I am trying to generate a SHA512 hash password string with salt encoding in powershell..
I found below python one and checked working fine
python -c 'import crypt; print crypt.crypt("welcome#123", crypt.mksalt(crypt.METHOD_SHA512))'
Is there anything similar in powershell...??
Related
Convert .crt, .csr, and .key files to .pfx or .p12 using powershell on Windows server 2016.
I have .cert, .csr, and .key files. But in order to execute the "netsh http add sslcert ..." command, I need the .pfx or .p12 file. And I need this to be done in powershell. Openssl is not an option.
I have accomplished the above using openssl. But Im restricted from downloading software now, so thats not an option any more. Im looking for equivalent of openssl pkcs12 -export -out domain.name.pfx -inkey key.key -in cert.crt command in powershell.
This is an old thread but since I was stuck on the exact same problem and finally found the correct answer that wasn't just everyone shouting to use openssl which sometimes isn't available I thought I'd share here for the next lucky soul.
There is a built-in windows utility call CertUtil which can be called from PS and will do exactly this. It's available out of the box at least as far back as server 2012, cant' speak to older versions.
certutil –MergePFX certfile.cer certfile.pfx
A couple things to keep in mind, the -MergePFX only prompts for the certfile not the key so:
Private key file must have .KEY extension.
Cert and key files must have the same base file name.
Cert and key file must be in the same directory.
If you can use .NET Core 3.0:
Load the certificate via cert = new X509Certificate2(certFile)
If the keyfile is PEM encoded (e.g. starts with "----- BEGIN ") then load it, remember what type it is (human or software), find the base64 contents between the header and footer, and run that through Convert.FromBase64String to get the BER/DER encoded format of the key.
key = RSA.Create()
key.ImportPkcs8PrivateKey(bytes, out _), key.ImportEncryptedPkcs8PrivateKey(password, bytes, out _), or key.ImportRSAPrivateKey(bytes, out _); depending on what format the private key file is in.
certWithKey = cert.CopyWithPrivateKey(key)
File.WriteAllBytes("new.pfx", certWithKey.Export(X509ContentType.Pkcs12, password))
If you can use .NET Core 2.1 / .NET Framework 4.7.2:
Load the cert, as above.
Load the key manually:
RSAPrivateKey
How to get RSACryptoServiceProvider public and private key only in c#
How to parse(Convert to RSAParameters) X.509 private key in C#?
PKCS#8 PrivateKeyInfo
Digital signature in c# without using BouncyCastle
PKCS#8 EncryptedPrivateKeyInfo
X509Certificate2.Import with NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG (ImportEncryptedPkcs8Overwrite method)
Use CopyWithPrivateKey/Export/WriteAllBytes as above
If you're stuck on something older:
You could try loading the cert, manually loading the key into an RSACryptoServiceProvider, using cert.set_PrivateKey, and exporting that. Only works on .NET Framework (eliminated from .NET Core because it has too many side effects, especially when done to a cert already in a persisted certificate store).
I have a powershell.ps1 script that I performed base64 encoding upon as below
$Base64 = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\path\to\powershell.ps1'));
Now I have stored this output to base64.txt file.
I tried to launch this script as below via CMD,
powershell.exe -EncodedCommand (Base64String)
But I ended up in the below error
Cannot process the command because the value specified with -EncodedCommand is not properly encoded. The value must be Base64 encoded.
I realized that the CMD is not taking the entire (Base64String). The full length of my (Base64String) is 11,133 characters. But CMD is accepting only 8160 characters.
Is there any way or workaround to run this base64 encoding?
Thanks in advance.
This worked for me (myscript.ps1 contains the base64 encoded command):
powershell -encodedcommand (Get-Content 'myscript.ps1' -Raw)
Which is very similar to what you would do in Bash:
$ powershell -encodedcommand `cat myscript.ps1`
Obs: Addressing some comments, this is sometimes indeed needed. My particular use case was to do a reverse shell while dodging an AV on a windows machine that was detecting my plaintext shell code.
I have a file, file.txt and inside it I have a text computer. When I use openssl to make a MD5 hash out of it, it gives me:
openssl dgst -md5 file.txt
MD5(file.txt)= 6accefe4a7ff62bd935f25a053c5fd3c
And when I use http://www.md5.cz/ to make hash from the word computer it gives me df53ca268240ca76670c8566ee54568a and I dont know why.
In my file theres no newlines and spaces. What is the problem here?
MD5 of computer is df53ca268240ca76670c8566ee54568a.
MD5 of computer\n is 6accefe4a7ff62bd935f25a053c5fd3c.
Your file.txt is having a new line character \n at the end.
gpg --output C:\ecshome\mboxes\store\20150410_030846_1_0001_6pik.msg.
asc --passphrase abcd. --no-default-keyring --decrypt C:\ecshome\mboxes\store\20150410_030846_1_0001_6pik.msg
When I try to decrypt an email message by using gpg from the command prompt, it works. But when I try to decrypt the same with a Perl script by using external command, it shows the "Secret key not available" error (On Windows).
You haven't shown us the way you quote that command in perl, but allow me guess that you haven't taken into account the fact that the backslash is both the Windows directory seperator and the Perl string escape. You should be aware that "\e", the 3rd character in your --output & --decrypt paths, is the character (ESC). The sequences "\m" and "\s" interpolate to 'm' and 's' respectively.
Possible solutions include either delimiting the string with q()/single quotes or doubling up the backslashes in qq()/qx()/double quotes/back quotes.
The problem was with pubkey ring. Apparently its stored for each user under their application data directory if you don't mention any home directory specifically at time of installation. If you execute from Command prompt it will directly take from the present user's applicatin data but from perl it wont check there.U have to specifically Configure GNUPGHOME to that folder (application data) then run the perl script.
I am using signtool.exe to sign exe file.
I am trying to embed my exe file with the .pfx certificate along with the signed hash of exe(generated signed hash using openssl). I am able to sign only with certificate. But I need to embed the signed hash in the exe as well. Probably signtool.exe sign /as could help. /as option does not expect any argument so not able to pass my hash there.
Could someone please help me sign my exe with certificate and hash.
Thanks,
The version of Signtool shipped with the Windows 10 SDK includes the capability to embed a signed hash into an exe.
From the following page:
https://vcsjones.com/2017/05/07/custom-authenticode-signing/
Starting in the Windows 10 SDK, two new command line switches are available, dg and di. Recall that a signature is always performed on a hash on Authenticode. The dg option changes signtool’s behavior to output a digest that you can sign using anything you’d like. Let’s try this on a copy of notepad.exe.
signtool sign /dg "C:\scratch\dir" /fd SHA256 /f public-cert.cer notepad.exe
This takes a file to a public certificate - there is no key in
public-cert.cer. You could also use the /sha1 option to specify a
certificate in the certificate store that also has only a public key.
This will output a few files in the “C:\scratch\dir” directory. The
digest is the one with the “.dig” extension. This file will have the
Base64 encoded digest to sign. Next, using your custom tool, sign the
digest with the private key for the certificate. You should decode the
Base64 signature before signing if the signing API expects a raw
binary digest.
Next, encode your signature in base64 and place it in a file in the
“C:\scratch\dir” directory with the same name as the digest file, with
the “signed” extension. For example, “notepad.exe.dig.signed”.
The next step is to ingest the signed digest along with the rest of
the Authenticode signature to complete the signing.
signtool sign /di "C:\scratch\dir" notepad.exe
This will complete the signing process, and we now have our own signed
copy of notepad.exe. Appending a signature is done just as before,
except with the /as flag.
This provides great flexibility for signers to use non CSP / CNG
signing options, or offloading the signing process. Signtool can now
also sign just a plain digest file using the /ds option. If you have a
dedicated server for performing Authenticode signing, you can now use
the /dg, /ds, /di options so that only a very small file needs to be
moved to the signing server, instead of the entirely binary if they
are large in size.