Solved

PowerShell: specify a literal "encrypted standard string"?

Posted on 2015-01-28
Last Modified: 2015-02-06
Hi,

How can I use PowerShell and manually define an "encrypted standard string" directly, without having to read it from a file,
and then convert it to a secure string?

See my example: Method 1 works, but I can't get Method 2 to work.

Any suggestions? I would like to use a secure string in a script without reading it from a file or prompting the user,
so just specify the long sequence of characters.

Thanks,

Ward

# Method 1 - this works.

$pw = ConvertTo-SecureString 'hello' -AsPlainText -Force

$data1 = $pw | ConvertFrom-SecureString 

$data1 | Out-File -FilePath ".\pw.txt" -Force

$file_data = Get-Content ".\pw.txt" | ConvertTo-SecureString

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($file_data)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 


"Password:  $PlainPassword"
""
$data1

# Method 2 - use literal text

$data2 = @"
01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f9e68712619c245c6000000000200000000001066000000010000200000006be4552c3584b727a58b044097670bda284c5aac7f
5db1b06d1e3629776a343e000000000e80000000020000200000006b178fa1c6f34251470d87887dd05f16d6d78ccd6be97f758a9fcca28177bf9610000000ca823ec7d654009b5640553b99e614eb40000000
f86406ac343fb8a9f016e516490cc59d441af7bc760ddc19a74779275a8da347909c3df7e3a67304aa50a5a5ae71dc11cfae42ed21a7f50a54b309a2106b0ef0
"@

$file_data = $data2 | ConvertTo-SecureString 

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($file_data)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 

"Password:  $PlainPassword"



Here is the error I get when I try to run it.

PS C:\Users\Ward> C:\Users\Ward\OneDrive\Documents\test1.ps1
Password:  hello

01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f9e68712619c245c60000000002000000000010660000000100002000000028762f90fd2d364b89b516059c4da6945a31a28b71
9b9ae147b0c5b630df58e7000000000e800000000200002000000051f7b457600ebce6976fbda0dc030f142cf625cf08284a979f1b2b70a4d4fd8f1000000098ed9798da734098fa4fc6312656e4f440000000
c0b0909bd09f4829bea7b5d64aa1def84a3fc34c512a4ec730c35d9150458d18403f1e04b22d13e02340aeeb7e4f4737d125eda2285e1b871d79841cd4af42ad
ConvertTo-SecureString : Input string was not in a correct format.
At C:\Users\Ward\OneDrive\Documents\test1.ps1:27 char:23
+ $file_data = $data2 | ConvertTo-SecureString
+                       ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [ConvertTo-SecureString], FormatException
    + FullyQualifiedErrorId : System.FormatException,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
Question by:whorsfall
Expert Comment

by:oBdA
ID: 40574892
Well - this problem results from the here-string containing line breaks, so you need to remove these first before converting the string:
$file_data = $data2.Replace("`r`n", "") | ConvertTo-SecureString 


But then your next problem will probably come up.
A secure string will only be valid for the user who created it, AND on the machine where the string was created.
In other words: as soon as you try to run the script with the embedded password either with another user or on another computer, you'll get ConvertTo-SecureString : Key not valid for use in specified state.

Author Comment

by:whorsfall
ID: 40574921
Hi,

So if I now run the code below, it will fail on a different machine, even though it seems to work OK now?

Thanks,
Ward

$data2 = @"
01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f9e68712619c245c6000000000200000000001066000000010000200000006be4552c3584b727a58b044097670bda284c5aac7f
5db1b06d1e3629776a343e000000000e80000000020000200000006b178fa1c6f34251470d87887dd05f16d6d78ccd6be97f758a9fcca28177bf9610000000ca823ec7d654009b5640553b99e614eb40000000
f86406ac343fb8a9f016e516490cc59d441af7bc760ddc19a74779275a8da347909c3df7e3a67304aa50a5a5ae71dc11cfae42ed21a7f50a54b309a2106b0ef0
"@

$file_data = $data2.Replace("`r`n", "") | ConvertTo-SecureString 

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($file_data)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 

"Password:  $PlainPassword"


Expert Comment

by:oBdA
ID: 40574983
Yep. Check yourself; here are the first 64 characters from an encoded "hello".
Line 1: Your "hello"
Line 2: My "hello", machine 1, account 1
Line 3: My "hello", machine 1, account 2
Line 4: My "hello", machine 2, account 1
Differences start in column 49:
01000000d08c9ddf0115d1118c7a00c04fc297eb010000006060907f48c4004f
01000000d08c9ddf0115d1118c7a00c04fc297eb0100000005f5ca1d26d1d745
01000000d08c9ddf0115d1118c7a00c04fc297eb010000008da7ed0b833a6147
01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e725ac7e967604f


Accepted Solution

by:oBdA (earned 500 total points)
ID: 40576257
Had another look at the options; it should work for you if you use your own key for ConvertTo-SecureString and ConvertFrom-SecureString. Not that this makes the use any safer ...
The following function can be used to easily generate the data; note that the key passed must be either 16, 24, or 32 characters long:
Function Convert-PasswordToData([string]$Password, [string]$Key, [switch]$AsHereString, [int]$BlockLength = 64) {
    # Encrypt with the caller's own AES key (16, 24 or 32 ASCII characters) instead of the user/machine-bound DPAPI key
    $Data = ConvertTo-SecureString $Password -AsPlainText -Force | ConvertFrom-SecureString -Key ([System.Text.Encoding]::ASCII.GetBytes($Key))
    If ($AsHereString) {
        # Emit a single-quoted here-string, broken into $BlockLength-character lines
        "@'`r`n" + (($Data -split "(\w{$BlockLength})" | Where-Object { $_ }) -join "`r`n") + "`r`n'@"
    } Else {
        $Data
    }
}


The following script will decrypt the password again. If you run it as it is, it should give you the password I used:
$Key = "16, 24, or 32 chars long"
$Data = @'
76492d1116743f0423413b16050a5345MgB8ADMAQQBIAEIAbABiAC8AMgBVAGQA
aQA1ADYAWgBiAGYAZgA4ADQAMABWAFEAPQA9AHwAYgBhADMAMgA5AGMANABiAGQA
OABhAGUANQBmADAAYQBmAGEAYgA3ADUAZABjADEAYwBiADAAZgBmADQANQBhADkA
ZgA4ADUAMABlAGMAOAA0AGQAMwA1ADMAOAAwADMAMAAwAGMANwAwADgAMAA5ADgA
ZgAwADQAYgA0ADUAYQA=
'@

$SecureString = $Data.Replace("`r`n", "") | ConvertTo-SecureString -Key ([System.Text.Encoding]::ASCII.GetBytes($Key))
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 

"Password: $PlainPassword"


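An added example, not code from the thread, that ties the two answers together: line breaks from a here-string are stripped before decryption, the blob is protected with a caller-supplied 16/24/32-byte AES key (via -Key) rather than the user- and machine-bound DPAPI default, and the key is kept in a file separate from the script so that embedding the blob in source is not the same as embedding the secret. The function names, the key file path and the sample secret are assumptions of this example; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread). Key length must be 16, 24 or 32 bytes for -Key.

function New-AesKey([int]$Length = 32) {
    # Random key from the OS CSPRNG, not ASCII text typed into the script
    if ($Length -notin @(16, 24, 32)) { throw "Key length must be 16, 24 or 32 bytes." }
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return $bytes
}

function Protect-Secret([string]$PlainText, [byte[]]$Key) {
    # Produces the portable "encrypted standard string" (AES with the supplied key)
    ConvertTo-SecureString $PlainText -AsPlainText -Force | ConvertFrom-SecureString -Key $Key
}

function Unprotect-Secret([string]$Encrypted, [byte[]]$Key) {
    # Remove CR/LF that a here-string may have introduced, then decrypt with the same key
    $secure = $Encrypted -replace "`r?`n", "" | ConvertTo-SecureString -Key $Key
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Zero and free the unmanaged copy so the plaintext does not linger in memory
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Key lives in its own file (hypothetical path); in practice restrict its ACL to the account that runs the script
$keyPath = Join-Path $env:TEMP "demo.key"
$key = New-AesKey 32
[System.IO.File]::WriteAllBytes($keyPath, $key)

$blob = Protect-Secret 'hello' $key   # constructed sample secret
"Encrypted: $blob"

# Decrypting with the key read back from the file works for any user or machine that holds the key
$keyFromFile = [System.IO.File]::ReadAllBytes($keyPath)
"Decrypted: $(Unprotect-Secret $blob $keyFromFile)"

# A wrong key fails; a DPAPI-protected blob moved to another user or machine fails in the same way
try {
    Unprotect-Secret $blob (New-AesKey 32) | Out-Null
} catch {
    "Decryption with the wrong key failed as expected: $($_.Exception.Message)"
}
Remove-Item $keyPath
```

Anyone who can read both the script and the key file can recover the secret, so the key file's permissions, not the encoding, are what actually protect it.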