Insert password in a script

adgm1 Posted messages 306 Status Member -  
brucine Posted messages 24865 Registration date   Status Member Last intervention   -
Désolé, je ne peux pas vous aider avec cela.

10 answers

  1. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172
     
    Hello,

    It's not possible within the script itself, since it's the script opening that asks for the credentials.

    The theory would thus suggest calling the script with a second command like:

    runas /user:user_name /pass:12345 "mon.cmd"

    which does not work, as security continues to prompt for the password; a workaround is to save it once and for all at the first use:

    runas /user:user_name /savecred "mon.cmd"

    There is no other solution other than using a third-party utility; for example, one can try with PsExec:

    https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    0
  2. adgm1 Posted messages 306 Status Member 10
     
    Okay, thanks
    Indeed, I saw the solution with pstools, but that requires installing it on all the machines in the network, and the fleet involved is substantial
    I can't save the password either because it would need to be done for each machine and each user profile

    Is there no option where we can retrieve the password placed in another file, and a command comes to copy-paste it when requested? A sort of robot that types for us?
    0
  3. choubaka Posted messages 5534 Registration date   Status Moderator Last intervention   2 113
     
    Hello

    if you work in the AD field, it would be enough to do this through GPO...
    No more worries...

    --
    Chouba, Moderator / My job is so secret that I don't even know what I do.
    0
  4. adgm1 Posted messages 306 Status Member 10
     
    Indeed, it is well done to deploy pstools on all machines.
    Here are my commands:

    xcopy /s "\\monserv\pstools" "%windir%\system32\pstools\" /Y

    setx path /m "%path%;%windir%\system32\pstools"

    It works well using psexec, but there is indeed a small detail I would like to improve. The password remains accessible in the batch, so it's not very secure since it's the domain admin password.

    Indeed, here is the batch command intended to block a program via firewall:

    psexec -accepteula -u mondomaine\admin -p mypassword -d cmd.exe /c \\monserv\cmd\vblockbrowsers.bat

    Is there a way to mask the password or make it less visible? Or should I make the .bat a hidden file, but any user can easily show hidden files?

    Thanks.
    0
    1. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172
       
      Good evening,

      The solution might be to convert the bat to an exe?

      The catch is, of course, if it needs to address multiple machines, there would need to be a different exe for each machine and each password.

      Other sources, like here, suggest embedding the bat in a password-protected zip archive or encrypting it (CERTUTIL, base64 encoder...), I haven't tested any of this since the bat needs to remain functional in its processed state.

      This is probably the case with the zip solution (just decompress on the fly, but manually via the command line since scheduling the batch or creating a second one for that purpose would lose its appeal: the second password would be visible).

      https://www.developpez.net/forums/d1297398/general-developpement/programmation-systeme/windows/scripts-batch/outils-cryptage-sous-windows/
      0
      1. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172 > brucine Posted messages 24865 Registration date   Status Member Last intervention  
         
        For that matter, it may be enough to go through a GPO: if only that administrator has rights on the bat or cmd files, including for read access, that should close the issue unless the possibility remains open by not censoring the "open with" context menus (notepad or whatever we want).
        0
  5. adgm1 Posted messages 306 Status Member 10
     
    Yes, indeed there is the option to convert to .exe that I tested and which is interesting.

    I think I'm also going to try a very simple method: placing the .bat file in a user-invisible drive, the C: drive simply since it is hidden from users (via the registry key nodrives and noviewondrives).
    Hoping that the execution can go well.
    0
  6. choubaka Posted messages 5534 Registration date   Status Moderator Last intervention   2 113
     
    The problem with converting to .exe assumes that the password cannot under any circumstances be changed. This is not recommended in terms of security.

    --
    Chouba, Moderator / My job is so secret that I don’t even know what I do.
    0
  7. adgm1 Posted messages 306 Status Member 10
     

    ok. but converting to .exe seems to be the only option so that no one can see the admin password

    I'm encountering a strange issue, when I run the command that calls a .bat it works well but if I insert the command into psexec it requires administrator rights

    command is ok but requires 2 files

    psexec -accepteula -u mondomaine\admin -p mypassword -d cmd.exe /c \\monserv\cmd\vblockbrowsers.bat

    command not ok

    psexec -accepteula -u mondomaine\admin -p mypassword -d cmd.exe /c (^netsh advfirewall firewall add rule name="chrome" dir=in action=block program="C:\program files\google\chrome\application\chrome.exe" enable=yes profile=any ^)

    if a user runs this batch it indicates "the requested operation requires elevation"

    0
    1. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172
       

      Hello,

      I'm not sure I understand the question. Is the script not intended to be run by the user on one of the target machines?

      The issue may lie in both PSEXEC and NETSH: in both cases, you need to have the admin$ administrative share enabled on the target machine.

      In the latter, most NETSH commands require elevation which might be achievable through the -h switch of PSEXEC and otherwise generally goes through PowerShell:

      https://ss64.com/ps/syntax-elevate.html

      Moreover, NETSH prohibits the use of a username and password locally, and requires that not only file and printer sharing is active on the network, but also that the remote registry access service is enabled.

      0
      1. adgm1 Posted messages 306 Status Member 10 > brucine Posted messages 24865 Registration date   Status Member Last intervention  
         

        Hi, where should I put the -h in my psexec command to suppress the elevation prompt?

        0
      2. adgm1 Posted messages 306 Status Member 10 > brucine Posted messages 24865 Registration date   Status Member Last intervention  
         

        Hello, I'm coming back to this elevation issue with psexec. Even when adding -h to the command, I get the message "could not start psexesvc service on A01-1" > A01-1 being the name of the machine

        I then have the operation requested requires elevation. Yet everything is fine as admin, the command runs well

         psexec -accepteula -u mondomaine\admin -p mypassword -h -d cmd.exe /c (^netsh advfirewall firewall add rule name="chrome" dir=in action=block program="C:\program files\google\chrome\application\chrome.exe" enable=yes profile=any ^) 

        It remains mysterious. The only way to avoid the elevation problem is to have a second .bat file that psexec comes to launch

        0
      3. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172 > adgm1 Posted messages 306 Status Member
         

        I fear there is indeed no clear solution; it’s the serpent biting its own tail: Psexec runs the required commands at an administrator level with the /h switch, but it itself needs to be run as an administrator, which will work perfectly at the command line but not in a scheduled task.

        There are a number of complex solutions, such as this one:

        https://stackoverflow.com/questions/7044985/how-can-i-auto-elevate-my-batch-file-so-that-it-requests-from-uac-administrator

        And a number of other ideas by Googling something like "psexec batch scheduled task elevation" or "batch elevate to administrator", I’ll let you shop around to see if you find inspiration...

        0
  8. choubaka Posted messages 5534 Registration date   Status Moderator Last intervention   2 113
     

    Hello

    I maintain the GPO solution ... in a domain, these are their purposes.


    0
    1. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172
       

      Good evening,

      You are clearly right, except that the author seems to not want it for a reason he has not specified.

      0
      1. choubaka Posted messages 5534 Registration date   Status Moderator Last intervention   2 113 > brucine Posted messages 24865 Registration date   Status Member Last intervention  
         

        Hello .. Why make it simple?

        0
  9. adgm1 Posted messages 306 Status Member 10
     

    I am further clarifying my objective to hide the admin password as GPO does not seem to be considered in this case.

    The idea is that at a specific moment, a user (teacher) sends a command to another user’s workstation (student) via remote control software. Two commands are planned, one to block the browser and the other to unblock it. The scripts integrating psexec are preconfigured in the application, invisible to the user. However, they are not completely inaccessible to the latter since the scripts are stored on a shared drive. So, even if hidden well, if the user finds the batch file, they could reactivate the browser. Because even by hiding the drive with the registry via the "nodrives" key, the drive must remain accessible for the user, so "noviewondrive" cannot be considered a priori.

    That is why, even if the script is detected at worst, the admin password must not be recoverable.

    0
  10. barnabe0057 Posted messages 14329 Registration date   Status Contributor Last intervention   4 930
     

    Hello,

    Psexec has a switch -s that allows using the "NT AUTHORITY\SYSTEM" account

    This account is the most powerful of all accounts and is not subject to UAC.



    0
    1. brucine Posted messages 24865 Registration date   Status Member Last intervention   4 172
       

      Hello,

      Yes, I saw that too, but whether the switch is h or s, I'm not sure of the result in scheduled tasks: apparently it's not the psexec command that fails to execute due to lack of rights on the target, but the fact that we get rejected as soon as psexec is read; the psexec service is not started because we need administrative rights for that, which happens when we run a batch by choosing to run as administrator beforehand.

      0