By j.dickey | Published
After developing the initial release of the KeePass open/close snippets, I wasn’t happy with the security surrounding them. Since these snippets are essentially the key to all of the service accounts used by FPS Ops, I needed to obfuscate the initial KeePass password a bit more so that it isn’t obvious to those who have a moderate level of access but shouldn’t have direct access to the passwords. The core protection the open/close snippets have is that they exist, encrypted, on a secure VM/device, so runtime access to that system is required to reach them. The flaw in this solution is that only a Get-KeePass CmdLet is required to retrieve the KeePass DB password, and running it requires no special access. It’s still somewhat secure, but an internal threat could easily open the DB through the UI after running the CmdLet. The solution needs another factor of authentication and a bit of obfuscation so that the process is tighter: even if you know how it works, it should still take some effort to piece together the data needed to extract a password from the system. Then I remembered that a couple of years ago I had started looking into images to assist with the password process.
Images are basically a fairly fat digital collection of bytes that can be used to hide software, or whatever you like, inside of. At first glance, the file looks like any standard image. Internally, though, code can exist that, once extracted, can perform a function, such as decrypting a password. The password within the image’s code has to be encrypted so that simply extracting it yields only one piece of the puzzle. The other piece has to exist off-VM, within the source FPS directory, and can be easily associated with the files on the local VM to build the key for decrypting the password. This creates a two-factor authentication situation with encryption and a good bit of obfuscation. In order to design the scenario, I’ll need a CmdLet that alters an image and a gallery of images to work with.
The shortcut PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web. It can either create a new image using only the payload data, or it can embed the payload in the least significant bits of an existing image so that it still looks like an actual picture when viewed. The image is saved as a PNG and can be losslessly compressed without affecting the ability to execute the payload, because the data is stored in the colors themselves. When creating new images, normal PowerShell scripts are actually significantly compressed, usually producing a .PNG with a file size of about 50% of the original script.
With the embed method, the least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent for larger images. It can accept most image types as input, but the output will always be a PNG because it needs to be lossless. Each pixel of the image holds one byte of script, so you will need an image with at least as many pixels as there are bytes in your script. This is easy to satisfy: for example, Get-KeePass fits into a 1920×1200 image.
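The embed layout just described, written out as an added example (this is not PSImage’s own code): one payload byte per pixel, split across the low nibble of two color values. Which two channels PSImage uses is not stated, so R and G are an assumption here, as is the 4-byte length prefix that tells the reader where the payload ends; it needs System.Drawing, so Windows PowerShell.

```powershell
# Added example, not PSImage's code. Assumptions: payload high nibble -> low 4 bits of R,
# low nibble -> low 4 bits of G; a 4-byte length prefix is written before the payload.
Add-Type -AssemblyName System.Drawing

function Write-LsbPayload {
    param([string]$InPath, [string]$OutPath, [byte[]]$Payload)
    $bmp  = [System.Drawing.Bitmap]::new($InPath)
    $data = [BitConverter]::GetBytes([int32]$Payload.Length) + $Payload
    $capacity = $bmp.Width * $bmp.Height            # one byte per pixel, as the post states
    if ($data.Length -gt $capacity) {
        $bmp.Dispose()
        throw "Payload needs $($data.Length) pixels but the image has only $capacity"
    }
    for ($i = 0; $i -lt $data.Length; $i++) {
        $x = $i % $bmp.Width
        $y = [int][math]::Floor($i / $bmp.Width)
        $p = $bmp.GetPixel($x, $y)
        $r = ($p.R -band 0xF0) -bor (($data[$i] -shr 4) -band 0x0F)   # keep top 4 bits of R
        $g = ($p.G -band 0xF0) -bor ($data[$i] -band 0x0F)            # keep top 4 bits of G
        $bmp.SetPixel($x, $y, [System.Drawing.Color]::FromArgb($p.A, $r, $g, $p.B))
    }
    # PNG is lossless, so the low nibbles survive saving; a JPEG would destroy them.
    $bmp.Save($OutPath, [System.Drawing.Imaging.ImageFormat]::Png)
    $bmp.Dispose()
}

function Read-LsbPayload {
    param([string]$Path)
    $bmp = [System.Drawing.Bitmap]::new($Path)
    $readByte = {
        param([int]$i)
        $p = $bmp.GetPixel($i % $bmp.Width, [int][math]::Floor($i / $bmp.Width))
        [byte]((($p.R -band 0x0F) -shl 4) -bor ($p.G -band 0x0F))
    }
    $len = [BitConverter]::ToInt32([byte[]](0..3 | ForEach-Object { & $readByte $_ }), 0)
    $out = if ($len -gt 0) { [byte[]](4..(3 + $len) | ForEach-Object { & $readByte $_ }) } else { [byte[]]@() }
    $bmp.Dispose()
    return ,$out
}

# Usage: embed Get-KeePass into a fresh source .PNG, writing the runtime copy to a new path
# (the Bitmap keeps the input file locked, so do not overwrite it in place).
$script = [Text.Encoding]::UTF8.GetBytes((Get-Content -Raw .\Get-KeePass.ps1))
Write-LsbPayload -InPath .\source\0198-3000x2000.png -OutPath .\runtime\0198-3000x2000.png -Payload $script
[Text.Encoding]::UTF8.GetString((Read-LsbPayload .\runtime\0198-3000x2000.png))
```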
The CmdLet inserted, Get-KeePass, contains the encrypted key and password used to initially access the KeePass DB. The second factor of authentication comes from interrogating a .JPG image in the source collections that does not exist in the runtime collections. The reason the .JPG is used instead of the .PNG (all .PNGs are duplicated on the runtime system as well) is that it carries the original last-write time rather than the .PNG last-write time, which is also available by interrogating the runtime image collection. Therefore, it is a requirement that the runtime FPS Ops can always link up to the source repository in order to access the KeePass DB.
When the shortcut completes inserting the script into the image, an extract script is printed in the UI for extraction purposes. Then the runtime image is replaced with the updated image for the VM. There are several things to keep in mind.
[Key Insight b9.1] Each VM, although the same UID/PWD may be used across many VMs, typically has a unique image in which it has stored the Get-KeePass CmdLet. For example, on VM “A” the script could be embedded within image 0198-3000×2000 and on VM “B” the script could be embedded within image 0045-3000×2000.
[Key Insight b9.2] The key for each image is derived from the last-update timestamp of the associated .JPG on the source repository. The original .PNGs and .JPGs of the entire image set are maintained on the source FPS Ops repository. Only runtime .PNGs exist within the collections on the runtime repository.
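The key derivation in b9.2, and the encrypted password that Get-KeePass carries, as an added example rather than the post’s own code: the source .JPG’s last-write time is hashed into a 32-byte key and used with PowerShell’s keyed SecureString encryption. The SHA-256 step, the UNC paths and the choice of ConvertFrom-SecureString/ConvertTo-SecureString -Key are assumptions.

```powershell
# Added example (not the post's code). The second factor is the source .JPG's last-write
# time, which the runtime collection's .PNG copies do not carry. SHA-256 over the
# round-trip timestamp string is an assumed derivation; it yields the 32-byte key that
# ConvertFrom-SecureString / ConvertTo-SecureString -Key accept.
function Get-ImageKey {
    param([string]$SourceJpg)   # e.g. \\fpsops-source\images\0198-3000x2000.jpg (placeholder path)
    $stamp = (Get-Item -LiteralPath $SourceJpg).LastWriteTimeUtc.ToString('o')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $key = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($stamp))
    $sha.Dispose()
    return ,$key
}

# Run once on the source side; the returned string is what gets embedded in Get-KeePass.
function Protect-KeePassSecret {
    param([string]$SourceJpg, [string]$Secret)
    $ss = ConvertTo-SecureString -String $Secret -AsPlainText -Force
    ConvertFrom-SecureString -SecureString $ss -Key (Get-ImageKey $SourceJpg)
}

# Run at runtime; fails if the source share is unreachable or the .JPG's
# timestamp no longer matches the one used when the secret was protected.
function Unprotect-KeePassSecret {
    param([string]$SourceJpg, [string]$Encrypted)
    $ss   = ConvertTo-SecureString -String $Encrypted -Key (Get-ImageKey $SourceJpg)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Usage (paths and secret are placeholders):
$jpg  = '\\fpsops-source\images\0198-3000x2000.jpg'
$blob = Protect-KeePassSecret -SourceJpg $jpg -Secret 'kp-db-password'
Unprotect-KeePassSecret -SourceJpg $jpg -Encrypted $blob
```

Because the key comes only from a timestamp, anyone who can read both the runtime .PNG and the source share’s file times can rebuild it; the ACL on the source repository, not the key length, is what actually gates access.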
[Key Insight b9.3] Over time, the scripts within runtime .PNG images will become irrelevant as they are replaced by new images carrying updated passwords. This is encouraged, as it puts into question which image is the one actually needed. Bogus scripts should also be planted at random over time so as to further obfuscate the real image. If you ever need to reset the .PNGs in the runtime collections, simply copy all of the .PNGs from the source collections to the runtime collections.
[Key Insight b9.4] If you would like to use an image that was previously used, this is fine as the “fresh” .PNG in the source collection is used to create the runtime script/image.
[Key Insight b9.5] An initial gallery is present on the source with the .PNGs manually duplicated over to the runtime. This gallery is copyright protected and cannot be used for any other purpose other than use with PSImage. A SeedImages shortcut restores the images on the runtime collection to the original settings. The .PNGs are all 3000×2000 in size and use the largest file size setting when created. The filename standard used is nnnn-3000×2000.png for the collection.
[Key Insight b9.6] The image used is the bolded part of the CI’s GUID in the following example 7751272f-ac6a-444e-0139-3d1fac232495. Use the shortcut getGuid to retrieve a fresh GUID for any new CI. You can change the image portion when another image is selected.
Referenced Source Files
Source for SC-PS1Image.ps1