Using PSCredentials without a prompt

You cannot use Get-Credential without some kind of prompt (although you can avoid the pop-up dialog), but you can save your SecureString password to a file, reload it later, and build a credential object manually without any prompt. The catch is that your password is then exposed to anyone with access to the file, so do this at your own risk.

First, choose your password and write it to a file:

PS C:\> read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
*******
From then on you don't have to enter your credentials over and over again. Instead, read the password back in from the file and create a new PSCredential object from it. That credential can then be used for tasks such as connecting to FTP servers, like so:
PS C:\> $pass = cat C:\securestring.txt | convertto-securestring
PS C:\> $mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "test",$pass
PS C:\> get-ftp -server 10.0.1.1 -cred $mycred -list *.vb

DirEntry : -rw-------    1 1036     100          1044 Dec 07 17:39 AssemblyInfo.vb
FileName : AssemblyInfo.vb
FileSize : 1044
FileTime : Dec 07 17:39
IsDir    : False

PS C:\> get-bufferhtml | out-file sample.html
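The procedure above, wrapped into two reusable functions as an added example (not code from the original post). The file path, the user name and the companion ".user" marker file are assumptions; ConvertFrom-SecureString without -Key uses DPAPI, so the saved blob can only be decrypted by the account that created it, and the reader function turns that failure into a clear message. The Get-Ftp cmdlet from the post is not needed here.

```powershell
# Added example, not from the original post. Paths and names are placeholders.

function Save-FileCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName
    )
    # Prompt once without the dialog; the plaintext never lands in a variable.
    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    # Without -Key, ConvertFrom-SecureString uses DPAPI: the output is bound to
    # the current user account on this machine, so only that account can reverse it.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path
    # Record who created the file so a later reader can spot an account mismatch.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    Set-Content -Path "$Path.user" -Value $me
    # Defence in depth: drop inherited ACEs and leave only the creating account
    # with access. DPAPI is still what stops other accounts from decrypting.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $me, 'FullControl', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName
    )
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # The failure discussed in the comments: a different account (for example
        # a service running under its own identity) cannot decrypt the DPAPI blob.
        $creator = if (Test-Path "$Path.user") { Get-Content "$Path.user" } else { 'unknown' }
        throw ("Cannot decrypt $Path as $env:USERDOMAIN\$env:USERNAME (created by $creator). " +
               "Re-create the file while running as the account that will read it.")
    }
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
}

# Usage: run Save-FileCredential once as the account that will later use the
# credential, then call Get-FileCredential from scripts or scheduled tasks
# running as that same account.
# Save-FileCredential -Path 'C:\secure\ftp.txt' -UserName 'test'
# $mycred = Get-FileCredential -Path 'C:\secure\ftp.txt' -UserName 'test'
```

Note that GetNetworkCredential().Password still recovers the plaintext from the resulting object, so the protection only holds as long as nobody else can run code as the creating account.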


Posted on Friday, February 16, 2007 1:21 PM

Feedback

# re: Using PSCredentials without a prompt

Left by Lee at 2/28/2007 11:26 PM
Actually, keeping your password in a public location is not a security risk. SecureStrings are designed explicitly to guard against that risk -- when an attacker has access to the memory (or file, for that matter) that contains the encrypted password.

To solve the security issues, the Data Protection API (DPAPI, the stuff that backs the SecureString class) requires information from your user account in order to decrypt the string.

Lee

# re: Using PSCredentials without a prompt

Left by Lance at 3/1/2007 8:14 AM
Hi Lee, you are right, but the point I made is still valid. A script that uses get-credential requires a physical prompt, so even someone who is able to logon to my machine would still have to know the credential password. However for the workaround shown in this post, the same is not true: anyone with access to the file has access to the script.

I suppose we're talking about two different levels of security.

# re: Using PSCredentials without a prompt

Left by Marcel at 3/27/2007 11:40 AM
> However for the workaround shown in this post, the same is not true: anyone with access to the file has access to the script.

I'm not sure I understood that correctly. The point Lee was making was that only the person that created the password file can decrypt it. Try it out, log on with different credentials and try getting the password. Thus, even if they have access to the password file, unless they have your credentials, they won't be able to get the password.

# re: Using PSCredentials without a prompt

Left by Lance at 3/27/2007 10:02 PM
Marcel, if you were to walk over to my computer and run these commands:

PS C:\> $pass = cat C:\securestring.txt | convertto-securestring
PS C:\> $mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "test",$pass
PS C:\> get-ftp -server 10.0.1.1 -cred $mycred -list *.vb

you would be able to successfully login to my ftp account. That is the only minor security issue I was referring to.

# re: Using PSCredentials without a prompt

Left by Eric Greer at 6/27/2007 8:31 AM
Awesome! Thanks!

# re: Using PSCredentials without a prompt

Left by Cody at 11/24/2009 12:10 AM
Lance, you wrote, "Marcel, if you were to walk over to my computer and run these commands... you would be able to successfully login to my ftp account". This is assuming that when he walked over to your computer that you were already logged in using the account which you had used to originally create the secure string, right? B/c the point, if I understand correctly, is that if he walked over to your computer and logged onto the machine with different credentials, he couldn't decrypt that file. Am I misunderstanding your point?

so that I understand properly,

# re: Using PSCredentials without a prompt

Left by Cody at 11/24/2009 12:39 AM
Apologies for the stray "so that I understand properly"; I mistakenly didn't remove that line of text from my response.

# re: Using PSCredentials without a prompt

Left by Lance Robinson at 2/18/2010 5:50 PM
Sorry for not responding to this one:

the answer to Mike's question:
the file has to be created by the account who will later try to read it. So either have the service create the file, or have the service run as the account that creates the file.

# re: Using PSCredentials without a prompt

Left by Tommy Becker at 5/21/2013 2:24 PM
read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
$pass = cat C:\securestring.txt | convertto-securestring
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "test",$pass
$mycred.GetNetworkCredential().Password

There's always a way to get it back... Be very careful.

# re: Using PSCredentials without a prompt

Left by Jason Colotario at 11/22/2013 1:39 AM
Tommy,

I am familiar with the method of extracting actual credentials (read the article). That said, could you elaborate and specify under what circumstances someone could extract the actual credentials? In the scenario within this thread, is it that the attacker would need to hack the client originating the remote session? Or could a sniffer grab the packets, analyze them and extract the credentials?

Thanks a million!

# re: Using PSCredentials without a prompt

Left by manju at 1/21/2014 4:49 AM
How can I connect to a remote machine without a prompt?

Copyright © Lance Robinson
