Security issue with PowerShell

Hi guys,

After a (too) long time I can finally return to PowerShell (I spent a few months creating a batch framework to manage Citrix servers; right now it is about 980 scripts).

I was playing with Get-Credential:

$Operator = get-credential

I provided my username/password. If I have a look at the object, I can see the Password property and the GetPassword() method. I tried this; the output is System.Security.SecureString.

I was just thinking about how PowerShell handles explicit authentication, so I had a look at the available properties and methods - GetNetworkCredential caught my eye, so I tried it. And I was really surprised by the output:

mzugec>$operator.GetNetworkCredential()

UserName    Password             Domain
--------    --------             ------
mzugec      YouPwdInPlainText    MyDomain

 

Replace YouPwdInPlainText with your actual password! So be aware: if you are using Get-Credential, it is very easy to retrieve your actual password!

Published Thu, Jan 25 2007 8:47 by martin
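
The behaviour described in the post, reproduced with a constructed credential so the boundary is visible: the object is not a secret from code that holds it, while the stored form is protected. This is an added example, not part of the original post; the sample password and the temp-file name are made up, and step 3 assumes Windows, where the exported password is DPAPI-protected.

```powershell
# Constructed sample values; not a real account or password.
$samplePassword = 'Constructed-Pw-123'
$secure   = ConvertTo-SecureString -String $samplePassword -AsPlainText -Force
$Operator = New-Object System.Management.Automation.PSCredential('MyDomain\mzugec', $secure)

# 1. The behaviour from the post: code that holds the object can unwrap it.
$net = $Operator.GetNetworkCredential()
"In session : $($net.Domain)\$($net.UserName) / $($net.Password)"

# 2. Same result without PSCredential, directly from the SecureString.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Operator.Password)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }  # zero and free the unmanaged copy
"Via Marshal matches sample: $($plain -ceq $samplePassword)"

# 3. What is protected: the serialized form. On Windows, Export-Clixml
#    encrypts the password with DPAPI for the current user on this machine.
$path = Join-Path ([IO.Path]::GetTempPath()) 'operator-cred-example.xml'
try {
    $Operator | Export-Clixml -Path $path
    $onDisk = Get-Content -Path $path -Raw
    "Plaintext present in file: $($onDisk.Contains($samplePassword))"
    $restored = Import-Clixml -Path $path
    "Same user can restore it: $($restored.GetNetworkCredential().Password -ceq $samplePassword)"
}
finally { Remove-Item -Path $path -ErrorAction SilentlyContinue }

# 4. Handling: hand the PSCredential itself to cmdlets that accept -Credential,
#    and keep the unwrapped string out of variables, logs and transcripts.
```
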

Comments

# PowerShell Security « Dmitry’s PowerBlog: PowerShell and beyond

Pingback from  PowerShell Security « Dmitry’s PowerBlog: PowerShell and beyond

# re: Security issue with PowerShell

$Operator = get-credentials

should be without "s"

$Operator = get-credential

Saturday, January 12, 2008 12:02 PM by VasekB

# re: Security issue with PowerShell

Thanks for the correction, fixed...

Martin

Monday, January 14, 2008 12:19 PM by martin
