Passing a Password Variable

Hello,
I'm trying to run an uninstaller that requires a password to work properly. I can make it work by feeding the password in the command line field as normal, but I would prefer to store it as a secure variable. Is this possible to do natively in PDQ? I've been stumbling through passing an AES encrypted password file and then trying to read it, but I'm hoping for an easier way.


1

Comments

6 comments
  • No, Deploy can't do that natively. It sounds like you already found this blog, but just in case: https://www.pdq.com/blog/secure-password-with-powershell-encrypting-credentials-part-2/

    1
  • I was afraid you'd say that. Yes, I've been working with that blog post. I think that works correctly, but this particular .exe installer doesn't like being called from PowerShell.

    I'm pretty sure I'm just formatting my PowerShell incorrectly and this is purely a PowerShell issue at this point. Attempting to create the script in ISE and running it locally, it seems like it doesn't run the same as it does from PDQ.

    I've tried different forms of passing arguments:
    & .\installer.exe /silentswitch /otherswitch /uninstallpassword $password
    .\installer.exe /silentswitch /otherswitch /uninstallpassword $password
    Start-Process ".\installer.exe" -ArgumentList "/silentswitch /otherswitch /uninstallpassword $password"
    Start-Process ".\installer.exe" -ArgumentList "/silentswitch","/otherswitch","/uninstallpassword $password"
    and so on.

    1
  • Does it throw an error, or does it just fail silently? Does the password have any special characters or spaces in it? Have you tried outputting the password (using a fake password) to make sure the decryption is working on the target?

    1
  • It fails silently. Hmm, yeah I didn't think to escape special characters. Uh, how can I even do that in a secure string?
    *2 seconds of Google later*
    I'll try a hex string and see how that goes, I guess?

    Yeah, when I've tried outputting the variable it just prints out "System.Security.SecureString", which I suspected was supposed to happen. Here's my current horrible code:

    $PasswordFile = "pass.txt"
    $KeyFile = "AES.key"
    $Key = Get-Content $KeyFile
    $CPass = (Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key)
    $app = '.\genericantivirusinstaller.exe'
    $arg1 = '/switch1'
    $arg2 = '/switch2'
    $arg3 = '/removeswitch 1'
    $arg4 = '/uninstallpassword ' + "$CPass"

    & $app $arg1 $arg2 $arg3 $arg4

    When I output $CPass is when I get the above-mentioned output. It might be that I've messed up the conversion of the password into a secure string. Even doing ConvertFrom-SecureString -AsPlainText throws an error....
    *An additional second of Google and caffeine-heightened reading comprehension*
    Okay, so I missed the fact that this parameter, -AsPlainText, was added in PowerShell 7... which I'm not running.

    I'll continue blundering through this until I find out where I went wrong.

    0
  • Oops. It's been a long time since I've worked with SecureString objects. I forgot that they made it difficult to convert them back to plaintext.

    https://stackoverflow.com/a/57431985

    Sorry about sharing that as a screenshot. Zendesk keeps marking my comment as spam when I try to post the actual text.

    0
  • Yep, that did it. I was able to get the plain text with the -AsPlainText parameter in PS 7, but I didn't have any intention of putting 7 on my endpoints.

    However, your code snippet worked for me! I was about to mess with BSTR, whatever that is. Thanks! Now, I've got a working Deploy package!

    0
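
The approach the thread converges on, as an added example for Windows PowerShell 5.1 (not code from the thread or from the linked answer): decrypt the AES-protected file, read the SecureString through a BSTR, and pass each installer switch as its own argument. File names and switches are the placeholders used above; that the key file holds one byte value per line and that the installer accepts a switch and its value as separate tokens are assumptions.

```powershell
# Added example. Paths and switches are the thread's placeholders, resolved
# relative to the script so the package's working directory does not matter.
$PasswordFile = Join-Path $PSScriptRoot 'pass.txt'
$KeyFile      = Join-Path $PSScriptRoot 'AES.key'
$App          = Join-Path $PSScriptRoot 'genericantivirusinstaller.exe'

# Assumption: the key file holds one byte value per line (16, 24 or 32 lines).
[byte[]]$Key = Get-Content -Path $KeyFile
$Secure = Get-Content -Path $PasswordFile | ConvertTo-SecureString -Key $Key

# "$Secure" in a string only yields the type name System.Security.SecureString.
# 5.1 has no ConvertFrom-SecureString -AsPlainText, so copy the value into an
# unmanaged BSTR, read it, then zero and free that buffer.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try {
    $Plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
}
finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# One array element per token. '/uninstallpassword ' + $Plain as a single
# string reaches the installer as one quoted argument, which many installers
# reject without any error. A value containing spaces stays one argument.
$InstallerArgs = @('/switch1', '/switch2',
                   '/removeswitch', '1',
                   '/uninstallpassword', $Plain)

try {
    & $App @InstallerArgs
    $code = $LASTEXITCODE   # surface the installer's result to the deployment
}
finally {
    # The plaintext still appears on the installer's command line (process
    # listings, command-line audit logging); drop it from this session at least.
    Remove-Variable Plain, InstallerArgs -ErrorAction SilentlyContinue
}
exit $code
```

Anyone who can read both AES.key and pass.txt can recover the password, so the two files need the same access restrictions as the password itself.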
