SauronEye – Search Tool To Find Specific Files Containing Specific Words, I.E. Files Containing Passwords
SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
Features:
- Search multiple (network) drives
- Search contents of files
- Search contents of Microsoft Office files (.doc, .docx, .xls, .xlsx)
- Find VBA macros in old 2003 .xls and .doc files
- Search multiple drives multi-threaded for increased performance
- Supports regular expressions in search keywords
- Compatible with Cobalt Strike's execute-assembly
It's also quite fast: it can search 50k files, totaling 1,3 TB, on a network drive in under a minute (with realistic file filters), and it searches a C:\ drive (on a cheap SATA SSD) in about 15 seconds.
Usage
SauronEye.exe --directories C:\ \\SOMENETWORKDRIVE\C$ --filetypes .txt .bat .docx .conf --contents --keywords password pass*

=== SauronEye ===
Directories to search: C:\Users\vincent\Desktop\
For file types: .txt, .doc, .docx, .xls
Containing: wacht, pass
Search contents: True
Search Office 2003 files for VBA: True
Max file size: 1000 KB
Search Program Files directories: False
Searching in parallel: C:\Users\vincent\Desktop\
[+] C:\Users\vincent\Desktop\test\wachtwoord - Copy (2).txt
[+] C:\Users\vincent\Desktop\test\wachtwoord - Copy (3).txt
[+] C:\Users\vincent\Desktop\test\wachtwoord - Copy.txt
[+] C:\Users\vincent\Desktop\test\wachtwoord.txt
[+] C:\Users\vincent\Desktop\pass.txt
[*] Done searching file system, now searching contents
[+] C:\Users\vincent\Desktop\pass.txt
    ...the admin password=admin123...
[+] C:\Users\vincent\Desktop\test.docx:
    ...this is a testPassword = "welkom12...
Done. Time elapsed = 00:00:01.6656911

C:\>SauronEye.exe --help
=== SauronEye ===
Usage: SauronEye.exe [OPTIONS]+ argument
Search directories for files containing specific keywords.
Options:
  -d, --directories=VALUE    Directories to search
  -f, --filetypes=VALUE      Filetypes to search for/in
  -k, --keywords=VALUE       Keywords to search for
  -c, --contents             Search file contents
  -m, --maxfilesize=VALUE    Max file size to search contents in, in kilobytes
  -b, --beforedate=VALUE     Filter files last modified before this date,
                               format: yyyy-MM-dd
  -a, --afterdate=VALUE      Filter files last modified after this date,
                               format: yyyy-MM-dd
  -s, --systemdirs           Search in filesystem directories %APPDATA% and
                               %WINDOWS%
  -v, --vbamacrocheck        Check if 2003 Office files (*.doc and *.xls)
                               contain a VBA macro
  -h, --help                 Show help
Notes
SauronEye does not search %WINDIR% and %APPDATA%. Use the --systemdirs flag to search the contents of Program Files*. SauronEye relies on functionality only available from .NET 4.7.2, and so requires >= .NET 4.7.2 to run.
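
For defenders, the option set in the help output above is a more durable detection signal than the binary name. The following is an added example, not part of SauronEye or the original page: a Python check that scores process-creation command lines. The function names, the keyword watch-list and the sample command lines are assumptions constructed for illustration.

```python
import re

# Option names copied from the --help output on this page (short form = first letter).
LONG = ["directories", "filetypes", "keywords", "contents", "systemdirs", "vbamacrocheck"]
OPTIONS = {"--" + n: n for n in LONG}
OPTIONS.update({"-" + n[0]: n for n in LONG})
CRED_WORDS = re.compile(r"pass|pwd|secret|cred|wacht", re.I)  # assumed watch-list
UNC_ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[A-Za-z]\$")       # e.g. \\host\C$


def parse_options(cmdline):
    """Map each recognised option to the space-separated values that follow it."""
    found, current = {}, None
    for token in cmdline.split()[1:]:          # naive split: no quoted paths
        flag, _, value = token.partition("=")
        name = OPTIONS.get(flag)
        if name:
            current = name
            found.setdefault(name, [])
            if value:
                found[name].append(value)
        elif current:
            found[current].append(token)
    return found


def assess(cmdline):
    """Return the reasons a process command line looks like a keyword sweep."""
    reasons, opts = [], parse_options(cmdline)
    if re.search(r"sauroneye", cmdline, re.I):
        reasons.append("binary name")          # weak signal: trivially renamed
    if "keywords" in opts and ("directories" in opts or "filetypes" in opts):
        reasons.append("option combination")   # survives a rename
    if any(CRED_WORDS.search(k) for k in opts.get("keywords", [])):
        reasons.append("credential keywords")
    if any(UNC_ADMIN_SHARE.match(d) for d in opts.get("directories", [])):
        reasons.append("admin share target")
    return reasons


# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r"SauronEye.exe --directories C:\ \\SOMENETWORKDRIVE\C$ --filetypes .txt .bat .docx .conf --contents --keywords password pass*",
    r"updater.exe -d C:\Users\ -f .txt .xls -c -k wacht pass -v",
    r"robocopy.exe C:\src D:\dst /MIR",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), "<-", line)
```

Runs through execute-assembly leave no such command line in process-creation logs, so this check covers on-disk execution only.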