DSInternals
DSAccount XML Serialization
Working on auditing multiple domains and exported the results of Get-ADReplAccount via ... | Export-CliXML report.xml.
Upon importing the XML and piping to Test-PasswordQuality the following error is received.
Test-PasswordQuality : The input object cannot be bound to any parameters for the command either because the command
does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline
input.
The only difference I can see between the original object and the imported XML object is that the XML version is deserialized.
Is there any way that we can follow this process to import saved XMLs and then pipe them to Test-PasswordQuality?
Full process:
> Get-ADReplAccount -All -NamingContext "dc=domain,dc=io" -Server dc1 | Export-CLIXML report.xml
> Import-CLIXML report.xml | Test-PasswordQuality -WeakPasswordHashesSortedFile "file.txt"
Hi @arnydo, for this to work, one would have to implement XML serialization in the DSAccount class and its subclasses. The default one does not go deep enough. But even if it worked, I would strongly discourage anyone from using it. Writing password hashes of all accounts into a cleartext file and copying such files between computers might expose passwords and other sensitive data to an unwanted audience, which is a huge security risk.
Good point. Trying to compare against HIBP list and didn't want to lug the 20+ GB file around. I will find an alternative that doesn't jeopardize the sensitive info.
Thank you!
It is recommended to have a dedicated Privileged Access Workstation for this purpose. In a multi-forest environment, you could either use runas /netonly... or Get-ADReplAccount -Credential... to connect to DCs under different identities.
BTW, I am working on cross-domain password duplicate discovery using Test-PasswordQuality.
This would be great. Looking forward to it!
Considering the security implications for the proposed task...this issue can be closed, unless you had another idea.
Thanks again.
Well, I still want to implement Export-CliXml support, because I have never done such a thing and I want to learn how to do it. So I will leave this issue open as a reminder for myself.
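Why objects restored by Import-Clixml fail to bind to a typed pipeline parameter, as an added example that is not part of the original thread and is not DSInternals code. `DemoAccount` and `Test-Demo` are hypothetical stand-ins for `DSAccount` and `Test-PasswordQuality`, and the sample data is constructed and non-sensitive.

```powershell
# Hypothetical stand-in for a typed account object; not DSInternals code.
class DemoAccount {
    [string]   $SamAccountName
    [string[]] $Groups
    # No parameterless constructor, so PowerShell cannot rebuild the type
    # from a property bag during parameter binding.
    DemoAccount([string] $name, [string[]] $groups) {
        $this.SamAccountName = $name
        $this.Groups = $groups
    }
}

# Hypothetical stand-in for a cmdlet that accepts only the live type.
function Test-Demo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [DemoAccount] $Account
    )
    process { "bound: $($Account.SamAccountName)" }
}

$live = [DemoAccount]::new('alice', @('Domain Users'))   # constructed sample
$path = Join-Path ([IO.Path]::GetTempPath()) 'demo-account.xml'
try {
    $live | Export-Clixml -Path $path
    $restored = Import-Clixml -Path $path

    # The round trip yields a property bag, not an instance of the class.
    "live type:      $($live.GetType().FullName)"
    "restored type:  $($restored.PSTypeNames[0])"
    "is DemoAccount: $($restored -is [DemoAccount])"

    $live | Test-Demo
    $restored | Test-Demo -ErrorAction Stop
}
catch {
    # Report the binding error raised for the deserialized object.
    "binding failed: $($_.FullyQualifiedErrorId)"
}
finally {
    Remove-Item -Path $path -ErrorAction SilentlyContinue
}
```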