Created
March 17, 2019 14:24
-
-
Save adamrushuk/6f2b9fdbd4f0891fd9b9f42e190aedba to your computer and use it in GitHub Desktop.
KeePass PowerShell examples
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| # Testing KeePass automation against KeePass v2.39.1 | |
| # Vars | |
| $masterKeyCredential = New-Object -TypeName 'PSCredential' -ArgumentList ('KPMasterUser', (ConvertTo-SecureString -String 'Passw0rd123!' -AsPlainText -Force)) | |
| $repoPath = 'C:\Code\KeePass\KeePassDB' | |
| $databaseName = 'KeePassDatabase' | |
| $databasePath = Join-Path -Path $repoPath -ChildPath "$databaseName.kdbx" | |
| $databaseProfileName = 'KeePassDatabaseProfile01' | |
| $testGroupName = 'TestAccounts' | |
| $domain = 'LAB' | |
| $serviceAccountNames = @( | |
| 'svc_admin' | |
| 'svc_sql' | |
| 'svc_ldap' | |
| ) | |
| Install-Module 'PoShKeePass' -Force -Verbose | |
| Import-Module 'PoShKeePass' -Force -Verbose | |
| <# | |
| (Get-Module PoshKeePass).Path | |
| Get-Command -Module PoShKeePass | |
| #> | |
| #region Create new database | |
| New-Item -Path (Split-Path -Path $databasePath) -ItemType Directory -Force -Verbose | |
| # ! This will overwrite an existing Database with same path | |
| $keePassDatabaseParams = @{ | |
| DatabasePath = $databasePath | |
| # KeyPath = 'C:\Code\KeePass\testKeePassDatabase.key' # not implemented yet | |
| MasterKey = $masterKeyCredential | |
| Verbose = $true | |
| } | |
| New-KeePassDatabase @keePassDatabaseParams | |
| # Create connection profile in module path, eg C:\Program Files\WindowsPowerShell\Modules\PoShKeePass\2.1.1.8\KeePassConfiguration.xml | |
| # Requires ADMIN rights for this part only | |
| $keePassConnectionParams = @{ | |
| DatabaseProfileName = $databaseProfileName | |
| DatabasePath = $databasePath | |
| UseMasterKey = $true | |
| Verbose = $true | |
| } | |
| $dbConfiguration = Get-KeePassDatabaseConfiguration -DatabaseProfileName $databaseProfileName | |
| if ($null -eq $dbConfiguration) { | |
| Write-Host "STARTED: Creating new KeePass Database Configuration" -ForegroundColor 'Green' | |
| New-KeePassDatabaseConfiguration @keePassConnectionParams | |
| } else { | |
| Write-Host "SKIPPING: KeePass Database Configuration already exists" -ForegroundColor 'Yellow' | |
| } | |
| #endregion | |
| #region Groups | |
| #Create First-level group | |
| $newKeePassGroupSplat = @{ | |
| KeePassGroupName = $testGroupName | |
| KeePassGroupParentPath = $databaseName # this is the DatabaseName for first-level groups | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| Verbose = $true | |
| } | |
| New-KeePassGroup @newKeePassGroupSplat | |
| # Get groups | |
| Get-KeePassGroup -DatabaseProfileName $databaseProfileName -AsPlainText -MasterKey $masterKeyCredential | |
| #endregion | |
| #region Create entries | |
| $keePassNewEntryParams = @{ | |
| UserName = "$domain\svcAccount01" | |
| KeePassEntryGroupPath = "$databaseName/$testGroupName" # full path | |
| KeePassPassword = $(New-KeePassPassword -upper -lower -digits -length 32) | |
| Title = 'Test Service Account' | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| Verbose = $true | |
| } | |
| New-KeePassEntry @keePassNewEntryParams | |
| $keePassNewEntryParams = @{ | |
| UserName = "$domain\svcAccount02" | |
| KeePassEntryGroupPath = "$databaseName/$testGroupName" # full path | |
| KeePassPassword = $(New-KeePassPassword -upper -lower -digits -length 32) | |
| Title = 'Test Service Account 02' | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| Verbose = $true | |
| } | |
| New-KeePassEntry @keePassNewEntryParams | |
| # Create entries from Service Account array | |
| foreach ($serviceAccountName in $serviceAccountNames) { | |
| $keePassNewEntryParams = @{ | |
| UserName = "$domain\$serviceAccountName" | |
| KeePassEntryGroupPath = "$databaseName/$testGroupName" # full path | |
| KeePassPassword = $(New-KeePassPassword -upper -lower -digits -length 32) | |
| Title = $serviceAccountName | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| Verbose = $true | |
| } | |
| New-KeePassEntry @keePassNewEntryParams | |
| } | |
| #endregion | |
| #region Get entries | |
| $keePassGetEntryParams = @{ | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| AsPSCredential = $true | |
| Verbose = $true | |
| } | |
| $entries = Get-KeePassEntry @keePassGetEntryParams | |
| $entries | |
| $entries.Credential | |
| $entries[0] | Get-Member | |
| $entries[0] | Format-List * | |
| $entries[0].Credential | Get-Member | |
| $entries[0].Credential.GetNetworkCredential().password | |
| # Get specific entry | |
| $keePassGetSingleEntryParams = @{ | |
| UserName = "$domain\svcAccount01" | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| AsPSCredential = $true | |
| AsPlainText = $true # ! This is insecure and may be deprecated in future versions | |
| Verbose = $true | |
| } | |
| $keePassEntryObject = Get-KeePassEntry @keePassGetSingleEntryParams | |
| $keePassEntryObject | |
| #endregion | |
| #region Update entry | |
| $updateKeePassEntryParams = @{ | |
| KeePassEntry = $keePassEntryObject | |
| Title = 'My New Title' | |
| KeePassPassword = $(ConvertTo-SecureString -String 'MyNewPassword' -AsPlainText -Force) | |
| KeePassEntryGroupPath = "$databaseName/$testGroupName" | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| Confirm = $false | |
| Verbose = $true | |
| } | |
| Update-KeePassEntry @updateKeePassEntryParams | |
| #endregion | |
| #region Example usage | |
| # Credential - Old Method (hard-coded) | |
| $adminCredential = New-Object -TypeName 'PSCredential' -ArgumentList ('LAB\svc_admin', (ConvertTo-SecureString -String 'Password1234' -AsPlainText -Force)) | |
| $adminCredential | |
| # Credential - New Method (dynamic) | |
| $keePassDefaultParams = @{ | |
| DatabaseProfileName = $databaseProfileName | |
| MasterKey = $masterKeyCredential | |
| AsPSCredential = $true | |
| Verbose = $true | |
| } | |
| $adminCredential2 = (Get-KeePassEntry @keePassDefaultParams -UserName 'LAB\svc_admin').Credential | |
| $adminCredential2 | |
| # Credentials - New Method (ConfigData) | |
| $ConfigData = @{ | |
| AllNodes = @( | |
| # This will be ran on all nodes | |
| @{ | |
| # LCM | |
| NodeName = '*' | |
| PSDscAllowPlainTextPassword = $true | |
| PSDscAllowDomainUser = $true | |
| } | |
| @{ | |
| NodeName = 'dc01' | |
| # Always wrap in an array for role selection logic | |
| Role = @('DomainController') | |
| } | |
| ) | |
| # Define role data here to ensure roles and nodes are not tightly coupled | |
| Role = @{ | |
| DomainController = @{ | |
| LdapUsername = 'LAB\svc_ldap' # <--- TARGET THIS USERNAME with $ConfigData.Role.DomainController.LdapUsername | |
| } | |
| } | |
| } | |
| $ldapCredential = (Get-KeePassEntry @keePassDefaultParams -UserName $ConfigData.Role.DomainController.LdapUsername).Credential | |
| $ldapCredential | |
| # Sometimes we need the plain text password | |
| $ldapCredential.GetNetworkCredential().password | |
| #endregion |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment