Bug in Find-SccmCacheFileCredentials?
nurfed1 opened this issue · comments
Hi,
Is the throw at line 725 intended?
PrivescCheck/src/helper/CredentialHelpers.ps1
Lines 638 to 730 in 7d384bf
function Find-SccmCacheFileCredentials { | |
<# | |
.SYNOPSIS | |
Helper - Find potentially hard coded credentials in SCCM cache files. | |
Author: @itm4n | |
License: BSD 3-Clause | |
.DESCRIPTION | |
This function first retrieves a list of potentially interesting files from the SCCM cache folders, and tries to find potentially hard coded credentials or secrets. For binary files, it simply determines whether there is a potential match, without returning anything to avoid messing up with the terminal output. For text files (incl. scripts), it returns all matching results. | |
#> | |
[CmdletBinding()] | |
param () | |
begin { | |
$Keywords = @( "password", "SecureString", "secret", "pwd", "token", "username" ) | |
$CredentialSearchPattern = "($($Keywords -join '|'))" | |
function Get-MatchedKeyword { | |
param ( | |
[string] $InputMatched | |
) | |
$KeywordMatched = $null | |
foreach ($Keyword in $Keywords) { | |
$KeywordMatch = $InputMatched | Select-String -Pattern $Keyword | |
if ($null -ne $KeywordMatch) { | |
$KeywordMatched = $Keyword | |
break | |
} | |
} | |
return $KeywordMatched | |
} | |
} | |
process { | |
$SccmCacheFolders = [object[]] (Get-SccmCacheFoldersFromRegistry) | |
foreach ($SccmCacheFolder in $SccmCacheFolders) { | |
$SccmCacheFiles = [object[]] (Get-SccmCacheFiles -Path $SccmCacheFolder.Path) | |
foreach ($SccmCacheFile in $SccmCacheFiles) { | |
$FileItem = Get-Item -Path $SccmCacheFile.Path -ErrorAction SilentlyContinue | |
if ($null -eq $FileItem) { continue } | |
if ($SccmCacheFile.Type -eq "Binary") { | |
# For binary files, just check whether the target file matches at least | |
# once, without returning anything. | |
# Ignore files that are larger than 100 MB to avoid spending too much | |
# time on the search. | |
if ($FileItem.Length -gt 100000000) { | |
Write-Warning "File '$($SccmCacheFile.Path) is too big, ignoring." | |
continue | |
} | |
$TempMatch = Get-Content -Path $SccmCacheFile.Path | Select-String -Pattern $CredentialSearchPattern | |
if ($null -ne $TempMatch) { | |
$Result = $SccmCacheFile.PSObject.Copy() | |
$Result | Add-Member -MemberType "NoteProperty" -Name "Match" -Value "(binary file matches)" | |
$Result | Add-Member -MemberType "NoteProperty" -Name "Keyword" -Value (Get-MatchedKeyword -InputMatched $TempMatch.Line) | |
$Result | |
} | |
} | |
elseif (($SccmCacheFile.Type -eq "Script") -or ($SccmCacheFile.Type -eq "Text")) { | |
# For script files and misc text files, return all matches of the pattern. | |
$TempMatch = Get-Content -Path $SccmCacheFile.Path | Select-String -Pattern $CredentialSearchPattern -AllMatches | |
if ($null -ne $TempMatch) { | |
Write-Verbose "File '$($SccmCacheFile.Path)' matches pattern." | |
foreach ($Match in $TempMatch) { | |
$Result = $SccmCacheFile.PSObject.Copy() | |
$Result | Add-Member -MemberType "NoteProperty" -Name "Match" -Value "Line $($Match.LineNumber): $($Match.Line.Trim())" | |
$Result | Add-Member -MemberType "NoteProperty" -Name "Keyword" -Value (Get-MatchedKeyword -InputMatched $TempMatch.Line) | |
$Result | |
} | |
} | |
} | |
else { | |
throw "Unhandled file type: $($SccmCacheFile.Type)" | |
} | |
} | |
} | |
} | |
} |
It seems to be crashing the script when Get-SccmCacheFiles return $null.
I pushed a quick fix with commit f4eb074, could you test again?
Yeah, that seems to work :)
Thanks