├── Profit.ps1
└── README.md

/Profit.ps1:
--------------------------------------------------------------------------------
#Script to find possibly useful documents. The purpose of this is simple and the implementation is even easier, it's primarily to save time. Results are not written to disk since they are just queried. Should be relatively easy to store the results in variables if needed.
#Written by Z3R0th
#
# Review notes (added):
# - The whole script is a single function, Invoke-Profit, called once at the bottom. Nothing is
#   written to disk; every hit is emitted to the console as ordinary Get-ChildItem (GCI) output.
# - Each GCI call below is an independent recursive walk. Per run that is 15 walks: 9 over every
#   drive root, 4 over the Windows\Repair folder, 1 over the hosts directory and 1 over the user
#   folders. -ErrorAction SilentlyContinue hides access-denied errors, so unreadable locations are
#   skipped without any notice.
# - Search terms and paths are fixed in the code; the function takes no parameters.

Write-Host " __ ____ ____ ____ ______ ____ ______ __"
Write-Host " _/ / / __ \ / __ \ / __ \ / ____/ / _/ /_ __/ _/ /"
Write-Host " / __/ / /_/ / / /_/ / / / / / / /_ / / / / / __/"
Write-Host " (_ ) / ____/ / _, _/ / /_/ / / __/ _/ / / / (_ ) "
Write-Host "/ _/ /_/ /_/ |_| \____/ /_/ /___/ /_/ / _/ "
Write-Host "/_/ /_/ "
Write-Host " "

Write-Host "Checking filesystem for interesting files...this could take a while..."

# Runs the fixed set of searches. Two near-identical branches exist only because the
# first relies on GCI -File and [string]::Replace, which the author states are unavailable
# on PowerShell 2 (see the comment on the Else branch).
function Invoke-Profit {

    # Major version 3, 4 or 5 takes this branch. Anything else -- including 2, but also 6 and
    # later -- falls through to Else, although Else is documented as the "< 3" path.
    # NOTE(review): (Get-Host).Version is the host application's version, which is not
    # guaranteed to match the engine version; $PSVersionTable.PSVersion is the usual check -- confirm.
    if ((Get-Host).Version.Major.Equals(3) -or (Get-Host).Version.Major.Equals(4) -or (Get-Host).Version.Major.Equals(5)) {

        # select-string wraps each DriveInfo in a MatchInfo whose string form is the drive root
        # (presumably "C:\"-style). $Drives itself is what is later passed to -Path, so this
        # depends on PowerShell stringifying the MatchInfo objects.
        $Drives = [System.IO.DriveInfo]::GetDrives() | select-string ":" #Finds all drives on system

        $Mutate = [string]$Drives #Convert $Drives into a string.

        $FinalForm = $Mutate -split " " #Change the $Mutate variable to separate by blank spaces so that there are individual lines for drive letters.

        # Replaces every backslash in each drive root with "\users\", e.g. "C:\" -> "C:\users\".
        $drivelist = $FinalForm.replace("\", "\users\") #Piece everything together and add \users\ to the drive letters so that it will only search user folders on target machine.

        $Repair = $FinalForm.replace("\", "\Windows\Repair\")

        $Hosts = $FinalForm.replace("\", "\Windows\system32\drivers\etc\")

        # The two searches below share the same extension list; -Filter does the name match on the
        # provider side and the where clause then narrows by extension on the client side.
        GCI -Recurse -Path $Drives -Filter "*password*" -File -ErrorAction SilentlyContinue | where {($_.Extension -eq ".txt") -or ($_.Extension -eq ".csv") -or ($_.Extension -eq ".db") -or ($_.Extension -eq ".dbf") -or ($_.Extension -eq ".log") -or ($_.Extension -eq ".mdb") -or ($_.Extension -eq ".sav") -or ($_.Extension -eq ".sql") -or ($_.Extension -eq ".tar") -or ($_.Extension -eq ".xml") -or ($_.Extension -eq ".bak") -or ($_.Extension -eq ".pdf") -or ($_.Extension -eq ".tex") -or ($_.Extension -eq ".docx") -or ($_.Extension -eq ".doc") -or ($_.Extension -eq ".xls") -or ($_.Extension -eq ".xlsx")} #Will look for password files.

        GCI -Recurse -Path $Drives -Filter "*credential*" -File -ErrorAction SilentlyContinue | where {($_.Extension -eq ".txt") -or ($_.Extension -eq ".csv") -or ($_.Extension -eq ".db") -or ($_.Extension -eq ".dbf") -or ($_.Extension -eq ".log") -or ($_.Extension -eq ".mdb") -or ($_.Extension -eq ".sav") -or ($_.Extension -eq ".sql") -or ($_.Extension -eq ".tar") -or ($_.Extension -eq ".xml") -or ($_.Extension -eq ".bak") -or ($_.Extension -eq ".pdf") -or ($_.Extension -eq ".tex") -or ($_.Extension -eq ".docx") -or ($_.Extension -eq ".doc") -or ($_.Extension -eq ".xls") -or ($_.Extension -eq ".xlsx")} #Will look for credential files.

        GCI -Recurse -Path $Drives -Filter "*NTUSER*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".dat"} #Will look for NTUSER.dat files but will only find them if running from admin prompt

        # -Filter "*" matches every file name; the extension test alone does the selection here.
        GCI -Recurse -Path $Drives -Filter "*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".kbdx"} #Will look for Keepass files.

        GCI -Recurse -Path $Drives -Filter "*system*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bak"} #Will look for backup system file.

        GCI -Recurse -Path $Drives -Filter "*security*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bak"} #Will look for backup security file.

        GCI -Recurse -Path $Drives -Filter "*sam*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bak"} #Will look for backup sam file.

        GCI -Recurse -Path $Repair -Filter "*SAM*" -File -ErrorAction SilentlyContinue #Will look for SAM file that exists in Repair.

        GCI -Recurse -Path $Repair -Filter "*system*" -File -ErrorAction SilentlyContinue #Will look for system file that exists in Repair.

        GCI -Recurse -Path $Repair -Filter "*software*" -File -ErrorAction SilentlyContinue #Will look for software file that exists in Repair.

        GCI -Recurse -Path $Repair -Filter "*security*" -File -ErrorAction SilentlyContinue #Will look for security file that exists in Repair.

        GCI -Recurse -Path $Hosts -Filter "hosts*" -File -Erroraction SilentlyContinue #Will look for hosts file.

        GCI -Recurse -Path $Drives -Filter "*unattend*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".xml"} #Will look for answer files. Sometimes plain-text passwords are stored here.

        GCI -Recurse -Path $Drives -Filter "*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".settingcontent-ms"} #Will look for Windows Settings shortcut files. Can be weaponized for code execution.

        # Only walk restricted to $drivelist (the user folders); every other walk starts at the drive roots.
        GCI -Recurse -Path $drivelist -Filter "*" -File -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bat"} #Will look for batch files. Can possibly be edited for code execution. Though this only checks within the user files as there are too many within the filesystem.

        Write-Host " "
        Write-Host "---------------------------------------------------"
        # Legend for the Mode column of the GCI output printed above.
        Write-Host "`nFinished. PowerShell 'Modes' are as follows:

d - Directory

a - Archive

r - Read-Only

h - Hidden

s - System

l - Reparse point, symlink, etc.

Example (d-r---) <-- Directory that is read only
"
        Write-Host "---------------------------------------------------"

    }

    Else {

        #Runs when PowerShell version is less than 3 since version 2 and below does not support searching with -File or .replace.
        # (The condition above actually sends every major version other than 3, 4 and 5 here.)
        # Without -File, GCI also returns directories, so a directory whose name and
        # Extension property match will be listed alongside files.

        $Drives = [System.IO.DriveInfo]::GetDrives() | select-string ":" #Finds all drives on system

        $Mutate = [string]$Drives #Convert $Drives into a string.

        $FinalForm = $Mutate -split " " #Change the $Mutate variable to separate by blank spaces so that there are individual lines for drive letters.

        # -replace is regex based: the pattern "\\" is one literal backslash. NOTE(review): in the
        # replacement string a backslash is not an escape, so "\\users\\" is inserted verbatim and the
        # result is presumably "C:\\users\\" (doubled separators); Windows path resolution generally
        # tolerates this, but confirm. The same applies to $Repair and $Hosts below, where the
        # replacement strings also mix single and doubled backslashes.
        $drivelist = ($FinalForm) -replace("\\", "\\users\\") #Piece everything together and add \users\ to the drive letters so that it will only search user folders on target machine.

        $Repair = ($FinalForm) -replace("\\", "\\Windows\Repair\\")

        $Hosts = ($FinalForm) -replace("\\", "\\Windows\\system32\\drivers\\etc\\")

        # Same searches as the main branch, minus -File.
        GCI -Recurse -Path $Drives -Filter "*password*" -ErrorAction SilentlyContinue | where {($_.Extension -eq ".txt") -or ($_.Extension -eq ".csv") -or ($_.Extension -eq ".db") -or ($_.Extension -eq ".dbf") -or ($_.Extension -eq ".log") -or ($_.Extension -eq ".mdb") -or ($_.Extension -eq ".sav") -or ($_.Extension -eq ".sql") -or ($_.Extension -eq ".tar") -or ($_.Extension -eq ".xml") -or ($_.Extension -eq ".bak") -or ($_.Extension -eq ".pdf") -or ($_.Extension -eq ".tex") -or ($_.Extension -eq ".docx") -or ($_.Extension -eq ".doc") -or ($_.Extension -eq ".xls") -or ($_.Extension -eq ".xlsx")} #Will look for password files.

        GCI -Recurse -Path $Drives -Filter "*credential*" -ErrorAction SilentlyContinue | where {($_.Extension -eq ".txt") -or ($_.Extension -eq ".csv") -or ($_.Extension -eq ".db") -or ($_.Extension -eq ".dbf") -or ($_.Extension -eq ".log") -or ($_.Extension -eq ".mdb") -or ($_.Extension -eq ".sav") -or ($_.Extension -eq ".sql") -or ($_.Extension -eq ".tar") -or ($_.Extension -eq ".xml") -or ($_.Extension -eq ".bak") -or ($_.Extension -eq ".pdf") -or ($_.Extension -eq ".tex") -or ($_.Extension -eq ".docx") -or ($_.Extension -eq ".doc") -or ($_.Extension -eq ".xls") -or ($_.Extension -eq ".xlsx")} #Will look for credential files.

        GCI -Recurse -Path $Drives -Filter "*NTUSER*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".dat"} #Will look for NTUSER.dat files but will only find them if running from admin prompt

        GCI -Recurse -Path $Drives -Filter "*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".kbdx"} #Will look for Keepass files.

        GCI -Recurse -Path $Drives -Filter "*system*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bak"} #Will look for backup system file.

        GCI -Recurse -Path $Drives -Filter "*security*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bak"} #Will look for backup security file.

        GCI -Recurse -Path $Drives -Filter "*sam*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bak"} #Will look for backup sam file.

        GCI -Recurse -Path $Repair -Filter "*SAM*" -ErrorAction SilentlyContinue #Will look for SAM file that exists in Repair.

        GCI -Recurse -Path $Repair -Filter "*system*" -ErrorAction SilentlyContinue #Will look for system file that exists in Repair.

        GCI -Recurse -Path $Repair -Filter "*software*" -ErrorAction SilentlyContinue #Will look for software file that exists in Repair.

        GCI -Recurse -Path $Repair -Filter "*security*" -ErrorAction SilentlyContinue #Will look for security file that exists in Repair.

        GCI -Recurse -Path $Hosts -Filter "hosts*" -Erroraction SilentlyContinue #Will look for hosts file.

        GCI -Recurse -Path $Drives -Filter "*unattend*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".xml"} #Will look for answer files. Sometimes plain-text passwords are stored here.

        GCI -Recurse -Path $Drives -Filter "*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".settingcontent-ms"} #Will look for Windows Settings shortcut files. Can be weaponized for code execution.

        GCI -Recurse -Path $drivelist -Filter "*" -ErrorAction SilentlyContinue | where {$_.Extension -eq ".bat"} #Will look for batch files. Can possibly be edited for code execution. Though this only checks within the user files as there are too many within the filesystem.

        Write-Host " "
        Write-Host "---------------------------------------------------"
        # Same Mode-column legend as the main branch.
        Write-Host "`nFinished. PowerShell 'Modes' are as follows:

d - Directory

a - Archive

r - Read-Only

h - Hidden

s - System

l - Reparse point, symlink, etc.

Example (d-r---) <-- Directory that is read only
"
        Write-Host "---------------------------------------------------"
    }

}

# Top-level entry: the searches start as soon as the script is dot-sourced or executed.
Invoke-Profit

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Profit
Simple PowerShell enumeration script to look for interesting files. If you need to add more parameters to the search it's fairly easy to do.
--------------------------------------------------------------------------------