. /((" -Color Green, Blue, White, Blue, Green
+Write-Color ".((########################(/", "************************", "..*(" -Color Green, Blue, Green
+Write-Color ".((#############################(/", "********************", ".,(" -Color Green, Blue, Green
+Write-Color ".((##################################(/", "***************", "..(" -Color Green, Blue, Green
+Write-Color ".((######################################(/", "***********", "..(" -Color Green, Blue, Green
+Write-Color ".((######", "(,.***.,(", "###################", "(..***", "(/*********", "..(" -Color Green, Green, Green, Green, Blue, Green
+Write-Color ".((######*", "(####((", "###################", "((######", "/(********", "..(" -Color Green, Green, Green, Green, Blue, Green
+Write-Color ".((##################", "(/**********(", "################(**...(" -Color Green, Green, Green
+Write-Color ".(((####################", "/*******(", "###################.((((" -Color Green, Green, Green
+Write-Color ".(((((############################################/  /((" -Color Green
+Write-Color "..(((((#########################################(..(((((." -Color Green
+Write-Color "....(((((#####################################( .((((((." -Color Green
+Write-Color "......(((((#################################( .(((((((." -Color Green
+Write-Color "(((((((((. ,(############################(../(((((((((." -Color Green
+Write-Color "  (((((((((/,  ,####################(/..((((((((((." -Color Green
+Write-Color "        (((((((((/,.  ,*//////*,. ./(((((((((((." -Color Green
+Write-Color "           (((((((((((((((((((((((((((/" -Color Green
+Write-Color "          by CarlosPolop & RandolphConley" -Color Green
+
+######################## VARIABLES ########################

 # Manually added Regex search strings from https://github.com/carlospolop/PEASS-ng/blob/master/build_lists/sensitive_files.yaml
+
+# Set these values to true to add them to the regex search by default
+$password = $true
+$username = $true
+$webAuth = $true
+
 $regexSearch = @{}
+
+if ($password) {
+  $regexSearch.add("Simple Passwords1", "pass.*[=:].+")
+  $regexSearch.add("Simple Passwords2", "pwd.*[=:].+")
  $regexSearch.add("Apr1 MD5", '\$apr1\$[a-zA-Z0-9_/\.]{8}\$[a-zA-Z0-9_/\.]{22}')
  $regexSearch.add("Apache SHA", "\{SHA\}[0-9a-zA-Z/_=]{10,}")
  $regexSearch.add("Blowfish", '\$2[abxyz]?\$[0-9]{2}\$[a-zA-Z0-9_/\.]*')
@ -167,29 +190,31 @@ $regexSearch.add("md5", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{32}([^a-zA-Z0-9]|$)")
  $regexSearch.add("sha1", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{40}([^a-zA-Z0-9]|$)")
  $regexSearch.add("sha256", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{64}([^a-zA-Z0-9]|$)")
  $regexSearch.add("sha512", "(^|[^a-zA-Z0-9])[a-fA-F0-9]{128}([^a-zA-Z0-9]|$)")  
+  # This does not work correctly
+  #$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
+  $regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+\/]+={0,2}")
+
+}
+if ($username) {
+  $regexSearch.add("Usernames1", "username[=:].+")
+  $regexSearch.add("Usernames2", "user[=:].+")
+  $regexSearch.add("Usernames3", "login[=:].+")
+  $regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
+  $regexSearch.add("Net user add", "net user .+ /add")
+}
+
+if ($apiANDToken) {
  $regexSearch.add("Artifactory API Token", "AKC[a-zA-Z0-9]{10,}")
  $regexSearch.add("Artifactory Password", "AP[0-9ABCDEF][a-zA-Z0-9]{8,}")
-$regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
-$regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
+  $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
  $regexSearch.add("Adafruit API Key", "([a-z0-9_-]{32})")
  $regexSearch.add("Adobe Client Id (Oauth Web)", "(adobe[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32})['""]")
  $regexSearch.add("Abode Client Secret", "(p8e-)[a-z0-9]{32}")
  $regexSearch.add("Age Secret Key", "AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}")
  $regexSearch.add("Airtable API Key", "([a-z0-9]{17})")
  $regexSearch.add("Alchemi API Key", "(alchemi[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9-]{32})['""]")
-$regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
-$regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
  $regexSearch.add("Artifactory API Key & Password", "[""']AKC[a-zA-Z0-9]{10,}[""']|[""']AP[0-9ABCDEF][a-zA-Z0-9]{8,}[""']")
-$regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
  $regexSearch.add("Atlassian API Key", "(atlassian[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{24})['""]")
-$regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
-$regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
-$regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
-$regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
-$regexSearch.add("Base32", "(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?")
-$regexSearch.add("Base64", "(eyJ|YTo|Tzo|PD[89]|aHR0cHM6L|aHR0cDo|rO0)[a-zA-Z0-9+/]+={0,2}")
-$regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
-$regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
  $regexSearch.add("Binance API Key", "(binance[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-zA-Z0-9]{64})['""]")
  $regexSearch.add("Bitbucket Client Id", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
  $regexSearch.add("Bitbucket Client Secret", "((bitbucket[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9_\-]{64})['""])")
@ -204,7 +229,6 @@ $regexSearch.add("Box API Key", "(box[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:
  $regexSearch.add("Bravenewcoin API Key", "(bravenewcoin[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{50})['""]")
  $regexSearch.add("Clearbit API Key", "sk_[a-z0-9]{32}")
  $regexSearch.add("Clojars API Key", "(CLOJARS_)[a-zA-Z0-9]{60}")
-$regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
  $regexSearch.add("Coinbase Access Token", "([a-z0-9_-]{64})")
  $regexSearch.add("Coinlayer API Key", "(coinlayer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
  $regexSearch.add("Coinlib API Key", "(coinlib[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{16})['""]")
@ -227,9 +251,6 @@ $regexSearch.add("EasyPost test API Key", "EZTK[a-zA-Z0-9]{54}")
  $regexSearch.add("Etherscan API Key", "(etherscan[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Z0-9]{34})['""]")
  $regexSearch.add("Etsy Access Token", "([a-z0-9]{24})")
  $regexSearch.add("Facebook Access Token", "EAACEdEose0cBA[0-9A-Za-z]+")
-$regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
-$regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
-$regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
  $regexSearch.add("Fastly API Key", "(fastly[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_\-]{32})['""]")
  $regexSearch.add("Finicity API Key & Client Secret", "(finicity[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-f0-9]{32}|[a-z0-9]{20})['""]")
  $regexSearch.add("Flickr Access Token", "([a-z0-9]{32})")
@ -262,7 +283,6 @@ $regexSearch.add("Hubspot API Key", "['""][a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a
  $regexSearch.add("Instatus API Key", "(instatus[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""]")
  $regexSearch.add("Intercom API Key & Client Secret/ID", "(intercom[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9=_]{60}|[a-h0-9]{8}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{4}-[a-h0-9]{12})['""]")
  $regexSearch.add("Ionic API Key", "(ionic[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](ion_[a-z0-9]{42})['""]")
-$regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
  $regexSearch.add("JSON Web Token", "(ey[0-9a-z]{30,34}\.ey[0-9a-z\/_\-]{30,}\.[0-9a-zA-Z\/_\-]{10,}={0,2})")
  $regexSearch.add("Kraken Access Token", "([a-z0-9\/=_\+\-]{80,90})")
  $regexSearch.add("Kucoin Access Token", "([a-f0-9]{24})")
@ -347,24 +367,48 @@ $regexSearch.add("Yandex AWS Access Token", "(YC[a-zA-Z0-9_\-]{38})")
  $regexSearch.add("Web3 API Key", "(web3[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([A-Za-z0-9_=\-]+\.[A-Za-z0-9_=\-]+\.?[A-Za-z0-9_.+/=\-]*)['""]")
  $regexSearch.add("Zendesk Secret Key", "([a-z0-9]{40})")
  $regexSearch.add("Generic API Key", "((key|api|token|secret|password)[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
+}
+
+if ($webAuth) {
+  $regexSearch.add("Authorization Basic", "basic [a-zA-Z0-9_:\.=\-]+")
+  $regexSearch.add("Authorization Bearer", "bearer [a-zA-Z0-9_\.=\-]+")
+  $regexSearch.add("Alibaba Access Key ID", "(LTAI)[a-z0-9]{20}")
+  $regexSearch.add("Alibaba Secret Key", "(alibaba[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{30})['""]")
+  $regexSearch.add("Asana Client ID", "((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9]{16})['""])|((asana[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([a-z0-9]{32})['""])")
+  $regexSearch.add("AWS Client ID", "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}")
+  $regexSearch.add("AWS MWS Key", "amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
+  $regexSearch.add("AWS Secret Key", "aws(.{0,20})?['""][0-9a-zA-Z\/+]{40}['""]")
+  $regexSearch.add("AWS AppSync GraphQL Key", "da2-[a-z0-9]{26}")
+  $regexSearch.add("Basic Auth Credentials", "://[a-zA-Z0-9]+:[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]+")
+  $regexSearch.add("Beamer Client Secret", "(beamer[a-z0-9_ \.,\-]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['""](b_[a-z0-9=_\-]{44})['""]")
+  $regexSearch.add("Cloudinary Basic Auth", "cloudinary://[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
+  $regexSearch.add("Facebook Client ID", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9]{13,17}")
+  $regexSearch.add("Facebook Oauth", "[fF][aA][cC][eE][bB][oO][oO][kK].*['|""][0-9a-f]{32}['|""]")
+  $regexSearch.add("Facebook Secret Key", "([fF][aA][cC][eE][bB][oO][oO][kK]|[fF][bB])(.{0,20})?['""][0-9a-f]{32}")
+  $regexSearch.add("Jenkins Creds", "<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<")
  $regexSearch.add("Generic Secret", "[sS][eE][cC][rR][eE][tT].*['""][0-9a-zA-Z]{32,45}['""]")
  $regexSearch.add("Basic Auth", "//(.+):(.+)@")
  $regexSearch.add("PHP Passwords", "(pwd|passwd|password|PASSWD|PASSWORD|dbuser|dbpass|pass').*[=:].+|define ?\('(\w*pass|\w*pwd|\w*user|\w*datab)")
-$regexSearch.add("Config Secrets", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
-$regexSearch.add("Simple Passwords", "passw.*[=:].+")
+  $regexSearch.add("Config Secrets (Passwd / Credentials)", "passwd.*|creden.*|^kind:[^a-zA-Z0-9_]?Secret|[^a-zA-Z0-9_]env:|secret:|secretName:|^kind:[^a-zA-Z0-9_]?EncryptionConfiguration|\-\-encryption\-provider\-config")
  $regexSearch.add("Generiac API tokens search", "(access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key| amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret| api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret| application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket| aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password| bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key| bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver| cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret| client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password| cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|conn.login| connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test| datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password| digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd| docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid| dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password| env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .,<\-]{0,25}(=|>|:=|\|\|:|<=|=>|:).{0,5}['""]([0-9a-zA-Z_=\-]{8,64})['""]")
-$regexSearch.add("Usernames", "username.*[=:].+")
-$regexSearch.add("Net user add", "net user .+ /add")
+}
+
 $regexSearch.add("IPs", "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
-$regexSearch.add("Emails", "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}")
+$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
+$fileExtensions = @("*.xml", "*.txt", "*.conf", "*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
+

 ######################## INTRODUCTION ########################
 $stopwatch = [system.diagnostics.stopwatch]::StartNew()
+
+if($FullCheck){
+  Write-Host "**Full Check Enabled. This will significantly increase false positives in registry / folder check for Usernames / Passwords.**"
+}
 # Introduction    
-Write-Host -ForegroundColor cyan  "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
-Write-Host -ForegroundColor cyan  "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
-Write-Host -ForegroundColor cyan  "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
-Write-Host -ForegroundColor cyan  "Use it at your own networks and/or with the network owner's explicit permission"
+Write-Host -BackgroundColor Red -ForegroundColor White  "ADVISORY: WinPEAS - Windows local Privilege Escalation Awesome Script"
+Write-Host -BackgroundColor Red -ForegroundColor White "WinPEAS should be used for authorized penetration testing and/or educational purposes only"
+Write-Host -BackgroundColor Red -ForegroundColor White "Any misuse of this software will not be the responsibility of the author or of any other collaborator"
+Write-Host -BackgroundColor Red -ForegroundColor White "Use it at your own networks and/or with the network owner's explicit permission"


 # Color Scheme Introduction
@ -1352,9 +1396,46 @@ if ($TimeStamp) { TimeElapsed }
 Write-Host -ForegroundColor Blue "=========|| Recycle Bin TIP:"
 Write-Host "if credentials are found in the recycle bin, tool from nirsoft may assist: http://www.nirsoft.net/password_recovery_tools.html" -ForegroundColor Yellow

+Write-Host ""
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========||  Password Check in Files/Folders"
+
+# Looking through the entire computer for passwords
+if ($TimeStamp) { TimeElapsed }
+Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea kinda time."
+Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
+# Also looks for MCaffee site list while looping through the drives.
+$Drives.Root | ForEach-Object {
+  $Drive = $_
+  Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {
+    $path = $_
+    if ($Path.FullName -like '*Lang*') {
+      #Write-Host "$($_.FullName) found!" -ForegroundColor red
+    }
+    else {
+      if ($path.Length -gt 0) {
+        # Write-Host -ForegroundColor Blue "Path name matches extension search: $path"
+      }
+      if ($path -like "*SiteList.xml") {
+        Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
+        Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
+      }
+      $regexSearch.keys | ForEach-Object {
+        $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1
+        if ($passwordFound) {
+          Write-Host "Possible Password found: $_" -ForegroundColor Yellow
+          Write-Host $Path.FullName
+          Write-Host -ForegroundColor Blue "$_ triggered"
+          Write-Host $passwordFound -ForegroundColor Red
+        }
+      }
+    }  
+  }
+}
+
+
 Write-Host -ForegroundColor Blue "=========|| Registry Password Check"
 # Looking through the entire registry for passwords
-Write-Host "Checking over 200 different password regex types."
 Write-Host "This will take some time. Won't you have a pepsi?"
 $regPath = @("registry::\HKEY_CURRENT_USER\", "registry::\HKEY_LOCAL_MACHINE\")
 # Search for the string in registry values and properties
@ -1382,33 +1463,3 @@ foreach ($r in $regPath) {
  if ($TimeStamp) { TimeElapsed }
  Write-Host "Finished $r"
 }
-
-Write-Host ""
-if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========||  Password Check in Files"
-# Looking through the entire computer for passwords
-$Drives = Get-PSDrive | Where-Object { $_.Root -like "*:\" }
-$fileExtensions = @("*.xml", "*.txt", "*.conf","*.config", "*.cfg", "*.ini", ".y*ml", "*.log", "*.bak")
-Write-Host ""
-if ($TimeStamp) { TimeElapsed }
-Write-Host -ForegroundColor Blue "=========|| Password Check. Starting at root of each drive. This will take some time. Like, grab a coffee or tea."
-Write-Host -ForegroundColor Blue "=========|| Looking through each drive, searching for $fileExtensions"
-# Also looks for MCaffee site list while looping through the drives.
-$Drives.Root | ForEach-Object {
-  $Drive = $_
-  Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue | ForEach-Object {
-    $path = $_
-    if ($path -like "*SiteList.xml") {
-      Write-Host "Possible MCaffee Site List Found: $($_.FullName)"
-      Write-Host "Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption" -ForegroundColor Yellow
-    }
-    $regexSearch.keys | ForEach-Object {
-      $password = Get-Content $path.FullName -ErrorAction SilentlyContinue | Select-String $regexSearch[$_]
-      if ($password) {
-        Write-Host "Possible Password found: $_" -ForegroundColor Yellow
-        Write-Host $Path.FullName
-        Write-Host $password -ForegroundColor Red
-      }
-    }
-  }
-}