Question

How to retrieve passwords from Password safe cache tool?

  • March 19, 2026
  • 2 replies
  • 53 views


We have run the pspca command and in the logs it states it was able to get credentials for some of the accounts. Now that we know it has stored the passwords somewhere locally, how can we retrieve the passwords?

2 replies

  • BeyondTrust Employee
  • March 19, 2026

Hello @NehaMehta - you can use the API to use the Secrets Cache feature. Please find the details on how to do this here: https://docs.beyondtrust.com/bips/docs/ps-cache

So long as the Secrets Cache is installed and connected, the cache is refreshed every five minutes by default and thus should almost always have an up-to-date copy of your managed account credentials.


  • BeyondTrust Employee
  • March 20, 2026

Here’s a starter script to get you started. This also retrieves Secrets from Secrets Safe if you are caching those as well. If you are not caching Secrets you can rem out or remove that portion of the script.

#Force TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$baseUrl = "https://yourCacheServerIp:Port/BeyondTrust/api/public/v3/"; # replace yourCacheServerIp:Port with the IP/Port of your cache server
$apiKey = 'yourAPIkey' # replace with your API key (same as cache server API)
$runAsUser = "APIuser"; # replace with your API user account name (same as cache server username)

$headers = @{ Authorization="PS-Auth key=${apiKey}; runas=${runAsUser}";}

$ErrorActionPreference = 'SilentlyContinue'
#Verbose logging?
$verbose = $True;

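# These output files hold plaintext credentials: restrict access to the folder and delete the files when done
$ResultsCSV = "C:\Scripts\SecretsCache\SecretsOuput\creds.CSV"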
$ResultsTxt = "C:\Scripts\SecretsCache\SecretsOuput\creds.txt"
$SecretsCsv = "C:\Scripts\SecretsCache\SecretsOuput\secrets.csv"


if (Test-Path $ResultsCSV) { Remove-Item $ResultsCSV }
if (Test-Path $ResultsTxt) { Remove-Item $ResultsTxt }
if (Test-Path $SecretsCsv) { Remove-Item $SecretsCsv }


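# Accepts ANY server certificate (validation is disabled), e.g. for a self-signed cache server certificate.
# Remove this block once the cache server's certificate is trusted on this machine.
add-type "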
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        return true;
    }
}
";
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy;

#Sign in API with error handling
try
{
    #Sign-In
    if ($verbose) { "Signing-in.."; }
    $signInResult = Invoke-RestMethod -Uri "${baseUrl}Auth/SignAppIn" -Method POST -Headers $headers -SessionVariable session;
    if ($verbose) { "..Signed-in as {0}" -f $signInResult.UserName;  ""; }
}
catch
{
    ""; "Exception:";
    if ($verbose)
    {
        # Full exception details
        $_.Exception | Format-List -Force;
    }
    else
    {
        $_.Exception.GetType().FullName;
        $_.Exception.Message;
    }
}

# --- Get passwords ---
$requests = Invoke-RestMethod -Uri "${baseUrl}Requests" -Method Get -WebSession $session

foreach ($request in $requests) {
    # Retrieve the cached password for this request
    $ManagedAccountPassword = Invoke-RestMethod -Uri "${baseUrl}Credentials/$($request.RequestID)" -Method GET -WebSession $session -Verbose

    $Spacer = '-------------------------------'

    $Spacer | Out-File -FilePath $ResultsTxt -Append

    'Managed System Name = ' + $request.SystemName | Out-File -FilePath $ResultsTxt -Append
    'Domain if Domain user = ' + $request.DomainName | Out-File -FilePath $ResultsTxt -Append
    'Managed Account Name = ' + $request.AccountName | Out-File -FilePath $ResultsTxt -Append
    'Managed Account Password = ' + $ManagedAccountPassword | Out-File -FilePath $ResultsTxt -Append

    $Spacer | Out-File -FilePath $ResultsTxt -Append

    # $( ) is required to expand an object property inside a double-quoted string
    "$($request.SystemName), $($request.DomainName), $($request.AccountName), $ManagedAccountPassword" | Out-File -FilePath $ResultsCSV -Append
}


# -------------------
# --- Get secrets ---
# -------------------

$secrets = Invoke-RestMethod -Uri "${baseUrl}Secrets-Safe/Secrets" -Method Get -WebSession $session
#$secrets
foreach ($secret in $secrets) {
    # $( ) is required to expand an object property inside a double-quoted string
    "$($secret.FolderPath); $($secret.Username); $($secret.Password); $($secret.Title); $($secret.Description)" | Out-File -FilePath $SecretsCsv -Append
    write-host $secret.Username $secret.Password
}


# -----------------

#Sign-Out
if ($verbose) { "Signing-out.."; }
$signOutResult = Invoke-RestMethod -Uri "${baseUrl}Auth/Signout" -Method POST -Headers $headers -WebSession $session;
if ($verbose) { "..Signed-out"; ""; }


if ($verbose) { "Done!"; }

write-host found $requests.Count Cached accounts
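
A variant of the password retrieval above that pins the cache server's certificate by thumbprint instead of trusting every certificate, and writes the CSV with Export-Csv so passwords containing commas or quotes stay in one field. This is an added example, not part of the original post and not BeyondTrust code. It assumes Windows PowerShell 5.1 (in PowerShell 7, ServicePointManager settings do not apply to Invoke-RestMethod); the `PinnedCert` helper name and the thumbprint placeholder are hypothetical.

```powershell
# Added example (not BeyondTrust code). Assumes Windows PowerShell 5.1.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$baseUrl   = 'https://yourCacheServerIp:Port/BeyondTrust/api/public/v3/'   # as in the script above
$headers   = @{ Authorization = 'PS-Auth key=yourAPIkey; runas=APIuser' }  # replace key and user
$pinned    = '<SHA1-THUMBPRINT-OF-CACHE-SERVER-CERT>'                       # placeholder, not a real value
$resultCsv = 'C:\Scripts\SecretsCache\SecretsOuput\creds.CSV'

# Accept the server certificate only if its thumbprint equals the pinned value (process-wide setting).
Add-Type @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCert {   // hypothetical helper name
    static string pin;
    static bool Check(object s, X509Certificate c, X509Chain ch, SslPolicyErrors e) {
        return c != null && string.Equals(new X509Certificate2(c).Thumbprint, pin,
                                          StringComparison.OrdinalIgnoreCase);
    }
    public static void Enable(string thumbprint) {
        pin = thumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Check;
    }
}
'@
[PinnedCert]::Enable($pinned)

try {
    Invoke-RestMethod -Uri "${baseUrl}Auth/SignAppIn" -Method POST -Headers $headers -SessionVariable session | Out-Null
} catch {
    Write-Error "Sign-in failed: $($_.Exception.Message)"
    return   # stop here: nothing below works without a session
}
try {
    $requests = Invoke-RestMethod -Uri "${baseUrl}Requests" -Method GET -WebSession $session
    $rows = foreach ($request in $requests) {
        [pscustomobject]@{
            SystemName  = $request.SystemName
            DomainName  = $request.DomainName
            AccountName = $request.AccountName
            Password    = Invoke-RestMethod -Uri "${baseUrl}Credentials/$($request.RequestID)" -Method GET -WebSession $session
        }
    }
    # Export-Csv quotes each field, so a password such as  a,b"c  does not split the row
    if ($rows) { $rows | Export-Csv -Path $resultCsv -NoTypeInformation }
} finally {
    Invoke-RestMethod -Uri "${baseUrl}Auth/Signout" -Method POST -Headers $headers -WebSession $session | Out-Null
}
```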