Reversing PowerShell 'SecureString' For Fun And Profit

Something that I needed to do in an engagement recently and thought it might be useful to you guys. Here's a little function and demonstration to show just how insecure it is to store an encrypted PowerShell 'SecureString' WITH the key to decrypt it in a script file (or anywhere for that matter)

Just goes to show that no matter how secure a technology you create, in the end it all comes down to the underpaid, overworked IT staff that have to implement it, and the managerial guidelines that they need to work within.

# Reverse-SecureString

Version: 1.0 (20130729)

Created By: Glenn 'devalias' Grant (http://devalias.net)

License: The MIT License (MIT) - Copyright (c) 2013 Glenn 'devalias' Grant (see http://choosealicense.com/licenses/mit/ for full license text)

function Reverse-SecureString([string]$secureString,[string]$key) { $objSecString=ConvertTo-SecureString -String $secureString -Key ([Byte[]]$key.Split(" ")) $secString=[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($objSecString) $plaintext=[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($secString) return $plaintext }

Example SecureString decryption

$password = "76492d1116743f0423413b16050a5345MgB8AFAAVwBiAGkAegBjAEcANQA5AEMAOABVAFoAUQBoADMAZAA1AEUAcgBGAHcAPQA9AHwAYgAxAGUAYwA0AGQA YwBkADUANQAwAGUAYQBmADYAMwA5AGEANwAyADAAMwBmADAANwA3AGUANgA3ADYAYgA0AGIANgA4ADYAZAA3ADkAZgBkAGYAMgAzADcAMQA2ADkAYgA3AGMA YwA0AGUAZQA1AGIANAA5ADEAZABjADQAZQA5ADgANQAxADUAYwBmADgAZQBjADMAMgBmADgANgBhADAANQBlADAANgBkAGIAZABlAGMAZAA2ADcAMwBmAGYA YwA5ADMAZQAwADYAZAA5AGMAMwAyAGUANgAyAGUAMAA3ADcAYgBkADIAYQAzAGIAOAA3ADQAMwA2ADIAMAA2AA==" $key = "114 138 230 113 215 43 58 173 155 129 196 29 105 162 10 25 187 79 18 221 142 29 155 43 28 20 19 40 103 83 110 240" $passPlaintext = Reverse-SecureString "$password" "$key" Write-Host $passPlaintext # This should output: TotallySecurePasswordLol!