👾 Overview

PowerShell Credential Objects, or PSCredentials, are objects which “securely” store a username and password for a user. The username is stored in cleartext, and the password is stored in a SecureString which is easily converted back to cleartext. These objects can be used to execute commands as a given user, but they can also be stored in files, allowing you to extract the underlying username and password.

📂 Extracting Credentials from XML

PSCredentials can be exported to an XML file with the Export-Clixml commandlet, which exports the username in cleartext, and a representation of the SecureString password.

Here’s an example file from the chain Lustrous on VulnLab for the local administrator on the machine LUSMS:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\Administrator</S>
      <SS N="Password">[SNIPPED]</SS>
    </Props>
  </Obj>
</Objs>

To extract the password we need to load this file as a PSCredential Object, and use GetNetworkCredential to display the password.

# 1. Load the file as a Credential Object
$credObject = Import-Clixml -Path .\[Your XML File].xml
 
# 2. Display the username and password
$credObject.GetNetworkCredential() | fl

Example output:

*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $credObject.GetNetworkCredential() | fl
 
UserName       : Administrator
Password       : [SNIPPED]
SecurePassword : System.Security.SecureString
Domain         : LUSMS
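As an added example (not part of the original notes), a defender-side script that hunts a directory tree for Export-Clixml output containing serialized PSCredential objects, keyed on the <TN>/<T> type name and <Props> layout shown above. It reports the file, its owner and the stored username without ever decrypting the password; the search root is a placeholder.

```powershell
# Added example: find Export-Clixml files holding serialized PSCredential objects.
# The password is never decrypted; only the username and file metadata are reported.
$SearchRoot     = 'C:\Users'   # placeholder: directory tree to scan
$PSCredTypeName = 'System.Management.Automation.PSCredential'
$CliXmlNs       = 'http://schemas.microsoft.com/powershell/2004/04'

function Find-StoredPSCredential {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.xml -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            # Parse as plain XML instead of Import-Clixml: Import-Clixml would decrypt the
            # <SS> password with the current user's DPAPI key, which a scan should not do.
            [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
        } catch { return }

        # Only CLIXML documents carry the PowerShell serialization namespace
        if ($doc.DocumentElement.NamespaceURI -ne $CliXmlNs) { return }

        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('ps', $CliXmlNs)

        # Every <Obj> whose type-name list includes PSCredential is a serialized credential
        foreach ($obj in $doc.SelectNodes("//ps:Obj[ps:TN/ps:T='$PSCredTypeName']", $ns)) {
            $userNode = $obj.SelectSingleNode("ps:Props/ps:S[@N='UserName']", $ns)
            $userName = if ($userNode) { $userNode.InnerText } else { '<missing>' }
            $hasPw    = $null -ne $obj.SelectSingleNode("ps:Props/ps:SS[@N='Password']", $ns)

            [pscustomobject]@{
                File        = $file.FullName
                Owner       = (Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue).Owner
                LastWrite   = $file.LastWriteTime
                UserName    = $userName
                HasPassword = $hasPw
            }
        }
    }
}

Find-StoredPSCredential -Path $SearchRoot | Format-Table -AutoSize
```

Because the serialized SecureString is DPAPI-protected for the exporting user on the exporting machine, a hit is most sensitive when the file's owner is a privileged account still active on that host.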

πŸ‘·β€β™‚ Creating a PSCredential

PSCredentials can be created using the Get-Credential commandlet. Get-Credential prompts for a password; the prompt can be avoided by converting a plaintext password to a SecureString with ConvertTo-SecureString and building the PSCredential directly with New-Object.

# Prompts for password
$credObject = Get-Credential -Credential [USERNAME]

# Doesn't prompt for password
$password = "[PASSWORD]" | ConvertTo-SecureString -AsPlainText -Force
$credObject = New-Object System.Management.Automation.PSCredential ('[USERNAME]', $password)

✨ Using PSCredentials

Besides extracting the stored password, a PSCredential can be passed to other commandlets to execute them as the given user. Many commandlets accept a -Credential parameter that takes the credential object.

Invoke-Command is uniquely useful because it will allow you to use a PSCredential on either a local or remote machine to run a command.

# Running 'whoami' with a credential on localhost
Invoke-Command -ComputerName "localhost" -Credential $credObject -ScriptBlock { whoami } 
 
# Running 'whoami' with a credential on a remote machine
Invoke-Command -ComputerName "[HOSTNAME or IP]" -Credential $credObject -ScriptBlock { whoami } 

πŸ“ Resources

🔗 Hyperlink       ℹ️ Info
Microsoft Learn    Export-Clixml usage.
Microsoft Learn    Get-Credential usage.