CYBERDOM

Just another day of IR, Threat-Hunting & Microsoft Security

Reveal Cloud Identity with PowerShell

by · August 25, 2017

PowerShell interface has amazing capabilities that can perform great and useful operations with servers and workstations. With Microsoft Office365 and Azure, the PowerShell is relevant than ever, and it does not matter which cloud service is used (EXO, SPSO, Azure, CRM, etc.)

Like any other system and platform, we’re using some identity before taking any actions. Most administrators use the simple way to login to the cloud services from the PowerShell interface without encrypting the password.

In this situation, when a hacker attacks the machine, he can expose the password with few PowerShell commands and less a minute.

Let us say that if the hacker is on your pc, you have a big problem, but now he can take your password and use the global admin on the cloud to perform any actions he wants.

Post Contents Show

How to expose password

When the admin logins to the cloud services, he uses the get-credentials command and some variable of $cred before. Once using this method, the password is “available” for the hacker.

The problem with the Get-Credential cmdlet is that it returns a PSCredential object. In itself, this is not an issue, but it does mean that I can only use the credential object for cmdlets and for other items that know what a PSCredential object is.

Let us start and first connect to the cloud by getting credentials with the following command: $credential=Get-Credential

image

Once I typed my password, we can start to expose the real password behind the scene.
The next step is to know who is the user that we’re using with the following command:
$credential.UserName

image

Now I want the expose the password, but when I’m using this command, I received the following result:

$credential.Password or even using $credential.Password.ToString()

image

Let’s use the command of $credential.Password | ConvertFrom-SecureString to expose the password, and even this won’t help us (but it looks different)

image

So let’s go back to the PSCredential object itself and try again and use the command GetNetworkCredential method from the PSCredential object. It returns the user name and the domain name.

image

In this step, we can use the following command to check the password

$credential.GetNetworkCredential() | fl *

image

Or the following command: $credential.GetNetworkCredential().password

image

So if we recap our scenario, we can use the NetworkCredential object to expose the password.

There are many ways to encrypt the password using PowerShell or even use Multi-Factor Authentication (yes, for admins even from the local network).

Reveal Cloud Identity with PowerShell

by · August 25, 2017

PowerShell interface has amazing capabilities that can perform great and useful operations with servers and workstations. With Microsoft Office365 and Azure, the PowerShell is relevant than ever, and it does not matter which cloud service is used (EXO, SPSO, Azure, CRM, etc.)
Like any other system and platform, we’re using some identity before taking any actions. Most administrators use the simple way to login to the cloud services from the PowerShell interface without encrypting the password.
In this situation, when a hacker attacks the machine, he can expose the password with few PowerShell commands and less a minute.
Let us say that if the hacker is on your pc, you have a big problem, but now he can take your password and use the global admin on the cloud to perform any actions he wants.

How to expose password

When the admin logins to the cloud services, he uses the get-credentials command and some variable of $cred before. Once using this method, the password is “available” for the hacker.
The problem with the Get-Credential cmdlet is that it returns a PSCredential object. In itself, this is not an issue, but it does mean that I can only use the credential object for cmdlets and for other items that know what a PSCredential object is.
Let us start and first connect to the cloud by getting credentials with the following command: $credential=Get-Credential
image
Once I typed my password, we can start to expose the real password behind the scene.
The next step is to know who is the user that we’re using with the following command:
$credential.UserName
image
Now I want the expose the password, but when I’m using this command, I received the following result:

$credential.Password or even using $credential.Password.ToString()

image
Let’s use the command of $credential.Password | ConvertFrom-SecureString to expose the password, and even this won’t help us (but it looks different)
image
So let’s go back to the PSCredential object itself and try again and use the command GetNetworkCredential method from the PSCredential object. It returns the user name and the domain name.
image
In this step, we can use the following command to check the password

$credential.GetNetworkCredential() | fl *

image
Or the following command: $credential.GetNetworkCredential().password
image
So if we recap our scenario, we can use the NetworkCredential object to expose the password.
There are many ways to encrypt the password using PowerShell or even use Multi-Factor Authentication (yes, for admins even from the local network).

Tags:

You may also like...

Leave a Reply

error: Content is Protected !!
%d bloggers like this: