Reveal Cloud Identity with PowerShell
The PowerShell interface can perform powerful and useful operations on servers and workstations. With Microsoft Office 365 and Azure, PowerShell is more relevant than ever, regardless of which cloud service is used (EXO, SPSO, Azure, CRM, etc.).
As on any other system or platform, we authenticate with an identity before taking any action. Most administrators take the simple route and log in to the cloud services from the PowerShell interface without encrypting the password.
In this situation, when a hacker attacks the machine, he can expose the password with a few PowerShell commands in less than a minute.
Granted, if the hacker is on your PC you already have a big problem, but now he can also take your password and use the global admin account in the cloud to perform any action he wants.
How to expose the password
When the admin logs in to the cloud services, he first runs the Get-Credential cmdlet and stores the result in a variable such as $cred. Once this method is used, the password is “available” to the hacker.
The problem with the Get-Credential cmdlet is that it returns a PSCredential object. In itself, this is not an issue, but it does mean that I can only use the credential object for cmdlets and for other items that know what a PSCredential object is.
Let us start by getting the credentials used to connect to the cloud, with the following command: $credential=Get-Credential
Once I have typed my password, we can start to expose the real password behind the scenes.
The next step is to find out which user we are using, with the following command:
Now I want to expose the password, but when I use this command, I receive the following result:
$credential.Password or even $credential.Password.ToString()
Let’s try $credential.Password | ConvertFrom-SecureString to expose the password. Even this won’t help us (but the output looks different).
So let’s go back to the PSCredential object itself and try again, this time using its GetNetworkCredential method. It returns the user name and the domain name.
In this step, we can use the following command to check the password:
$credential.GetNetworkCredential() | fl *
Or the following command: $credential.GetNetworkCredential().password
So, to recap our scenario: we can use the NetworkCredential object to expose the password.
There are many ways to encrypt the password using PowerShell, and you can also use Multi-Factor Authentication (yes, for admins, even from the local network).
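One way to encrypt the stored password and shorten the time the credential stays in the session, shown as an added example that is not part of the original post. It assumes Windows (where Export-Clixml protects the SecureString with DPAPI); the file path and both function names are hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: Windows PowerShell 5.1 or PowerShell 7 on Windows.
# Hypothetical location for the protected credential file.
$CredPath = Join-Path $env:LOCALAPPDATA 'example-admin-cred.xml'

function Save-AdminCredential {
    # Prompt once. Export-Clixml serializes the SecureString encrypted with
    # DPAPI, so only the same user on the same machine can import it again.
    Get-Credential | Export-Clixml -Path $CredPath
}

function Invoke-WithAdminCredential {
    param(
        [Parameter(Mandatory)]
        [scriptblock]$Action
    )

    # The credential exists only in this function's scope, not as a
    # long-lived $credential variable in the interactive session.
    $cred = Import-Clixml -Path $CredPath
    try {
        # Hand the PSCredential to the caller's script block.
        & $Action $cred
    }
    finally {
        # Zero the SecureString buffer and drop the local variable, so the
        # password is no longer reachable from this object afterwards.
        $cred.Password.Dispose()
        Remove-Variable cred
    }
}

# Constructed usage: run once to store the credential, then wrap each task.
# The script block stands in for a real connection cmdlet that takes -Credential.
Save-AdminCredential
Invoke-WithAdminCredential -Action {
    param($c)
    "Working as $($c.UserName)"
}
```

This protects the password at rest and limits how long it lives in memory, but code running as the same user can still import the file or call GetNetworkCredential() inside the script block. That remaining exposure is the reason to require Multi-Factor Authentication on admin accounts as well.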