Finding Secret Passwords in Memory

by Sep 25, 2018

Some scripts may leave variables with sensitive information behind. This can happen by accident, when the global scope is used, or when users call functions and commands “dot-sourced”. Some of these variables may contain data such as user accounts and passwords that are highly attractive to hackers.

Here is a quick test that examines all variables in memory to find credentials, then returns the variable plus the username and clear-text password found inside of it:

Get-Variable | 
    Where-Object Value -is [System.Management.Automation.PSCredential] |
    ForEach-Object {
            Variable = '$' + $_.Name
            User = $_.Value.UserName
            Password = $_.Value.GetNetworkCredential().Password

To test-drive, create a variable with a credential:

PS> $test = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:

Then, run above code to find the variable in memory.

If you want to minimize this risk, make sure you remove all sensitive variables manually using Remove-Variable. Typically, you can trust the automatic garbage collection, but when it comes to sensitive data, attackers can use many ways to prevent variables from being disposed automatically. When you remove them manually, you are safe.

Twitter This Tip! ReTweet this Tip!