DSAccount XML Serialization #96

Open
arnydo opened this issue Sep 6, 2019 · 5 comments

arnydo commented Sep 6, 2019

Working on auditing multiple domains and exported the results of Get-ADReplAccount via ... | Export-CliXML report.xml.

Upon importing the XML and piping to Test-PasswordQuality the following error is received.

Test-PasswordQuality : The input object cannot be bound to any parameters for the command either because the command
does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline
input.

The only difference I can see between the original object and the imported XML object is that the XML version is deserialized.

Is there any way that we can follow this process to import saved XMLs and then pipe them to Test-PasswordQuality?


Full process:

> Get-ADReplAccount -All -NamingContext "dc=domain,dc=io" -Server dc1 | Export-CLIXML report.xml

> Import-CLIXML report.xml | Test-PasswordQuality -WeakPasswordHashesSortedFile "file.txt"

MichaelGrafnetter changed the title from "Test-PasswordQuality : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input." to "DSAccount XML Serialization" on Sep 6, 2019

@MichaelGrafnetter
Owner

Hi @arnydo, for this to work, one would have to implement XML serialization in the DSAccount class and its subclasses. The default one does not go deep enough.
But even if it worked, I would strongly discourage anyone from using it. Writing password hashes of all accounts into a cleartext file and copying such files between computers might expose passwords and other sensitive data to an unwanted audience, which is a huge security risk.
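
Why the imported objects no longer bind, as an added example that is not part of the original thread or of the project's code: the hypothetical `DemoAccount` class and `Test-DemoAccount` function stand in for `DSAccount` and `Test-PasswordQuality`, and the object holds only constructed, non-sensitive values.

```powershell
# Hypothetical stand-in for a rich .NET type such as DSAccount (constructed for this example).
class DemoAccount {
    [string] $SamAccountName
    [bool]   $Enabled

    DemoAccount([string] $name, [bool] $enabled) {
        $this.SamAccountName = $name
        $this.Enabled        = $enabled
    }
}

# Hypothetical cmdlet that accepts pipeline input by type, as a strongly typed
# -Account style parameter would.
function Test-DemoAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [DemoAccount] $Account
    )
    process { "Bound: $($Account.SamAccountName)" }
}

$live = [DemoAccount]::new('alice', $true)   # constructed sample value
$live | Test-DemoAccount                     # live object: binds by type

$path = Join-Path ([System.IO.Path]::GetTempPath()) 'demo-account.xml'
try {
    $live | Export-Clixml -Path $path
    $restored = Import-Clixml -Path $path

    # The round trip does not rebuild a DemoAccount. Import-Clixml returns a
    # property bag whose type name carries the "Deserialized." prefix.
    'Live type     : ' + $live.PSObject.TypeNames[0]
    'Imported type : ' + $restored.PSObject.TypeNames[0]

    # The property bag is not a DemoAccount and cannot be converted to one,
    # so pipeline binding to the typed parameter is rejected.
    try {
        $restored | Test-DemoAccount -ErrorAction Stop
    }
    catch {
        'Binding failed: ' + $_.FullyQualifiedErrorId
    }
}
finally {
    Remove-Item -Path $path -ErrorAction SilentlyContinue
}
```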

@arnydo
Author

arnydo commented Sep 6, 2019

Good point. Trying to compare against HIBP list and didn't want to lug the 20+ GB file around.
I will find an alternative that doesn't jeopardize the sensitive info.

Thank you!

@MichaelGrafnetter
Owner

It is recommended to have a dedicated Privileged Access Workstation for this purpose. In a multi-forest environment, you could either use runas /netonly... or Get-ADReplAccount -Credential... to connect to DCs under different identities.

BTW, I am working on cross-domain password duplicate discovery using Test-PasswordQuality.

@arnydo
Author

arnydo commented Sep 9, 2019

> BTW, I am working on cross-domain password duplicate discovery using Test-PasswordQuality.

This would be great. Looking forward to it!

Considering the security implications for the proposed task...this issue can be closed, unless you had another idea.

Thanks again.

@MichaelGrafnetter
Owner

Well, I still want to implement Export-CliXml support, because I have never done such a thing and I want to learn how to do it. So I will leave this issue open as a reminder for myself.
