Well, to apply the concept, I have decided to extend System.Security.SecureString by creating a new Monad XML type file called "my.types.mshxml" (the name is from the Monad Technology blog) at $MshHome (for most people, it should be "C:\Program Files\Microsoft Command Shell\v1.0") and then extending SecureString to include a script property called UnsecureString.
UnsecureString decodes SecureString's content.
*NOTE: I won't go into detail on how you can view SecureString content. If you would like to know how to view a secure string's content and want to find out more about Windows Data Protection, please refer to the following sites:
- /\/\o\/\/'s blog: Get-credential and Decrypting a SecureString in MSH
- MSDN: Windows Data Protection (or follow the link on Mow's blog)
My.Types.Mshxml
<?xml version="1.0" encoding="utf-8" ?>
<Types>
  <Type>
    <Name>System.Security.SecureString</Name>
    <Members>
      <ScriptProperty>
        <Name>UnsecureString</Name>
        <GetScriptBlock>
          [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($this))
        </GetScriptBlock>
      </ScriptProperty>
    </Members>
  </Type>
</Types>
Then, as you see in the Monad Technology Blog, load the newly created custom type data:
Update-TypeData $MshHome\My.Types.Mshxml
Let's see if System.Security.SecureString has been extended or not:
MSH>$admin = get-credential administrator
MSH>($admin.password).getType().fullName
System.Security.SecureString
MSH>$admin.password | get-member -MemberType ScriptProperty | format-list
TypeName : System.Security.SecureString
Name : UnsecureString
MemberType : ScriptProperty
Definition : System.Object UnsecureString {get=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($this));}
Now, you can see that the SecureString type has been extended with "UnsecureString".
From this point on,
MSH>$admin.password
System.Security.SecureString
MSH>$admin.password.UnsecureString
*** secret ***
where *** secret *** is your decoded password string.
But this raises a couple of questions.
- Displaying a clear, unsecured string for the credential object is a security threat
- I can't answer the "IMPORTANT" note posted on the Monad Technology Blog site
<IMPORTANT POINT>
Whenever you are adding some functions, you should make a conscious decision about whether those functions are best exposed as a "function" or as a "type extension".
</IMPORTANT POINT>
Will anyone be able to justify the need for extending SecureString to display clear string?
Well, it's all up to you whether you want to or not. (I just like to mess around...)
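One way to approach the function-versus-type-extension question above is to expose the decoding as an explicit function, so the clear text is produced only when that function is called by name rather than being a property of every SecureString in the session. This is an added example in current PowerShell syntax, not code from the original post or from the Monad Technology Blog; the function name ConvertFrom-SecureStringToPlainText and the sample value are assumptions, and unlike the one-line script property it releases the unmanaged copy with ZeroFreeBSTR.

```powershell
# Added example (not from the original post). The function name is hypothetical.
function ConvertFrom-SecureStringToPlainText {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.SecureString] $SecureString
    )
    process {
        $bstr = [IntPtr]::Zero
        try {
            # SecureStringToBSTR copies the decrypted content into an
            # unmanaged BSTR that the caller is responsible for freeing.
            $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)

            # PtrToStringBSTR reads the string using the BSTR length prefix.
            [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        }
        finally {
            # Overwrite the unmanaged copy with zeros and free it, even if
            # the conversion above throws.
            if ($bstr -ne [IntPtr]::Zero) {
                [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
            }
        }
    }
}

# Constructed sample input so the example runs without prompting for a credential.
$sample = New-Object System.Security.SecureString
foreach ($c in 'constructed-sample'.ToCharArray()) { $sample.AppendChar($c) }
$sample.MakeReadOnly()

# The clear text exists only where the function is called explicitly.
$plain = $sample | ConvertFrom-SecureStringToPlainText
Write-Output ("Decoded {0} characters" -f $plain.Length)

# Drop the reference as soon as the value is no longer needed.
Remove-Variable plain
$sample.Dispose()
```

The returned .NET string is immutable and stays in managed memory until it is garbage collected, so keep it in as narrow a scope as possible.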