Powershell验证本地凭据

时间:2014-11-07 19:00:50

标签: powershell passwords wmi remote-access password-encryption

因此,在我的脚本中,我不仅希望用户在变量中输入和存储凭据,还能够验证密码是否与目标系统上的管理员密码相匹配。到目前为止,我发现这样做的唯一方法是将未加密的实际密码放在脚本中,并将其与用户输入的密码进行比较。这是一个巨大的安全漏洞,为了解决这个问题,我想知道我是否可以使用gwmi查询(SID?)作为对象来获取管理员密码,并将其与用户输入的安全字符串进行比较。

这是我现在使用的有缺陷的代码。

Do
{
    $password = $null
    $password = read-host "Enter the Administrator Password" -assecurestring
    $AdminPass = ConvertTo-SecureString "adminpassword" -AsPlainText -Force
    $pwd1_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
    $pwd2_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($AdminPass))
    if ($pwd1_text -cne $pwd2_text) {Write-Host -ForegroundColor Red "Incorrect Password"; $password = $null}
    $count ++
    $tries = 3 - $count
    if ($password -eq $null) {Write-Host -ForegroundColor Yellow "$tries Attempts Remaining"}
    if ($count -eq 3) {Write-Host -ForegroundColor Red "$count Unsuccessful Password Attempts. Exiting..."; exit} 
}While ($password -eq $null)
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist "$ComputerName\Administrator",$password

1 个答案:

答案 0 :(得分:1)

这是我编写的一个函数,它针对域或本地计算机测试PSCredential对象:



 
function Test-Credential {
<#
	.SYNOPSIS
		Takes a PSCredential object and validates it against the domain (or local machine, or ADAM instance).

	.PARAMETER cred
		A PScredential object with the username/password you wish to test. Typically this is generated using the Get-Credential cmdlet. Accepts pipeline input.
		
	.PARAMETER context
		An optional parameter specifying what type of credential this is. Possible values are 'Domain' for Active Directory accounts, and 'Machine' for local machine accounts. The default is 'Domain.'
	
	.OUTPUTS
		A boolean, indicating whether the credentials were successfully validated.

	.NOTES
		Created by Jeffrey B Smith, 6/30/2010
#>
	param(
		[parameter(Mandatory=$true,ValueFromPipeline=$true)]
		[System.Management.Automation.PSCredential]$credential,
		[parameter()][validateset('Domain','Machine')]
		[string]$context = 'Domain'
	)
	begin {
		Add-Type -AssemblyName System.DirectoryServices.AccountManagement
		$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::$context) 
	}
	process {
		$DS.ValidateCredentials($credential.GetNetworkCredential().UserName, $credential.GetNetworkCredential().password)
	}
}
&#13;
&#13;
&#13;

如果要对远程计算机上的本地帐户进行测试,则需要在远程计算机上加载此功能,并根据本地&#39;本地&#39;来测试凭据。机器通过远程处理(Invoke-Command),但它应该是可能的。

相关问题
最新问题