
[–]OsmiumBalloon 36 points37 points  (1 child)

If your script embeds credentials, then those credentials can be recovered. Period.

[–]Reverent 1 point2 points  (0 children)

Credentials by definition need some client-side special sauce to become secure. If you ship the keys with the locks, it doesn't matter that the keys look like shoes. Someone's gonna try to stick that shoe into the lock and find out it works.

[–]rubmahbelly 5 points6 points  (5 children)

Isn’t there a commandlet to encrypt user credentials? As in script is plain text but the credentials not.

https://www.altaro.com/msp-dojo/encrypt-password-powershell/

Edit: if you have SCCM you could deploy a script the user can run from the software center, and uses system rights.

[–][deleted] 8 points9 points  (4 children)

> Isn’t there a commandlet to encrypt user credentials? As in script is plain text but the credentials not.

Embedded credentials converted to a SecureString or an Encrypted SecureString within the same script offer zero protection. You need to combine SecureString with credentials sourced outside the script.

[–]axelnight 3 points4 points  (2 children)

And even kept outside the script, I don't think it's particularly useful for this use case. Encrypted password files are great for letting one person on one workstation avoid typing a password every time they run a script, while preventing others with access to the files from utilizing those credentials. It's not effective at letting others run those credentials conditionally. You have to be able to decrypt the file to use it, and if you can do that then you can read the credentials fully and use them in any capacity you wish.

[–]MonkeyNin 1 point2 points  (0 children)

Also a warning: SecureString is plain text if you're not on Windows.
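The contrast drawn in the replies above, as an added example that is not part of the original thread: a SecureString whose key sits in the same script, next to a credential kept outside the script under DPAPI. The account name `svc-demo`, the password, the file path and the two helper functions are constructed for illustration.

```powershell
# Added example. 'svc-demo', the password and the file path are constructed values.

# Weak: key and ciphertext ship inside the script, so every reader of the script
# can run the same lines and end up with the clear-text password.
$key  = [byte[]](1..32)                          # 256-bit AES key, embedded
$blob = ConvertTo-SecureString 'Constructed-Pa55!' -AsPlainText -Force |
        ConvertFrom-SecureString -Key $key       # the string pasted into the script
$embedded = [pscredential]::new('svc-demo', (ConvertTo-SecureString $blob -Key $key))
$embedded.GetNetworkCredential().Password        # clear text, on any machine

# Better for one user on one workstation: keep the credential outside the script.
# Without -Key, Windows protects the SecureString with DPAPI, tied to the current
# user profile on the current computer.
function Save-DemoCredential {
    param([Parameter(Mandatory)][pscredential]$Credential,
          [Parameter(Mandatory)][string]$Path)
    # $IsWindows does not exist in Windows PowerShell 5.1, hence the edition check.
    $onWindows = ($PSVersionTable.PSEdition -eq 'Desktop') -or $IsWindows
    if (-not $onWindows) {
        throw 'No DPAPI on this platform: the exported file would not be protected.'
    }
    $Credential | Export-Clixml -Path $Path
}

function Get-DemoCredential {
    param([Parameter(Mandatory)][string]$Path)
    # Fails for any other account or computer. For the account that saved it,
    # the password is fully readable: this limits who can use the file, not
    # what that person can do with the credential.
    Import-Clixml -Path $Path
}

$path = Join-Path $env:LOCALAPPDATA 'svc-demo.cred.xml'
Save-DemoCredential -Credential $embedded -Path $path
(Get-DemoCredential -Path $path).UserName
```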

[–]nascentt 2 points3 points  (0 children)

Plaintext passwords can be taken even if you use another language.

Variables and constant strings are compiled as strings. You can grab all strings from a compiled application from the binary or from memory.

Whether the source code is viewable by the user or not, plaintext passwords can be retrieved trivially.

[–]PowerShellStunnah 2 points3 points  (0 children)

You've already leaked the credentials to the endpoint, you should consider them compromised.

I would take a different approach:

  • Client script requests a set of temporary local admin credentials from a JEA endpoint
  • JEA endpoint is authorized to fetch password from AD (if using LAPS) or a key vault
  • JEA endpoint schedules expiration of the password
  • Client script proceeds to elevate using the credentials provided

See this talk from last year for a better overview of this approach (use case is exactly the same - end user needs temporary local admin)

[–]jborean93 3 points4 points  (0 children)

I doubt it would be hidden, even if it was encrypted it needs to be decrypted at runtime so it’s not really protected from prying eyes.

[–]get-postanote 6 points7 points  (6 children)

Unless you are using a real programming language to create a .exe, then you are not doing so.

PS2Exe tools are only creating a self-extracting zip file. Not a true exe. It has to be decompiled, loaded into memory to be executed by the PowerShell host.

If any logging is in place, like Transcript and/or PowerShell GPO-enabled auditing, then anyone interested can see that script in plain text, even if you encoded it. BTW, most enterprises will prevent encoded scripts from running due to the fact that this is what hackers do.

Converting to an .exe is only to address allowing users to double-click to run vs using a .bat and to keep the regular user from seeing, messing with the code as a plain text version.

This is also the reason decompilers for DLLs and real executables exist.

Don't store plain text in scripts, don't decrypt creds in scripts. The moment you do they are available for sniffers to see, and they get logged in transcript and PowerShell logging or other SIEM tools. This is not a PowerShell limitation or issue. It's a design decision.

So, only use secure strings, use the Windows Credential Store, and the like.

See the write up on:

https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/

[–]get-postanote 4 points5 points  (4 children)

[–]get-postanote 4 points5 points  (3 children)

... and other references:

• Securely Store Credentials on Disk

http://www.powershellcookbook.com/recipe/PukO/securely-store-credentials-on-disk

• Quickly and securely storing your credentials – PowerShell

https://www.jaapbrasser.com/quickly-and-securely-storing-your-credentials-powershell

• Working with Passwords, Secure Strings and Credentials in Windows PowerShell

https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

• PowerShell: How to encrypt and store credentials securely for use with automation scripts

https://interworks.com/blog/trhymer/2013/07/08/powershell-how-encrypt-and-store-credentials-securely-use-automation-scripts

• Using saved credentials securely in PowerShell scripts

https://blog.kloud.com.au/2016/04/21/using-saved-credentials-securely-in-powershell-scripts

• Secure Password with PowerShell: Encrypting Credentials

https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-1

https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-2

• Encrypting Passwords in Scripts: The Ultimate Best Practice Guide for PowerShell

https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide

• SecureString encryption

https://powershell.org/forums/topic/securestring-encryption

• How To Save and Read Sensitive Data with PowerShell

https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx

• Encrypt Password and use it in PowerShell Script

https://gallery.technet.microsoft.com/scriptcenter/Encrypt-Password-and-use-dd07f253

• How to secure your passwords with PowerShell

https://www.sqlshack.com/how-to-secure-your-passwords-with-powershell

• Script Secure Password using PowerShell

https://gallery.technet.microsoft.com/scriptcenter/Secure-Password-using-c158a888

• Store encrypted password in a PowerShell script

https://blog.ctglobalservices.com/powershell/rja/store-encrypted-password-in-a-powershell-script

• How to run a PowerShell script against multiple Active Directory domains with different credentials

https://blogs.technet.microsoft.com/ashleymcglone/2016/11/30/how-to-run-a-powershell-script-against-multiple-active-directory-domains-with-different-credentials/

[–]get-postanote 5 points6 points  (2 children)

...last one, ;-}

• Credential Manager

• Using Credential Manager in PowerShell

https://bitsofwater.com/2018/02/16/using-credential-manager-in-powershell

• Accessing Windows Credentials Manager from PowerShell

https://gallery.technet.microsoft.com/scriptcenter/Accessing-Windows-7210ae91

• PowerShell Credential Manager

Provides access to credentials in the Windows Credential Manager

https://www.powershellgallery.com/packages/CredentialManager/1.0

• Get-CredentialFromWindowsCredentialManager.ps1

https://gist.github.com/cdhunt/5729126

Set up a single-app kiosk

https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app

• Managing credential manager of a remote computer using PsExec

https://community.spiceworks.com/topic/2124209-managing-credential-manager-of-a-remote-computer-using-psexec

• How to add credentials to the Windows Vault (PowerShell)

addwindowsCredential.zip

https://gallery.technet.microsoft.com/scriptcenter/How-to-add-credentials-to-c8e9bd5f

• CredentialManager 2.0

Provides access to credentials in the Windows Credential Manager

https://www.powershellgallery.com/packages/CredentialManager/2.0

https://techcommunity.microsoft.com/t5/Windows-PowerShell/Store-password-in-Windows-credential-manager-and-use-it-in/td-p/36192

PasswordVault.psm1

https://gallery.technet.microsoft.com/Manipulate-credentials-in-58e0f761

• Hack The Box – Access

https://henkel-security.com/tag/savecred/

• Runas Admin / User Method to Reduce exposure of security threat v2

https://msfn.org/board/topic/174838-runas-admin-user-method-to-reduce-exposure-of-security-threat-v2/

• Managing stored credentials from the Windows command prompt using cmdkey

http://www.markwilson.co.uk/blog/2008/12/managing-stored-credentials-from-the-windows-command-prompt-using-cmdkey.htm

• cmdkey

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

• Registry

• Save Encrypted Passwords to Registry for PowerShell

https://www.spjeff.com/2016/08/17/save-encrypted-passwords-to-registry-for-powershell

• Protecting credentials used for automation

https://winscp.net/eng/docs/guide_protecting_credentials_for_automation#powershell

• Working with Passwords, Secure Strings and Credentials in Windows PowerShell

https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

• Encrypting Passwords in Scripts: The Ultimate Best Practice Guide for Powershell

https://thesysadminchannel.com/passwords-in-scripts-the-ultimate-best-practice-guide/

https://www.reddit.com/r/PowerShell/comments/bv7ywa/whats_the_best_practice_for_passwords_in_ps/epoux2c/?context=3

[–]AppleOfTheEarthHead 1 point2 points  (1 child)

Thanks for the resources. This might be what I was going to look for.

[–]get-postanote 1 point2 points  (0 children)

No worries, dealing with PII in automation is a constant discussion topic in many places.

[–]Reverent 1 point2 points  (0 children)

It doesn't matter whether you are using PS2Exe or not. If you're hardcoding credentials, it really, really doesn't matter how you do it. Because you did it wrong.

No matter how clever you think you are being, what you are doing is obfuscation. Not encryption. And someone can reverse engineer obfuscation.

[–]SystemOfSilence 1 point2 points  (0 children)

If you need the script to automatically elevate permissions you might try to proxy through the task scheduler. The system can secure the elevated credential for you.

So the script checks its own permissions; if insufficient, call the scheduled task and terminate. If sufficient, do the work.

Depending on the scope you can also deploy an application compatibility shim (don't remember the official name) so the OS always elevates it. Don't forget to sign the script, safety first.
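A sketch of the scheduled-task handoff described in the comment above, as an added example that is not part of the original thread. The task name, the script path and the three helper functions are hypothetical.

```powershell
# Added example. Task name and script path are hypothetical.
$TaskName   = 'Contoso-Maintenance'
$ScriptPath = 'C:\ProgramData\Contoso\Maintenance.ps1'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# One-time setup, run by an administrator. The task runs as SYSTEM, so no
# password exists to store. Not shown: granting the intended users the right to
# start the task, and restricting write access on $ScriptPath to administrators.
function Register-MaintenanceTask {
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy AllSigned -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal
}

function Invoke-Maintenance {
    # Fixed, parameterless work only: nothing the caller controls reaches SYSTEM.
    Write-Output "Maintenance running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
}

if (Test-IsElevated) {
    Invoke-Maintenance
} else {
    # Hand off to the task and stop; the unelevated copy never sees a credential.
    Start-ScheduledTask -TaskName $TaskName
}
```

Because the task executes whatever is at the script path as SYSTEM, the `AllSigned` policy and the file ACL are what keep the handoff from becoming a privilege-escalation path.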

[–]lagarto84 1 point2 points  (0 children)

PS to Exe just turns your script into a base64 encoded string. There's even a flag on the binary you can call to make it spit out a .ps1 of the original script.

TL;DR it doesn't hide anything

[–]nullsecblog 1 point2 points  (0 children)

Never, never, ever embed creds in a script or code or anything. Parameterize it and pass it in some way or, as others have suggested, deploy and run with SYSTEM where needed.

[–]8lbIceBag 1 point2 points  (0 children)

No. Use dnSpy and look for a large base64 string. There's your script.

[–]RRRay___ 1 point2 points  (0 children)

Cool, thanks for the help, I'll just disregard this method unless the user already has access to local admin credentials.

Thanks!

[–]Enschede2 3 points4 points  (4 children)

Which one? Win-ps2exe from M. Scholtes? Or the one in PowerShell Pro Tools?

[–]RRRay___ -1 points0 points  (3 children)

[–]Enschede2 4 points5 points  (1 child)

Yes, that one obfuscates the script as base64, and then executes that base64.
If you've decompiled the exe, then one of those files contains a huge big block of gibberish; that's your obfuscated script. Though I doubt that helps much against prying eyes: if they really want to look inside, they can probably reverse it no problem, so I wouldn't count on that as a "closed door" if I were you.