Possible to uncover password from PSCredential object with ConvertFrom-SecureString

  • Question

  • Hello,

    I am currently attempting to uncover a password and username from a PSCredential Object utilizing ConvertFrom-SecureString. I have a key and a string of letters and numbers. My issue is that I have a key that looks a bit strange, as if it's only uncovered the first two and last two digits. Is it still possible to reverse this information using the ConvertFrom-SecureString cmdlet?

    I have a key that resembles this: 

    -key (33..55)

    Regards

    Saturday, December 24, 2016 5:09 PM

Answers

  • That is just a shorthand for the full key, which is a simple sequence. If it is the correct sequence it will work.

    \_(ツ)_/

    Saturday, December 24, 2016 8:53 PM

All replies

  • Hello JRV, 

    Thank you for your response. If I am not mistaken, if I only have the shorthand, I would be unable to convert this to plaintext, correct? So -key (33..55) would not be sufficient.

    Saturday, December 24, 2016 9:03 PM
  • If that is the key you used to create the encryption it will work.


    \_(ツ)_/

    Saturday, December 24, 2016 10:00 PM
  • Actually - the key is either too short or too long. It needs to be 16, 32 or 64 bytes long.

    (33..64) is a correct length.


    \_(ツ)_/

    Saturday, December 24, 2016 10:09 PM
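
    The key-length point above as a round trip, added here as an example that is not part of the original thread: the range operator expands to a byte sequence, and the -Key parameter of these cmdlets accepts only AES key sizes (128, 192 or 256 bits). The password and user name are constructed sample values.

```powershell
# Added example; the secret and user name below are constructed sample values.

# The range operator is only shorthand: 33..64 expands to 32 consecutive
# values, which is a valid 256-bit AES key for the -Key parameter.
$key = [byte[]](33..64)
"Key length: {0} bytes" -f $key.Length

# ConvertFrom-SecureString is the direction that produces the encrypted text
# (the "string of letters and numbers" stored in a script or file).
$secure = ConvertTo-SecureString 'Constructed-Sample-P@ss' -AsPlainText -Force
$blob   = ConvertFrom-SecureString -SecureString $secure -Key $key

# Recovery goes the other way: ConvertTo-SecureString with the same key,
# then read the plaintext back through a PSCredential object.
$restored = ConvertTo-SecureString -String $blob -Key $key
$cred     = New-Object System.Management.Automation.PSCredential('sample-user', $restored)
"Recovered: {0}" -f $cred.GetNetworkCredential().Password

# The range from the question, 33..55, expands to 23 values. That is not an
# AES key size, so the cmdlet rejects it before attempting any decryption.
$short = [byte[]](33..55)
"Key length: {0} bytes" -f $short.Length
try {
    ConvertTo-SecureString -String $blob -Key $short -ErrorAction Stop | Out-Null
    "Unexpected: key accepted"
} catch {
    "Rejected: {0}" -f $_.Exception.Message
}
```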
  • My main goal is to be able to convert the string to plaintext in the event of an intrusion on my network. So if someone utilizes a method to bypass the policy restriction to create a user account on PowerShell, I can remove the username and password. So whenever I see an intrusion like this I would want to be able to grab the key and convert the strings.

    For example, you would see this bypass method:

    $command = "Write-Host 'My voice is my passport, verify me.'"
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encodedCommand = [Convert]::ToBase64String($bytes)
    powershell.exe -EncodedCommand $encodedCommand

    From this site:

    https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

    So if having the shorthand of the full sequence would be enough to convert the string, that would be very useful.

    Saturday, December 24, 2016 10:17 PM
  • You cannot decrypt Windows passwords. They are encrypted with a non-reversible algorithm. It is called one-way encryption.


    \_(ツ)_/

    Saturday, December 24, 2016 10:22 PM
  • Base64 encoding is not encryption.  Anyone can decode it.  It is just a way of passing special characters and compressing the string.


    \_(ツ)_/

    Saturday, December 24, 2016 10:24 PM
  • Right, what I was saying is that you can base64 encode a command that would allow you to bypass the restriction policy, and you could execute a script arbitrarily. Such as creating a PSCredential Object.

    This is all good and relevant information that you are sharing.

    Thank you kindly.

    Saturday, December 24, 2016 10:34 PM
  • There is no need to encode a command to bypass security.  Any command that you can place on the command line will bypass the restrictions on script execution.  Encoding is only a way to jam a lot of commands into a single string without colliding with command format restrictions such as how to quote strings in a command.

    This has nothing to do with encrypted strings and in no way affects the code.


    \_(ツ)_/

    Saturday, December 24, 2016 10:42 PM