SauronEye: File Keyword Search Tool

Last Release: 07/19/2020     Last Commit: 11/18/2020

SauronEye is a search tool that finds files containing specific keywords, such as passwords, usernames or other common terms used where information is stored. It is particularly useful to red team members and penetration testers looking for hidden information.

SauronEye: Find Specific Files Containing Specific Keywords

With SauronEye, the user can set several properties that narrow the search considerably: which directories to search, which keywords to look for, a time range for the last-modified date, and whether to search file contents for the keywords. The major advantage of SauronEye is speed, with the developers claiming that it can search through 1.3 TB of data in under a minute with realistic filters.

Interesting: According to the tool author(s), SauronEye will search C:\ within ~15 seconds, even on a cheap SATA SSD.

Features:

  • Search multiple (network) drives, contents of files
  • Search contents of Microsoft Office files (.doc, .docx, .xls, .xlsx)
  • Find VBA macros in old 2003 .xls and .doc files
  • Search multiple drives multi-threaded for increased performance
  • Supports regular expressions in search keywords
  • Compatible with Cobalt Strike’s execute-assembly

Supported Platforms:

  • Windows

Requirements:

  • .NET 4.7.2 +

Install

Download the executable file from here.

SauronEye Usage

Run the executable file.

Use --help to list available options:

C:\>SauronEye.exe --help
 
         === SauronEye ===
 
Usage: SauronEye.exe [OPTIONS]+ argument
Search directories for files containing specific keywords.
 
Options:
  -d, --directories=VALUE    Directories to search
  -f, --filetypes=VALUE      Filetypes to search for/in
  -k, --keywords=VALUE       Keywords to search for
  -c, --contents             Search file contents
  -m, --maxfilesize=VALUE    Max file size to search contents in, in kilobytes
  -b, --beforedate=VALUE     Filter files last modified before this date,
                                format: yyyy-MM-dd
  -a, --afterdate=VALUE      Filter files last modified after this date,
                                format: yyyy-MM-dd
  -s, --systemdirs           Search in filesystem directories %APPDATA% and %
                               WINDOWS%
  -v, --vbamacrocheck        Check if 2003 Office files (*.doc and *.xls)
                               contain a VBA macro
  -h, --help                 Show help

Note: SauronEye doesn’t search %WINDIR% and %APPDATA%. To search the contents of Program Files*, use the --systemdirs flag.

Usage Examples

Search multiple directories, including network drives:

SauronEye.exe --directories C:\ \\SOMENETWORKDRIVE\C$ --filetypes .txt .bat .docx .conf --contents --keywords password pass* 

Search paths and shares containing spaces:

SauronEye.exe -d "C:\Users\user\Path with a space" -d "\\SOME NETWORK DRIVE\C$" --filetypes .txt --keywords password pass* 
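
For defenders, the option combinations in the usage examples above are themselves a signal in process-creation logs. The following Python example is added here and is not part of SauronEye or the original page; the sample command lines, the credential-word watchlist and the three-hit threshold are assumptions.

```python
import re

# Short -> long option names, as listed in the --help output on this page.
LONG = {"d": "directories", "f": "filetypes", "k": "keywords", "c": "contents",
        "m": "maxfilesize", "b": "beforedate", "a": "afterdate",
        "s": "systemdirs", "v": "vbamacrocheck"}
OPTIONS = {flag: n for s, n in LONG.items() for flag in ("-" + s, "--" + n)}
TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths with spaces in one piece
SECRET_WORD = re.compile(r"pass|pwd|secret|cred|token", re.I)  # assumed watchlist

SAMPLES = [  # constructed command lines; the first is the page's own example
    r"SauronEye.exe --directories C:\ \\SOMENETWORKDRIVE\C$ --filetypes .txt .bat "
    r".docx .conf --contents --keywords password pass*",
    r'C:\Temp\svc.exe -d "\\FS01\Share Docs" -f .txt -k pass* -c',  # renamed binary
    r'python -c "print(1)"',                                        # benign overlap
]


def parse_options(cmdline):
    """Group each argument under the option that precedes it."""
    opts, current = {}, None
    for tok in TOKEN.findall(cmdline)[1:]:  # first token is the image path
        name, _, inline = tok.partition("=")  # also accepts --option=VALUE
        if name.lower() in OPTIONS:
            current = OPTIONS[name.lower()]
            opts.setdefault(current, [])
            if inline:
                opts[current].append(inline.strip('"'))
        elif current:
            opts[current].append(tok.strip('"'))
    return opts


def score(cmdline):
    """Return (hit count, reasons); three or more hits merits analyst review."""
    opts, reasons = parse_options(cmdline), []
    if "keywords" in opts and ("directories" in opts or "filetypes" in opts):
        reasons.append("keyword search scoped by directory or file type")
    if any(SECRET_WORD.search(k) for k in opts.get("keywords", [])):
        reasons.append("keywords resemble credential terms")
    if any(d.startswith("\\\\") for d in opts.get("directories", [])):
        reasons.append("UNC path in search scope")
    if "contents" in opts:
        reasons.append("file contents are read")
    return len(reasons), reasons


if __name__ == "__main__":
    print(*(f"{score(s)[0]}  {s}" for s in SAMPLES), sep="\n")
```

Because the rule keys on options rather than the image name, a renamed binary scores the same. Runs through Cobalt Strike's execute-assembly leave no such command line and need other telemetry.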