```powershell
$password = Get-Content 'c:\temp\tmp1\pw.dat' | ConvertTo-SecureString
& "C:\Program Files\PuTTY\pscp.exe" -P 2222 -pw $password 'c:\temp\tmp1\test.txt' 'root@localhost:/home/root/temp'
```

The above code just hung; however, the code below worked.

```powershell
$password='mypw'
& "C:\Program Files\PuTTY\pscp.exe" -P 2222 -pw $password 'c:\temp\tmp1\test.txt' 'root@localhost:/home/root/temp'
```

Any suggestions? I do not think I typed the password wrong since I did it several times. Furthermore, I would expect an error message if the password was typed wrong. By the way, the objective of the script is to transfer the file to a Linux box.

Seaport
  • What do you expect should happen when you pass a `SecureString` as a command-line parameter to an executable? That it will be replaced with the plaintext content of the `SecureString`? (Hint: it does not.) – user4003407 May 09 '19 at 16:21
  • @PetSerAl, I understand your point. My intention is to protect the password of the Linux root. Maybe SecureString is not the right technique to use? I admit that so far all the example code I have found on SecureString is about using it to create a credential object. If I am on the wrong path, is there another way to protect the password? – Seaport May 09 '19 at 16:36
  • Is the password in plain text in pw.dat? Also, will you be the only person running this script from the same user? – ArcSet May 09 '19 at 16:39
  • @PetSerAl. All your questions are right to the point. The pw.dat file is generated from the code `read-host -AsSecureString | ConvertFrom-SecureString | out-file`. My Windows login will run the script all the time, either manually or via a scheduled task. – Seaport May 09 '19 at 16:45
  • OK, I have a solution for you then. Give me a sec to write it. – ArcSet May 09 '19 at 16:53

1 Answer

As stated in a comment, the .dat file is created using

```powershell
read-host -AsSecureString | ConvertFrom-SecureString | out-file
```

So there are 2 ways I know of doing this.

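```powershell
# Prompt for the password and serialize it to an encrypted string
$EncryptedString = read-host -AsSecureString | ConvertFrom-SecureString
# Turn the encrypted string back into a SecureString
$SecureString = $EncryptedString | ConvertTo-SecureString
# Copy the SecureString content to unmanaged memory and get a pointer to it
$Pointer = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
# Read the bytes at the pointer back as a managed string
$PlainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($Pointer)
# Zero and free the unmanaged copy once it has been read
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Pointer)
$PlainTextPassword
```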

The secret here is the `[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)`, which turns the string into bytes and returns a pointer to where it is located.

The next part, `[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($Pointer)`, goes to the pointer and turns the bytes into a string.

The other way would be turning the secure string into a PSCredential.

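```powershell
# Prompt for the password and serialize it to an encrypted string
$EncryptedString = read-host -AsSecureString | ConvertFrom-SecureString
# Turn the encrypted string back into a SecureString
$SecureString = $EncryptedString | ConvertTo-SecureString
# The user name is a dummy value; only the password is read back
$PlainTextPassword = ([PsCredential]::new("DoesntMatter",$SecureString)).GetNetworkCredential().Password
$PlainTextPassword
```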

This turns the Secure String into a PSCredential where you can get the NetworkCredential's password which is in plain text.

ArcSet
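The answer's first method applied to the question's `pscp` call, as an added example that is not part of the original answer. It assumes the paths, port and host from the question; the helper name `ConvertTo-PlainText`, the use of `PtrToStringBSTR` in place of `PtrToStringAuto`, and the `-batch` switch (which disables pscp's interactive prompts) are additions.

```powershell
# Added example. Paths, port and host are the ones from the question.
$pwFile = 'c:\temp\tmp1\pw.dat'
$pscp   = 'C:\Program Files\PuTTY\pscp.exe'

# One-time setup, run interactively as the account that will run the script:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File $pwFile
# Without -Key, ConvertFrom-SecureString protects the value with Windows DPAPI,
# so only the same user on the same machine can decrypt pw.dat.

# Hypothetical helper: returns the plaintext of a SecureString and always
# zeroes and frees the unmanaged copy, even if the conversion throws.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][System.Security.SecureString]$SecureString)
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
    }
}

$secure = Get-Content $pwFile | ConvertTo-SecureString

# Passing $secure itself to a native program sends the type name
# "System.Security.SecureString", not the password, so convert it first.
$plain = ConvertTo-PlainText $secure
try {
    # -batch: no interactive prompts, so a failure returns a non-zero exit code.
    # The password is visible in pscp's command line while the process runs.
    & $pscp -batch -P 2222 -pw $plain 'c:\temp\tmp1\test.txt' 'root@localhost:/home/root/temp'
    if ($LASTEXITCODE -ne 0) { throw "pscp exited with code $LASTEXITCODE" }
}
finally {
    # Drops the reference only; the managed string stays in memory until collected.
    Remove-Variable plain
}
```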