Powershell Things

Just some things that I thought were interesting that you can do with PowerShell.

Insecure ways to access windows credential passwords

One of the great things about PowerShell is that you can prompt the user for credentials using the standard Windows credential dialog. I did not realize how insecure these credentials are. In the following snippets the user is prompted for a username and password, and the password is stored in a "secure string". A SecureString only protects the value while it sits in memory; any code running in the same session as the user can convert it straight back to plain text.

In the first example you access the password through the GetNetworkCredential() method, which hands it back in plain text:

$cred = Get-Credential
$cred.GetNetworkCredential().Password
$cred.GetNetworkCredential() | fl *

Here we do the same thing, but use SecureStringToBSTR to copy the secret into unmanaged memory and then read it back through the pointer:

$cred = Get-Credential
$UserName = $cred.UserName
# Copy the SecureString into an unmanaged BSTR (a plain-text copy in memory)
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password)
try {
    # Read the plain-text string back through the pointer
    $Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
} finally {
    # Zero and free the unmanaged copy so the plain text does not linger in memory
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
}

Nmap fun

Did you know you can ingest nmap scans directly into PowerShell? You can! With nmap's -oX - flag (XML output to stdout) and PowerShell's [xml] cast, the whole scan becomes a navigable PowerShell object.

# Nmap must be installed
# winget install nmap
$scan = [xml]$(nmap 10.0.50.0/24 -F -T4 -oX -)
$hosts = $scan.nmaprun.host
$hosts | select @{l='Address';e={$_.address.addr}}, @{l='Ports';e={($_.ports.port.portid) -join ', '}}
$has80 = $hosts | ? {$_.ports.port.portid -eq 80}
$has80.address
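Taking the same [xml] approach a step further, the added example below (not code from the original page) parses an nmap XML document into inventory objects and keeps only ports whose state is open, rather than every port nmap listed. The $sampleXml here-string is a constructed, minimal nmap XML document so the snippet runs without nmap installed; swap it for [xml](nmap <target> -oX -) to process a live scan.

```powershell
# Constructed sample of nmap -oX output (not a real scan) so the code runs offline
$sampleXml = @'
<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.50.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.50.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.50.12" addrtype="ipv4"/>
  </host>
</nmaprun>
'@

# Hypothetical helper (not part of nmap or PowerShell): one object per live host
function ConvertFrom-NmapXml {
    param([Parameter(Mandatory)][xml]$Scan)
    foreach ($h in @($Scan.nmaprun.host)) {
        if ($h.status.state -ne 'up') { continue }   # skip hosts that did not respond
        # nmap lists filtered ports too; keep only those confirmed open
        $open = @($h.ports.port | Where-Object { $_.state.state -eq 'open' })
        [pscustomobject]@{
            Address   = ($h.address | Where-Object addrtype -eq 'ipv4').addr
            Hostname  = $h.hostnames.hostname.name
            OpenPorts = @($open | ForEach-Object { [int]$_.portid })
            Services  = @($open | ForEach-Object { "$($_.portid)/$($_.protocol) $($_.service.name)" })
        }
    }
}

$inventory = ConvertFrom-NmapXml -Scan ([xml]$sampleXml)
$inventory | Format-Table Address, Hostname, Services
# Hosts exposing RDP (3389): the kind of finding an exposure review wants flagged
$inventory | Where-Object { $_.OpenPorts -contains 3389 } | Select-Object Address, Hostname
```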

TCP / Ping with Test-NetConnection

You can also get nmap-like port checks through Test-NetConnection: with -Port it attempts a TCP connect to that port, and without -Port it sends an ICMP ping. It tests one port per call, so it is handy for spot checks rather than full sweeps.

$target = "google.com"
$ports = 80,443
$ports += 3389                  # append another port to the list
# One TCP connect per port, then a plain ping (no -Port), shown together as a table
$($ports | % {Test-NetConnection $target -Port $_}; Test-NetConnection $target) | ft