Security Testing for Powershell-Based Keypass

This topic is 7 years and 5 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
roebix3
Posts: 11
Last visit: Fri Jan 27, 2023 12:58 am

Security Testing for Powershell-Based Keypass

Post by roebix3 »

Hi there!

As suggested, I'm posting my request here:

I'm a 22-year-old ICT trainee in my second year in Switzerland.

One of my current projects is a Keypass written purely in PowerShell. It will be an open-source project for everyone. I have now finished my alpha and would like to test the security of my application.
Therefore I'm looking for testers who would like to test my program.

Are any of you interested in giving it a try and testing the security of my application?
That way I could learn a lot from my mistakes and enhance my skills.

Finally, I want to help other trainees acquire programming skills and show with my example how they can start such a project.

If you want, I can tell you more about the encryption methods I'm using.

I hope you like my idea. (-:

Greets.

PS: I'm so sorry for my bad English.
dan.potter
Posts: 709
Last visit: Wed Nov 14, 2018 11:39 am

Re: Security Testing for Powershell-Based Keypass

Post by dan.potter »

Sure, post your PSF here.
roebix3
Posts: 11
Last visit: Fri Jan 27, 2023 12:58 am

Re: Security Testing for Powershell-Based Keypass

Post by roebix3 »

dan.potter wrote: Sure, post your PSF here.
It's a multi-form project; shall I make a post for every file?

/edit: I'll post a OneDrive link here.

https://1drv.ms/u/s!AiamppDdqWJW1BRG83knXFXdu8VO

Here's the link to the alpha. (-:
Last edited by roebix3 on Mon Oct 03, 2016 12:18 pm, edited 2 times in total.
dan.potter
Posts: 709
Last visit: Wed Nov 14, 2018 11:39 am

Re: Security Testing for Powershell-Based Keypass

Post by dan.potter »

You can zip it and post it if you want.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Security Testing for Powershell-Based Keypass

Post by jvierra »

The OneDrive link does not work. Post the PSF or project in this forum.
roebix3
Posts: 11
Last visit: Fri Jan 27, 2023 12:58 am

Re: Security Testing for Powershell-Based Keypass

Post by roebix3 »

dan.potter wrote: You can zip it and post it if you want.
I just updated the link.
roebix3
Posts: 11
Last visit: Fri Jan 27, 2023 12:58 am

Re: Security Testing for Powershell-Based Keypass

Post by roebix3 »

Maybe I'll tell you something about the way I encrypt the passwords and how the authentication works:

For authentication, I'm hashing the MasterKey with HMAC and comparing it against that.

By default I encrypt the passwords with Rijndael (AES).
For each "database" I create a new initialization vector.
To make sure you can't use password-guessing attacks, I'm generating a random 512-byte array for each password.
For the password itself I'm using the DB-IV.
I'm generating the salt in a special way:
I take the DB-IV and the MasterKey in the non-HMAC form, put them together and hash them with HMAC. The resulting HMAC key is my salt.

For generating the AES key I'm also using the non-HMAC form of the MasterKey.

The encrypted password itself is, in the end, a concatenation of the 512-byte array converted to a string with the password I want to encrypt.

In this way I think I can make sure there's no way to guess the MasterKey.
Even if you have the source code you won't be able to decrypt the passwords without the original MasterKey.

There's only one problem I see at the moment: I have to save the MasterKey in a variable. I still haven't found a better workaround for that.

Hope this information is helpful for you!
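The scheme described in the post above, written out as an added example in the form a security reviewer would hand back. This is not code from roebix3's alpha or project; the function names (New-VaultKeys, Protect-VaultEntry, Unprotect-VaultEntry, Test-FixedTimeEquals) and the blob layout IV || ciphertext || tag are assumptions made here. It keeps the ingredients the post names (a master key, AES, an IV, a salt, an HMAC used for the unlock check) but derives the keys with PBKDF2, uses a fresh IV per entry instead of one per database, authenticates the ciphertext with HMAC-SHA256 before decrypting, and compares the unlock verifier in constant time.

```powershell
# Added example, not code from roebix3's alpha. It implements the design
# described in the post above in the form a reviewer would recommend:
#  - master password -> keys via PBKDF2-HMAC-SHA256 (the iteration count is
#    what slows password guessing; a random filler array does not)
#  - AES-256-CBC with a fresh random IV per entry, not one IV per database
#  - HMAC-SHA256 over IV||ciphertext, checked before decrypting
#  - a separately derived verifier for the unlock check, never the key itself
# Function names and the blob layout (IV || CT || TAG) are invented here.

function ConvertTo-PlainBytes {
    # Briefly exposes a SecureString as UTF-8 bytes; the caller must zero them.
    param([Parameter(Mandatory)][securestring]$Secret)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try     { [Text.Encoding]::UTF8.GetBytes([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-FixedTimeEquals {
    # Constant-time comparison so a wrong tag or verifier leaks nothing by timing.
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function New-VaultKeys {
    param(
        [Parameter(Mandatory)][securestring]$MasterPassword,
        [Parameter(Mandatory)][byte[]]$Salt,        # random per vault, stored in clear
        [int]$Iterations = 600000
    )
    $pw = [byte[]](ConvertTo-PlainBytes $MasterPassword)
    try {
        $kdf = [Security.Cryptography.Rfc2898DeriveBytes]::new(
            $pw, $Salt, $Iterations, [Security.Cryptography.HashAlgorithmName]::SHA256)
        $okm = $kdf.GetBytes(96)                    # 32 AES key + 32 MAC key + 32 verifier
        $kdf.Dispose()
    } finally { [Array]::Clear($pw, 0, $pw.Length) }
    [pscustomobject]@{
        AesKey   = [byte[]]$okm[0..31]
        MacKey   = [byte[]]$okm[32..63]
        Verifier = [byte[]]$okm[64..95]             # store with the vault; compare at unlock
    }
}

function Protect-VaultEntry {
    param([Parameter(Mandatory)]$Keys, [Parameter(Mandatory)][string]$Plaintext)
    $aes = [Security.Cryptography.Aes]::Create()    # CBC + PKCS7 by default
    $aes.Key = $Keys.AesKey
    $aes.GenerateIV()                               # new random IV for every entry
    $pt = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    [Array]::Clear($pt, 0, $pt.Length)
    $iv = $aes.IV
    $aes.Dispose()
    $hmac = [Security.Cryptography.HMACSHA256]::new($Keys.MacKey)
    $tag  = $hmac.ComputeHash([byte[]]($iv + $ct))  # encrypt-then-MAC
    $hmac.Dispose()
    [Convert]::ToBase64String([byte[]]($iv + $ct + $tag))
}

function Unprotect-VaultEntry {
    param([Parameter(Mandatory)]$Keys, [Parameter(Mandatory)][string]$Blob)
    $raw = [Convert]::FromBase64String($Blob)
    if ($raw.Length -lt 64) { throw 'Vault entry too short' }   # 16 IV + 16 CT + 32 TAG
    $iv  = [byte[]]$raw[0..15]
    $ct  = [byte[]]$raw[16..($raw.Length - 33)]
    $tag = [byte[]]$raw[($raw.Length - 32)..($raw.Length - 1)]
    $hmac = [Security.Cryptography.HMACSHA256]::new($Keys.MacKey)
    $expected = $hmac.ComputeHash([byte[]]($iv + $ct))
    $hmac.Dispose()
    # Reject tampered data before any decryption or padding check happens.
    if (-not (Test-FixedTimeEquals $expected $tag)) { throw 'Vault entry failed integrity check' }
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = $Keys.AesKey
    $aes.IV  = $iv
    $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    $text = [Text.Encoding]::UTF8.GetString($pt)
    [Array]::Clear($pt, 0, $pt.Length)
    $text
}

# --- constructed demo; the password and entry below are not real secrets ---
$salt = [byte[]]::new(16)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$master = ConvertTo-SecureString 'correct horse battery staple' -AsPlainText -Force
$keys   = New-VaultKeys -MasterPassword $master -Salt $salt
$blob   = Protect-VaultEntry -Keys $keys -Plaintext 'hunter2'
Unprotect-VaultEntry -Keys $keys -Blob $blob
# Unlock check: re-derive from the typed password and compare verifiers.
$again = New-VaultKeys -MasterPassword $master -Salt $salt
Test-FixedTimeEquals $again.Verifier $keys.Verifier
# Flip one ciphertext byte: the HMAC check throws before AES ever runs.
$bad = [Convert]::FromBase64String($blob); $bad[20] = $bad[20] -bxor 1
try { Unprotect-VaultEntry -Keys $keys -Blob ([Convert]::ToBase64String($bad)) } catch { $_.Exception.Message }
```

Two points a tester would raise against this design are worth stating in prose. First, only the PBKDF2 salt and iteration count make master-key guessing slow; a random 512-byte prefix inside the plaintext adds nothing to that, because the attacker only needs to test candidate master keys against the stored verifier. Second, the "MasterKey in a variable" problem does not go away: the derived keys have to exist in memory while the vault is open, and the intermediate .NET string produced when reading a SecureString cannot be wiped. What can be done is to keep the password bytes alive only for the key derivation, zero them afterwards, and hold the derived keys rather than the password.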
dan.potter
Posts: 709
Last visit: Wed Nov 14, 2018 11:39 am

Re: Security Testing for Powershell-Based Keypass

Post by dan.potter »

Export-Clixml output is already encrypted and can only be opened by the user and computer that generated it.

I have used a similar function to store passwords in SQL, but for my local credsafe I just use the Export-Clixml functionality. Upon opening, I authenticate my smartcard with a PIN and start a timer to detect when my computer is locked (which I always do). When I unlock my computer and try to access the credsafe, I'm prompted to re-authenticate. If the smartcard is authenticated and the username on the smartcard matches the hardcoded username in the script, I can continue; otherwise the form is closed.

I would recommend clearing the clipboard after five seconds or so.
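The two mechanisms dan.potter's post relies on, as an added example that is not his script: persisting a PSCredential with Export-Clixml so the password stays a DPAPI-protected SecureString, and copying a password to the clipboard with a delayed, conditional clear. The file path and the function names are assumptions; the smartcard re-authentication is not shown.

```powershell
# Added example, not dan.potter's credsafe. The path, account name and
# function names are invented for illustration.

$CredSafePath = Join-Path $env:LOCALAPPDATA 'credsafe.clixml'   # assumed location

function Save-CredSafe {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # On Windows the SecureString inside the credential is serialized with
    # DPAPI, bound to this user account on this machine: the file is useless
    # to another user or on another computer. On non-Windows PowerShell 7
    # there is no DPAPI and the password is NOT protected this way.
    $Credential | Export-Clixml -Path $CredSafePath
}

function Get-CredSafe {
    # Returns a PSCredential; the password stays a SecureString until used.
    Import-Clixml -Path $CredSafePath
}

function Copy-CredSafePassword {
    param([Parameter(Mandatory)][pscredential]$Credential, [int]$Seconds = 5)
    # The plaintext .NET string below cannot be zeroed; keep its lifetime short.
    $plain = $Credential.GetNetworkCredential().Password
    Set-Clipboard -Value $plain
    Start-Sleep -Seconds $Seconds
    # Clear only if the clipboard still holds our value, so something the user
    # copied in the meantime is left alone.
    if ((Get-Clipboard -Raw) -eq $plain) {
        Add-Type -AssemblyName System.Windows.Forms
        [System.Windows.Forms.Clipboard]::Clear()
    }
    Remove-Variable plain
}

# constructed usage: store once, then read back and copy with auto-clear
Save-CredSafe -Credential (Get-Credential -UserName 'svc-demo' -Message 'Password to store')
$cred = Get-CredSafe
Copy-CredSafePassword -Credential $cred -Seconds 5
```

The conditional clear matters in practice: an unconditional wipe after a fixed timer will occasionally destroy something the user copied a moment later. Note also that DPAPI protects the file at rest against other accounts and machines, not against code already running as the same user, which is why the post adds a smartcard re-authentication step on top of it.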