Generating Time-based One-time Passwords With PowerShell

February 5, 2015 By jamcut

In this post I will be explaining how to leverage PowerShell to create a time-based one-time password (TOTP).  If you are not familiar with the concept of one-time passwords, the key point is that they are passwords that can be used only (drum roll) one time.  If you require more information please see this Wikipedia article. If you have ever used RSA’s SecurID or Google’s Authenticator app, you are using a one-time password, and a time-based one at that.

We encountered a situation where we wanted to have the ability to create a TOTP using PowerShell.  I assumed that there would have been a library or module available already but didn’t find one after a few quick searches, so I decided to look into writing a script from scratch.  Disclaimer: I am not much of a coder in any language (least of all PowerShell), so hate tweets are welcome.  Being somewhat familiar with Python, I decided to try to use this Python module as a starting point.  However, I left several features out due to lack of necessity for our purposes.  I also had to take a look at the RFC, which was interesting as it is the first one that I have ever had to read deeply into for a security concept.  After getting comfortable with the concepts, finishing the research, and receiving a lot of help from steiner, I came up with the following:

(Side note: I had originally planned to turn this into a fully featured PowerShell module, but other things took precedence, and I haven’t spent much time with it lately.)

While there isn’t anything particularly groundbreaking here, it is now relatively simple to generate a TOTP on a Windows system without installing any third party programs.  You don’t even have to write the script to disk if you use PowerShell’s “Invoke-Expression” cmdlet as follows:

IEX (New-Object Net.WebClient).DownloadString("https://gist.githubusercontent.com/jamcut/9f1c88ea81e2d84a8fe3/raw/0878bbc1b46801e5e8d1080610facfa06eb8ee28/psotp.ps1")

Since TOTPs are typically used in authentication, you may be wondering what an attacker would want with something like this.  This would probably be useful in exfiltrating data after a successful breach.  This would give the client (infected system) the ability to encrypt data by taking a dynamically generated value which could then be combined with a known value, such as the hostname.  Hash these values and use the result as a key to encrypt data before transmission to a server (attacker system).  The server could then calculate the TOTP, or several possibilities based on the time the data was received, and decrypt the information with relative ease.  Additionally, it can still be used with authentication in malware; the possibilities are really only limited by one’s imagination.  The following image shows both the Python and PowerShell implementations generating the same TOTP.

Generating a TOTP in Python and PowerShell

It should be noted that the Python implementation requires the shared secret to be base32 encoded, while the PowerShell implementation requires base64.
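The following is an added example, not the author's psotp.ps1 or any code from the original post: a minimal RFC 6238 generator (HMAC-SHA1) with a base32 decoder, showing that a base32-encoded and a base64-encoded copy of the same secret produce the same code. The function names ConvertFrom-Base32 and Get-Totp are hypothetical, and the key is the RFC 6238 Appendix B test key rather than a value from this post.

```powershell
# Added example, not the original psotp.ps1. Assumes PowerShell 3.0 or later.
function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bytes = New-Object 'System.Collections.Generic.List[byte]'
    $buffer = 0; $bits = 0
    foreach ($c in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $index = $alphabet.IndexOf($c)
        if ($index -lt 0) { throw "Invalid base32 character: $c" }
        $buffer = ($buffer -shl 5) -bor $index   # append 5 bits
        $bits += 5
        if ($bits -ge 8) {                       # emit one full byte
            $bits -= 8
            $bytes.Add([byte](($buffer -shr $bits) -band 0xFF))
            $buffer = $buffer -band ((1 -shl $bits) - 1)
        }
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [long]$UnixTime = [long][Math]::Floor(([DateTime]::UtcNow - [DateTime]'1970-01-01').TotalSeconds),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # 8-byte big-endian counter: number of time steps since the Unix epoch
    $counter = [BitConverter]::GetBytes([long][Math]::Floor([double]$UnixTime / $Step))
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counter) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Key)
    try { $hash = $hmac.ComputeHash($counter) } finally { $hmac.Dispose() }
    # Dynamic truncation (RFC 4226): low nibble of last byte selects a 31-bit window
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
               [int]$hash[$offset + 3]
    $code = $binary % [int][Math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# Constructed input: the RFC 6238 Appendix B SHA-1 test key
# (ASCII "12345678901234567890") in the two encodings mentioned above.
$fromBase64 = [Convert]::FromBase64String('MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=')
$fromBase32 = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-Totp -Key $fromBase64 -UnixTime 59 -Digits 8
Get-Totp -Key $fromBase32 -UnixTime 59 -Digits 8
```

Both calls print the same value; RFC 6238 Appendix B lists 94287082 for this key at T = 59.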

 
