```powershell
<# I wrote this trio of code snippets to create a key file that will be used to encrypt a password file.
The resulting encrypted password file can then be referenced along with the key file
to generate a login object that will be stored as a variable in the PowerShell session TEMPORARILY.
This prevents the storage and passing of credentials via plain text; however, there should be NTFS
permissions in place on the folder where these files are stored, because anyone who can read both
files can easily decrypt the password.
Unfortunately, I couldn't figure out how to obfuscate the commands using Base64, due
to the inability to pass arguments using an encoded command. Please be aware, CredSSP needs to be enabled
on both the client computer and server computer in order to utilize the Invoke-Command cmdlet.
Execute each code block separately. #>

<# ---------------------------------------------------------------------------------- #>
<# This code block generates the key file used to encrypt our portable password file #>
$KeyFile = Read-Host "Path where keyfile will be saved"
<# You can use 16 bytes (128-bit), 24 bytes (192-bit), or 32 bytes (256-bit) for AES #>
$Key = New-Object Byte[] 32
<# Fill the array with random bytes, using the key length specified in the previous variable #>
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
<# Out-File writes the key as one decimal byte value per line #>
$Key | Out-File $KeyFile

<# ---------------------------------------------------------------------------------- #>
<# This is the code block to generate the fully encrypted and portable password file.
Make sure to run this in the service account's (or whatever account you choose) context. #>
$PasswordFile = Read-Host "Path where the secure password file will be saved"
$KeyFile = Read-Host "Enter the path to keyfile"
$Password = Read-Host -AsSecureString "Please enter your password"
$Key = Get-Content $KeyFile
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile

<# ---------------------------------------------------------------------------------- #>
<# This is the code block to be added to the script that requires secure credentials to be passed for automation #>
<# This line should use the service account that will execute the remote PowerShell command on the target server #>
$User = 'domain\username'
$PasswordFile = "path" <# path where the SecureString password file was saved #>
$KeyFile = "path" <# path where the key file was saved #>
$Key = Get-Content $KeyFile
$SecurePassword = Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key
$serviceaccount = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword
<# The $serviceaccount variable will be your credentials, to be used in whatever function you need them for #>

<# ---------------------------------------------------------------------------------- #>
<# The commands below are used on the client computer and the server to
allow CredSSP credentials to be passed from the client to the server. #>
Enable-WSManCredSSP -Role Client -DelegateComputer FQDN <# Execute this on the client computer running the script; FQDN is a placeholder for the server's name #>
Enable-WSManCredSSP -Role Server -Force <# Execute this command on the server hosting the script to be executed #>
Get-WSManCredSSP <# Check the CredSSP settings #>
```
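
The header comment calls for NTFS permissions on the folder that holds the key file and the password file. One way to apply and audit them, as an added example that is not part of the original paste; the function names and the choice of who stays on the ACL (the service account with Read, SYSTEM and Administrators with FullControl) are assumptions:

```powershell
# Added example, not from the original paste. Function names and the allowed set
# (service account, SYSTEM, Administrators) are assumptions.
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM, well-known SID
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators, well-known SID
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Get-AccountSid([string]$Account) {
    # Resolve 'domain\username' to a SID string; throws if the account is unknown
    ([System.Security.Principal.NTAccount]$Account).Translate($SidType).Value
}

function Protect-CredentialFolder {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ServiceAccount)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent folder and discard the inherited entries
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit entries left over from earlier changes
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $grants = @{ Sid = (Get-AccountSid $ServiceAccount); Rights = 'Read' },
              @{ Sid = $SystemSid; Rights = 'FullControl' },
              @{ Sid = $AdminsSid; Rights = 'FullControl' }
    foreach ($g in $grants) {
        # Inheritable entries so the key file and password file pick them up
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            (New-Object System.Security.Principal.SecurityIdentifier($g.Sid)),
            $g.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAccess {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ServiceAccount)
    $allowed = @((Get-AccountSid $ServiceAccount), $SystemSid, $AdminsSid)
    # Check the folder and its contents: a file with its own explicit entries
    # keeps them even after the folder ACL is replaced
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $SidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $allowed -notcontains $_.IdentityReference.Value } |
            Select-Object @{ n = 'Path'; e = { $item.FullName } }, IdentityReference,
                          FileSystemRights, IsInherited
    }
}
```

Run `Protect-CredentialFolder` from an elevated session once the key file and password file exist, then run `Get-UnexpectedAccess` with the same `-Path` and `-ServiceAccount` values. Each row it returns is an allow entry for an identity outside the allowed set.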