Geeks With Blogs


Lance Robinson


Lance Robinson is a software engineer in Durham, Chapel Hill, Raleigh, and surrounding areas. More about Lance.


You cannot use get-credential without some type of prompt (although you can do it without the pop-up dialog). However, you can save your securestring password to a file, reload it later, and manually create a credential without a prompt. Of course, the problem with this is that your password will be exposed to anyone with access to the file, so do this at your own risk.

First, choose your password and write it to a file:

PS C:\> read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
*******

In the future, you won't have to enter your credentials over and over again. Instead, you can read your password in from the file and create a new PSCredential object from it. You can then use that credential for tasks such as connecting to FTP servers:

PS C:\> $pass = cat C:\securestring.txt | convertto-securestring
PS C:\> $mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "test",$pass
PS C:\> get-ftp -server 10.0.1.1 -cred $mycred -list *.vb


DirEntry : -rw-------    1 1036     100          1044 Dec 07 17:39 AssemblyInfo.vb
FileName : AssemblyInfo.vb
FileSize : 1044
FileTime : Dec 07 17:39
IsDir    : False


PS C:\> get-bufferhtml | out-file sample.html
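
The save-and-reload steps above as a script, with the file's ACL restricted to the current user and an explicit error when the file is read under a different account or machine. This is an added example, not code from the original post; the path, the function names Save-Secret and Get-SavedCredential, and the user name "test" are assumptions.

```powershell
# Added example. $Path, the function names and "test" are hypothetical placeholders.
$Path = Join-Path $env:USERPROFILE 'ftp-cred.txt'

function Save-Secret {
    param([string]$Path)
    # Without -Key/-SecureKey, ConvertFrom-SecureString encrypts with DPAPI,
    # so the output is bound to the current Windows user on this machine.
    Read-Host -AsSecureString -Prompt 'Password' |
        ConvertFrom-SecureString |
        Out-File -FilePath $Path

    # Drop inherited ACEs and leave a single ACE for the current user,
    # so other local accounts cannot even read the encrypted blob.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-SavedCredential {
    param([string]$Path, [string]$UserName)
    try {
        # -ErrorAction Stop turns a DPAPI decryption failure into a catchable error.
        $pass = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Reached when the file was created by another account or on another machine.
        throw "Cannot decrypt $Path as $env:USERNAME on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $pass
}

Save-Secret -Path $Path
$mycred = Get-SavedCredential -Path $Path -UserName 'test'

# Anything running as the same user on this machine can recover the plaintext
# the same way; only the length is printed here to keep it off the console.
$mycred.GetNetworkCredential().Password.Length
```

The file is useless to a different account, but it offers no protection against code or people operating inside the session of the account that created it.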


Posted on Friday, February 16, 2007 1:21 PM


Comments on this post: Using PSCredentials without a prompt

# re: Using PSCredentials without a prompt
Actually, keeping your password in a public location is not a security risk. SecureStrings are designed explicitly to guard against that risk -- when an attacker has access to the memory (or file, for that matter) that contains the encrypted password.

To solve the security issues, the Data Protection API (DPAPI, the stuff that backs the SecureString class) requires information from your user account in order to decrypt the string.

Lee
Left by Lee on Feb 28, 2007 11:26 PM

# re: Using PSCredentials without a prompt
Hi Lee, you are right, but the point I made is still valid. A script that uses get-credential requires a physical prompt, so even someone who is able to log on to my machine would still have to know the credential password. However, for the workaround shown in this post, the same is not true: anyone with access to the file has access to the script.

I suppose we're talking about two different levels of security.
Left by Lance on Mar 01, 2007 8:14 AM

# re: Using PSCredentials without a prompt
> However for the workaround shown in this post, the same is not true: anyone with access to the file has access to the script.

I'm not sure I understood that correctly. The point Lee was making was that only the person that created the password file can decrypt it. Try it out, log on with different credentials and try getting the password. Thus, even if they have access to the password file, unless they have your credentials, they won't be able to get the password.
Left by Marcel on Mar 27, 2007 11:40 AM

# re: Using PSCredentials without a prompt
Marcel, if you were to walk over to my computer and run these commands:

PS C:\> $pass = cat C:\securestring.txt | convertto-securestring
PS C:\> $mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "test",$pass
PS C:\> get-ftp -server 10.0.1.1 -cred $mycred -list *.vb

you would be able to successfully login to my ftp account. That is the only minor security issue I was referring to.

Left by Lance on Mar 27, 2007 10:02 PM

# re: Using PSCredentials without a prompt
Awesome! Thanks!
Left by Eric Greer on Jun 27, 2007 8:31 AM

# re: Using PSCredentials without a prompt
Lance, you wrote, "Marcel, if you were to walk over to my computer and run these commands... you would be able to successfully login to my ftp account". This is assuming that when he walked over to your computer that you were already logged in using the account which you had used to originally create the secure string, right? B/c the point, if I understand correctly, is that if he walked over to your computer and logged onto the machine with different credentials, he couldn't decrypt that file. Am I misunderstanding your point?

so that I understand properly,
Left by Cody on Nov 24, 2009 12:10 AM

# re: Using PSCredentials without a prompt
Apologies for the stray "so that I understand properly"; I mistakenly didn't remove that line of text from my response.
Left by Cody on Nov 24, 2009 12:39 AM

# re: Using PSCredentials without a prompt
Sorry for not responding to this one:

the answer to Mike's question:
the file has to be created by the account who will later try to read it. So either have the service create the file, or have the service run as the account that creates the file.
Left by Lance Robinson on Feb 18, 2010 5:50 PM

# re: Using PSCredentials without a prompt
read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
$pass = cat C:\securestring.txt | convertto-securestring
$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist "test",$pass
$mycred.GetNetworkCredential().Password

There's always a way to get it back... Be very careful.
Left by Tommy Becker on May 21, 2013 2:24 PM

# re: Using PSCredentials without a prompt
Tommy,

I am familiar with the method of extracting actual credentials (read the article). That said, could you elaborate and specify under what circumstances someone could extract the actual credentials? In the scenario within this thread, is it that the attacker would need to hack the client originating the remote session? Or could a sniffer grab the packets, analyze and extract the credentials?

Thanks a million!
Left by Jason Colotario on Nov 22, 2013 1:39 AM

# re: Using PSCredentials without a prompt
How can I connect to a remote machine without a prompt?
Left by manju on Jan 21, 2014 4:49 AM

# re: Using PSCredentials without a prompt
Can anyone explain why PowerShell, for example in the case of opening a remote session to a workgroup computer, is unable to simply use Managed Credentials?

I've got safe and automatic full access to this server, c$, computer management... yet PowerShell demands to be given credentials from either a prompt or a publicly stored file.
Left by Pat on Jul 15, 2014 10:31 PM



Copyright © Lance Robinson