In the previous tip, we asked Active Directory to validate user account passwords. The same can be done with local accounts. Your PowerShell code can use local account passwords to manage access to scripts or partial script functionality. Of course, you could also use the code below to create your own brute-force password penetration tool.
By default, below script uses your current user name. Make sure $UserName is the user account name for a local user account:
# specify local user name and password to test $UserName = $env:USERNAME $Password = Read-Host -Prompt "Enter password to test" # test password Add-Type -AssemblyName System.DirectoryServices.AccountManagement $type = [DirectoryServices.AccountManagement.ContextType]::Machine $PrincipalContext = [DirectoryServices.AccountManagement.PrincipalContext]::new($type) $PrincipalContext.ValidateCredentials($UserName,$Password)
Your learning points:
- PowerShell can ask the local Windows user database to verify a password. This way, you can use Passwords maintained by Windows to decide whether a script should execute or what it should the user enable to do
- Keep in mind that it is bad security practice to ask users for their passwords because they cannot know what you are going to do with their password.
psconf.eu – PowerShell Conference EU 2019 – June 4-7, Hannover Germany – visit www.psconf.eu There aren’t too many trainings around for experienced PowerShell scripters where you really still learn something new. But there’s one place you don’t want to miss: PowerShell Conference EU – with 40 renown international speakers including PowerShell team members and MVPs, plus 350 professional and creative PowerShell scripters. Registration is open at www.psconf.eu, and the full 3-track 4-days agenda becomes available soon. Once a year it’s just a smart move to come together, update know-how, learn about security and mitigations, and bring home fresh ideas and authoritative guidance. We’d sure love to see and hear from you!