diff --git a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
index c007727..a2322d7 100755
--- a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
+++ b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
@@ -437,6 +437,23 @@ namespace winPEAS
 return results;
 }
+ public static string GetConsoleHostHistory()
+ {
+ string result = "";
+ try
+ {
+
+ string searchLocation = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
+ if (System.IO.File.Exists(searchLocation))
+ result = searchLocation;
+ }
+ catch (Exception ex)
+ {
+ Beaprint.GrayPrint("Error: " + ex);
+ }
+ return result;
+ }
+
 public static List> GetRecycleBin()
 {
 List> results = new List>();
diff --git a/winPEAS/winPEASexe/winPEAS/Program.cs b/winPEAS/winPEASexe/winPEAS/Program.cs
index 1413eaa..fddad93 100755
--- a/winPEAS/winPEASexe/winPEAS/Program.cs
+++ b/winPEAS/winPEASexe/winPEAS/Program.cs
@@ -1959,6 +1959,31 @@ namespace winPEAS
 }
 }
+ void PrintConsoleHostHistory()
+ {
+ try
+ {
+ Beaprint.MainPrint("Powershell History", "");
+ string console_host_history = InterestingFiles.GetConsoleHostHistory();
+ if (console_host_history != "")
+ {
+
+ string text = File.ReadAllText(console_host_history);
+ List credStringsRegexPowershell = new List(credStringsRegex);
+ credStringsRegexPowershell.Add("CONVERTTO-SECURESTRING");
+
+ if (MyUtils.ContainsAnyRegex(text.ToUpper(), credStringsRegexPowershell))
+ Beaprint.BadPrint(" " + console_host_history + " (Potential credentials found)");
+ else
+ System.Console.WriteLine(" " + console_host_history);
+ }
+ }
+ catch (Exception ex)
+ {
+ Beaprint.GrayPrint(String.Format("{0}", ex));
+ }
+ }
+
 void PrintSAMBackups()
 {
 try
@@ -2182,6 +2207,7 @@ namespace winPEAS
 PrintSSHKeysReg();
 PrintCloudCreds();
 PrintUnattendFiles();
+ PrintConsoleHostHistory();
 PrintSAMBackups();
 PrintMcAffeSitelistFiles();
 PrintCachedGPPPassword();
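Review bot: In `GetConsoleHostHistory` (InterestingFiles.cs hunk), the path is built from `Environment.GetEnvironmentVariable("USERPROFILE")`, which returns null when the variable is unset, so `String.Format` produces the drive-relative path `\AppData\Roaming\...` and the existence check resolves against whatever the current drive is. The hard-coded `AppData\Roaming` segment presumably also misses profiles whose roaming folder has been redirected. Resolving the folder through the framework avoids both: `string searchLocation = System.IO.Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), @"Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt");`. The surrounding try/catch then guards very little, since `File.Exists` returns false rather than throwing, and an XML doc comment stating that the method returns the path (or `""` when the file is absent) and never reads the file would make the contract explicit.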
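Review bot: In `PrintConsoleHostHistory` (first Program.cs hunk), `text.ToUpper()` uses the current culture, so under a Turkish or Azeri culture a lowercase `i` upper-cases to `İ` and a history line containing `convertto-securestring` no longer matches the added `CONVERTTO-SECURESTRING` pattern; the file is then listed without the credentials flag. Use `if (MyUtils.ContainsAnyRegex(text.ToUpperInvariant(), credStringsRegexPowershell))`. `MyUtils.ContainsAnyRegex` and `credStringsRegex` are defined outside the hunk, so whether the matcher could take a case-insensitive option instead cannot be confirmed from here. The unbraced `if`/`else` pair around the two print calls would also read more safely with braces, matching the rest of the method.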