Secure use of passwords in batch files?


66 replies to this topic

#1 unknownsoldierX

unknownsoldierX

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-March 05

Posted 22 July 2010 - 02:23

I have a series of batch files that run a robocopy backup to a TrueCrypt container on a remote machine.

1. backups.bat on local machine uses psexec to start backup_share.bat on the remote machine.
2. backup_share.bat mounts the TrueCrypt container and shares folders inside.
3. backups.bat runs robocopy.
4. backups.bat uses psexec to run backups_unmount.bat
5. backups_unmount.bat unmounts the TrueCrypt volume.

All of this requires my username and passwords in the batch files. Is there a more secure way to do this?

backups.bat
@echo off

D:\Programs\PsTools\psexec.exe -h \\DOWNSTAIRS -u username -p password D:\Locked\backups_share.bat

rem Run robocopy...
"D:\Programs\backups (robo).bat"

D:\Programs\PsTools\psexec.exe -h \\DOWNSTAIRS -u username -p password D:\Locked\backups_unmount.bat

PAUSE

backups_share.bat
@echo off

rem Mount True Crypt Volume
D:\TrueCrypt\TrueCrypt.exe /v D:\Locked\backups /l G /p password /q

rem Share folders
Net share share1$=G:\share1 /grant:username,FULL
Net share share2$=G:\share2 /grant:username,FULL

backups_unmount.bat
@echo off

rem Unmount Truecrypt volume
D:\TrueCrypt\TrueCrypt.exe /d /q



#2 medium_pimpin

medium_pimpin

    Boner Soup

  • Joined: 22-February 06
  • Location: Lexington, KY USA
  • OS: Windows 7/Linux Mint

Posted 22 July 2010 - 02:40

There's no way to pass an encrypted key via Windows CMD. I'm not sure about a PowerShell script.

#3 OP unknownsoldierX

unknownsoldierX

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-March 05

Posted 22 July 2010 - 03:18

I found some info about encrypting passwords with PowerShell.

http://www.vistax64....used-batch.html
http://powershell.co...edia/p/248.aspx

PowerShell looks way more complicated than what I'm doing. I'm not sure how to begin.
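
Added example, not written by any poster in this thread: one way to begin with the PowerShell approach mentioned above is to store each password DPAPI-encrypted for the account that runs the backup, and read it back at run time instead of typing it into backups.bat. The function names, the secret directory and the sample value are assumptions made for illustration.

```powershell
$SecretDir = Join-Path $env:LOCALAPPDATA 'BackupSecrets'   # assumed location

function Save-BackupSecret {
    param([string]$Name, [System.Security.SecureString]$Secret)
    if (-not (Test-Path $SecretDir)) {
        New-Item -ItemType Directory -Path $SecretDir | Out-Null
    }
    # With no -Key/-SecureKey, ConvertFrom-SecureString encrypts with DPAPI
    # under the current user's key; the file holds ciphertext, not the password.
    $Secret | ConvertFrom-SecureString |
        Set-Content -Path (Join-Path $SecretDir "$Name.txt")
}

function Get-BackupSecret {
    param([string]$Name)
    $path = Join-Path $SecretDir "$Name.txt"
    if (-not (Test-Path $path)) { throw "No stored secret named '$Name'" }
    # Decryption only succeeds for the same Windows user on the same machine.
    $secure = Get-Content -Path $path | ConvertTo-SecureString
    # PSCredential offers a supported way to read the plaintext back.
    $cred = New-Object System.Management.Automation.PSCredential('unused', $secure)
    return $cred.GetNetworkCredential().Password
}

# One-time setup, run interactively as the account that runs the backup:
#   Save-BackupSecret -Name 'psexec' -Secret (Read-Host 'PsExec password' -AsSecureString)
# Constructed sample value so the round trip below runs unattended:
$sample = ConvertTo-SecureString 'constructed-sample-pw' -AsPlainText -Force
Save-BackupSecret -Name 'demo' -Secret $sample

# At backup time the script reads the secret instead of embedding it.
$pw = Get-BackupSecret -Name 'demo'
if ($pw -ne 'constructed-sample-pw') { throw 'round trip failed' }

# The psexec line from backups.bat, with the password filled in at run time.
# It is still visible in the process command line while psexec runs.
$psexecArgs = @('-h', '\\DOWNSTAIRS', '-u', 'username', '-p', $pw,
                'D:\Locked\backups_share.bat')
# & 'D:\Programs\PsTools\psexec.exe' @psexecArgs   # uncomment to run for real
Remove-Item (Join-Path $SecretDir 'demo.txt')       # clean up the demo secret
```

This only protects the password at rest on the local machine; the TrueCrypt `/p password` in backups_share.bat on the remote machine would need the same treatment there.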

#4 Solid Knight

Solid Knight

    Neowinian Senior

  • Joined: 22-February 08
  • Location: New Orleans, LA

Posted 22 July 2010 - 05:26

You could make an .exe in any language of your choice and there are plenty of articles on how. It shouldn't be too rough since you're just using this .exe to issue CLI commands.

#5 Raa

Raa

    Resident president

  • Tech Issues Solved: 4
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 22 July 2010 - 05:30

There's always a chance someone will decode your compiled exe, or sniff it out in memory.

They did this at work with VBS files and passwords inside, and people got the contents from extracting the exe's and using memory viewers.

#6 Solid Knight

Solid Knight

    Neowinian Senior

  • Joined: 22-February 08
  • Location: New Orleans, LA

Posted 22 July 2010 - 05:40

> There's always a chance someone will decode your compiled exe, or sniff it out in memory.
>
> They did this at work with VBS files and passwords inside, and people got the contents from extracting the exe's and using memory viewers.


I forgot to specify that you'd use encryption. Although I think by trying to have all this handled automatically he's biting off more than he can chew.

#7 Raa

Raa

    Resident president

  • Tech Issues Solved: 4
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 22 July 2010 - 05:44

I think I'd agree.
Nothing's foolproof, either way.

#8 OP unknownsoldierX

unknownsoldierX

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-March 05

Posted 22 July 2010 - 05:52

It would be ideal to have something more foolproof, but for the moment, all I need is a way to hide my passwords. As long as they are not plaintext, and out of the hands of the average user, that's good enough.

#9 +Xinok

Xinok

    Resident Reresident

  • Joined: 28-May 04
  • Location: Shikaka
  • OS: Windows 7 x64
  • Phone: Galaxy S3 (Wicked)

Posted 22 July 2010 - 06:11

I just tested this program. The batch file doesn't appear to be visible in plain text, so your password should be "hidden".

http://www.battoexeconverter.com/

Encrypts batch file source to keep your code secret.

Users of your scripts cannot view/change your code after it is encrypted by the compiler. Any actions performed by the script can be kept secret.


If you want to take it a step further, this is a free EXE obfuscator which will make it more difficult to disassemble, although not impossible.
http://www.funradar.com/

#10 Prt Scr

Prt Scr

    Neowinian

  • Joined: 22-February 09
  • Location: Sydney, Australia

Posted 22 July 2010 - 06:17

There's a million ways to do it.

You could always write a short FREE AutoIt (http://www.autoitscript.com) CLI script which you can obfuscate the contents of.

#11 OP unknownsoldierX

unknownsoldierX

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-March 05

Posted 22 July 2010 - 06:26

I assume I need to change the lines in my batch files. Change .bat's to .exe's. Do I have to change anything else?

#12 Prt Scr

Prt Scr

    Neowinian

  • Joined: 22-February 09
  • Location: Sydney, Australia

Posted 22 July 2010 - 07:02

> I assume I need to change the lines in my batch files. Change .bat's to .exe's. Do I have to change anything else?


If you like, I'll work you up a basic AutoIt script. Its format is similar to most scripting languages, easy to figure out.

Let me know

#13 OP unknownsoldierX

unknownsoldierX

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-March 05

Posted 22 July 2010 - 07:27

I don't see any mention of security or encryption on the Autoit site.

#14 Prt Scr

Prt Scr

    Neowinian

  • Joined: 22-February 09
  • Location: Sydney, Australia

Posted 22 July 2010 - 09:09

> I don't see any mention of security or encryption on the Autoit site.


Yeah well they spend more time developing it than they do on the web page :)

If you download AutoIt v3 and the SciTE editor, also available on the AutoIt site, and then compile a script with SciTE (Tools->Compile), you'll find the encryption stuff on the Obfuscate tab....



#15 Prt Scr

Prt Scr

    Neowinian

  • Joined: 22-February 09
  • Location: Sydney, Australia

Posted 22 July 2010 - 09:35

For example, here's a bare-bones script I've hacked up in about 10 minutes (haven't used AutoIt for a while). I'm still adding error checking for the drive mapping, but I've tested the TrueCrypt mounting/unmounting.
I also have no idea what your robocopy command line would be, so that's blank; it's just a matter of the right RunAsWait line there... and error checking.
Talking of error checking, TrueCrypt has pathetic exit code support: it either fails on the command line or, if you say try to mount an already mounted drive, you get a message box warning you of this, not a console exit code, so error checking is limited for TrueCrypt.


Currently it runs at the command line and outputs errors or information to the console (command line); it can always pop up message boxes etc. if you need. I'll post a finished version after I eat some dinner.
If you go Tools->Compile, on the first tab there's an option "Create CUI instead of GUI.EXE"; ticking this makes a console .exe, which is what I assumed you were looking for.

Note: The opening section contains the compilation options (obfuscation etc already
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/cs=1 /cn=1 /cf=1 /cv=1 /sf=1 /sv=1
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****


Partial quick script:
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/cs=1 /cn=1 /cf=1 /cv=1 /sf=1 /sv=1
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****


;====TrueCrypt Settings =========
;$TC_Exe - path to truecrypt executable
$TC_Exe = "D:\TrueCrypt\TrueCrypt.exe"
;truecrypt container path
$TC_Path = "i:\test"
; truecrypt driveletter assign
$TC_DriveLetter = "x"
;truecrypt password
$TC_Password =  "test123"



;====Network Share Settings =========
;MapDriveMachineName - name of the machine that has the drive you wish to map; if on the same machine, you can use @ComputerName with no quotation marks around it, as it is an AutoIt macro.
$MapDriveMachineName = "computername"
;MapDrivePath1 - the 1st path on the machine you wish to share
$MapDrivePath1 = "\path"
;MapDrivePath2 - the 2nd path on the machine you wish to share
$MapDrivePath2 = "\path"
;NetworkDomain - name of the domain that contains your user credentials; if on the same machine, you can use @ComputerName with no quotation marks around it, as it is an AutoIt macro.
$NetworkDomain = "domain"
;NetworkUsername - your network username
$NetworkUsername = "username"
;NetworkPassword - your network password
$NetworkPassword = "password"




;Mount True Crypt Volume
$TCMount = RunAsWait($NetworkUsername, $NetworkDomain, $NetworkPassword, 0, $TC_Exe & " /q /v " & $TC_Path & " /l" & $TC_DriveLetter & " /p " & $TC_Password)

;RunAsWait sets @error if the program could not be started, otherwise it returns the program's exit code
If Not @error And $TCMount = 0 Then

	;write the success of truecrypt mounting to the console
	ConsoleWrite(@CRLF & "Successfully mounted: " & $TC_Path & " to Drive: " & $TC_DriveLetter)

	; Map drives
	$Map1_Add = DriveMapAdd("y:", "\\" & $MapDriveMachineName & "\" & $MapDrivePath1, 0, $NetworkDomain & "\" & $NetworkUsername, $NetworkPassword)
	$Map2_Add = DriveMapAdd("z:", "\\" & $MapDriveMachineName & "\" & $MapDrivePath2, 0, $NetworkDomain & "\" & $NetworkUsername, $NetworkPassword)

	; Robocopy stuff


	;UnMap Drives
	$Map1_Del = DriveMapDel("y:")
	$Map2_Del = DriveMapDel("z:")

	;Un-Mount True Crypt Volume
	$TCUnMount = RunAsWait($NetworkUsername, $NetworkDomain, $NetworkPassword, 0, $TC_Exe & " /q /d " & $TC_DriveLetter)
	If @error Or $TCUnMount > 0 Then
		ConsoleWrite(@CRLF & "Failed to unmount: " & $TC_Path & " from Drive " & $TC_DriveLetter & @CRLF & "ExitCode: " & @error & " TrueCrypt returned error: " & $TCUnMount)
	Else
		;only report success when the unmount actually succeeded
		ConsoleWrite(@CRLF & "Successfully unmounted: " & $TC_Path & " from Drive: " & $TC_DriveLetter)
	EndIf
	Exit

Else
	;write the failure of truecrypt mounting to the console
	ConsoleWrite("Failed to mount: " & $TC_Path & " to Drive: " & $TC_DriveLetter & @CRLF & "ExitCode: " & @error & " TrueCrypt returned error: " & $TCMount)
EndIf



