
Untitled

a guest
May 16th, 2018
<# I wrote this trio of code snippets to create a keyfile that will be used to encrypt a password file.
The resulting encrypted password file can then be referenced along with the key file
to generate a login object that will be stored as a variable in the PowerShell session TEMPORARILY.
This prevents the storage and passing of credentials via plain text; however, there should be NTFS
permissions in place on the folder where these files are stored, as they can easily be decrypted.
Unfortunately, I couldn't figure out how to obfuscate the commands using Base64, due
to the inability to pass arguments using an encoded command. Please be aware, CredSSP needs to be enabled
on both the client computer and server computer in order to utilize the Invoke-Command cmdlet.

Execute each code block separately. #>

<# ---------------------------------------------------------------------------------- #>
<# This code block will generate the key file used to encrypt our portable password file #>

$KeyFile = Read-Host "Path where keyfile will be saved"
<# You can use 16 bytes (128-bit), 24 bytes (192-bit), or 32 bytes (256-bit) for AES #>
$Key = New-Object Byte[] 32
<# This call fills the array with cryptographically random bytes, using the key length set on the previous line #>
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)

<# The key is written as one decimal byte value per line; anyone who can read this file can decrypt the password file #>
$Key | Out-File $KeyFile

<# ---------------------------------------------------------------------------------- #>
<# This is the code block to generate the fully encrypted and portable password file.
Make sure to run this in the service account's (or whatever account you choose) context. #>

$PasswordFile = Read-Host "Path where the secure password file will be saved"
$KeyFile = Read-Host "Enter the path to keyfile"
$Password = Read-Host -AsSecureString "Please enter your password"
$Key = Get-Content $KeyFile
<# With -Key, ConvertFrom-SecureString encrypts with AES under that key instead of the per-user DPAPI default #>
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile

<# ---------------------------------------------------------------------------------- #>
<# This is the code block to be added to the script that requires secure credentials to be passed for automation #>

<# This line should utilize the service account that will be used to execute the remote PowerShell command on the target server #>
$User = 'domain\username'
$PasswordFile = "path"      <# path where the securestring password file will be saved #>
$KeyFile = "path"           <# path where keyfile will be saved #>
$Key = Get-Content $KeyFile
$serviceaccount = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,(Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key)
<# The $serviceaccount variable will be your credentials, to be used in whatever function you need them for #>

<# ---------------------------------------------------------------------------------- #>
<# The below commands will be used on the client computer and the server to
allow CredSSP credentials to be passed from the client to the server. #>

Enable-WSManCredSSP -Role Client -DelegateComputer FQDN    <# Execute this on the client computer running the script #>
Enable-WSManCredSSP -Role Server -Force                    <# Execute this command on the server hosting the script to be executed #>
Get-WSManCredSSP                                           <# Check the CredSSP settings #>
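
The header comment calls for NTFS permissions on the location holding the key and password files. The following is an added example, not part of the original paste, of one way to lock both files down and then check the result. The file paths and the allow-list (service account read-only, plus local Administrators and SYSTEM) are assumptions.

```powershell
# Added example (not from the original paste). Paths and identities are placeholders.
$KeyFile      = 'C:\Secure\Creds\aes.key'        # hypothetical path
$PasswordFile = 'C:\Secure\Creds\password.txt'   # hypothetical path
$User         = 'domain\username'                # service account that reads the files

# Assumed allow-list: identity -> rights. Everything else loses access.
$Allowed = [ordered]@{
    $User                    = 'Read'
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}

function Set-RestrictedAcl {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][System.Collections.IDictionary]$Allow)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent folder and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit entry already present on the file.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Add back only the identities on the allow-list.
    foreach ($identity in @($Allow.Keys)) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, $Allow[$identity], 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAccess {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][System.Collections.IDictionary]$Allow)
    # Names come back in resolved form (e.g. DOMAIN\username); the comparison is case-insensitive.
    $names = @($Allow.Keys)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $names -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

foreach ($file in $KeyFile, $PasswordFile) {
    Set-RestrictedAcl -Path $file -Allow $Allowed
    $extra = Get-UnexpectedAccess -Path $file -Allow $Allowed
    if ($extra) {
        Write-Warning "$file is still accessible to: $($extra.IdentityReference -join ', ')"
    }
}
```

Run it from an elevated session after both files exist. Get-UnexpectedAccess can also be run on its own later to confirm that no extra entries have been added.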