FATIHTALI

can I save my password in script


I have big network.

We don't want an administrator on our network. Everybody will be a standard user.

But some special processes need administrator privilege.

If I run the program with this script it will work. But I don't want to lose my password.

How can I save my password in my script?

RunAs("administrator","domain","password",0,"c:\xxxx.exe",@SystemDir)


Startup Agent It is my small Startup Agent. You can install programs on startup Domain pc without Admin rights.




RunAs("administrator","domain","password",0,"c:\xxxx.exe",@SystemDir)

Use a variable

$passv = "password"
RunAs("administrator","domain",$passv,0,"c:\xxxx.exe",@SystemDir)

No good in English :( If I write with errors, excuse me...


With this way.

Can I protect my code from a hex editor or decompiler?

Can they see my password with a hex editor?



I used Medic84 code, compiled it and then checked the resulting exe. You can't find the password because the code seems to be encrypted.

So you can't find the password using a hex editor.

But you CAN find the password (the whole code) when you use a decompiler. A post some days ago mentioned it to be still possible.

$passv = "password"
RunAs("administrator","domain",$passv,0,"c:\xxxx.exe",@SystemDir)


You shouldn't store plain passwords in your script. At least use some encryption functions.

Decompilation is still very EASY and even an obfuscator doesn't help much.


Well yes, but at least it is a little bit more secure than nothing.

It won't be so easy for an 8 year old with Google access to see your pass.

Anyway - decompiling is against the EULA.


Well yes, but at least it is a little bit more secure than nothing.

It won't be so easy for an 8 year old with Google access to see your pass.

Anyway - decompiling is against the EULA.

I don't think an 8 year old with Google access knows what a EULA is, and even if he does he's not going to care.


So, if you write an encrypted password and write an unencrypting function, hacker still to find the right password.

P.s. I think you understand what I mean. Once again, sorry for my English :D



Thank you everybody.

I will recode my program.



Do a conversion of your password with MD5. Use an MD5 UDF like the following link and this way, your password will not be revealed even if it is decompiled. Apparently there is no way to reverse crack an MD5 hash.

So essentially, your password should be stored in your script as the MD5 computed output of your real password, then you use an MD5 conversion to dynamically take input from the program to authenticate against the stored MD5 password.

If I have more time in the next few hours, I will post an example.

http://www.dailycupoftech.com/?page_id=135

Justin


Sorry, use this updated UDF. The previous example is no longer applicable.

http://www.autoitscript.com/forum/index.php?showtopic=81484&st=0&p=584701&hl=md5%20udf&fromsearch=1&#entry584701


Using the above UDF, I have created an example CLI app that only accepts the password 'password'. However, note that this password is not stored in the code at all and cannot be decrypted (Unless authenticated against a "known MD5 result" database - very unlikely for your password).

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Hash39.au3>

; This is the MD5 version of the password 'password'. This is what a hacker would see.
$passwordMD5 = "5f4dcc3b5aa765d61d8327deb882cf99"

; Exit if no password was passed on the command line.
If $CmdLine[0] < 1 Then Exit 1

; Hash the typed password and compare it with the stored hash.
$password = _Hash("md5", $CmdLine[1])

Switch $password
    Case $passwordMD5
        MsgBox(0, "Password correct", "The password you typed is correct")
    Case Else
        MsgBox(0, "Password incorrect", "The password you typed is incorrect")
EndSwitch

Justin


Apparently there is no way to reverse crack an MD5 hash.

Cute. MD5 is not considered a very secure hashing algorithm. Proofs of collisions have been found and bruteforcing them is getting easier by the minute. For example, if you have a new high-end graphics card you can achieve around 1 billion hashes/s without any real problems. Also, since most passwords are just random words people come up with, most passwords will be found within minutes using a hybrid dictionary/bruteforce attack.

So essentially, your password should be stored in your script as the MD5 computed output of your real password, then you use an MD5 conversion to dynamically take input from the program to authenticate against the stored MD5 password.

Since Windows doesn't accept an MD5 hash as password what are you going to do with the hash?

Edited by monoceres
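
Added example, not part of any post in this thread: a Python sketch of the point made above about unsalted MD5. It checks the hash stored in the example script against a small constructed wordlist, then shows a salted, iterated alternative (PBKDF2-HMAC-SHA256 with a constant-time compare). The function names, the wordlist and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Hash taken from the example script in this thread (MD5 of 'password').
STORED_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"

# Constructed sample wordlist; a real audit would use a larger common-password list.
COMMON = ["123456", "letmein", "qwerty", "password", "admin"]


def weak_md5_exposed(stored_hex, wordlist):
    """Audit check: return the word whose unsalted MD5 equals stored_hex, else None.

    Unsalted MD5 is deterministic and fast, so every copy of the script
    carries a value that can be compared against any list of guesses.
    """
    for word in wordlist:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == stored_hex.lower():
            return word
    return None


def make_record(password, iterations=600_000):
    """Derive a salted, deliberately slow verifier instead of a bare hash."""
    salt = os.urandom(16)  # random per record, so precomputed tables do not apply
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify(record, candidate):
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(dk, record["dk"])


if __name__ == "__main__":
    print("unsalted MD5 matches wordlist entry:", weak_md5_exposed(STORED_MD5, COMMON))
    rec = make_record("correct horse battery staple")  # constructed passphrase
    print("right passphrase accepted:", verify(rec, "correct horse battery staple"))
    print("wrong passphrase accepted:", verify(rec, "password"))
```

This only hardens a check that the script performs itself. As pointed out in the thread, RunAs still needs the real password, which no hash can supply.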


Cute. MD5 is not considered a very secure hashing algorithm. Proofs of collisions have been found and bruteforcing them is getting easier by the minute. For example, if you have a new high-end graphics card you can achieve around 1 billion hashes/s without any real problems. Also, since most passwords are just random words people come up with, most passwords will be found within minutes using a hybrid dictionary/bruteforce attack.

Since Windows doesn't accept an MD5 hash as password what are you going to do with the hash?

Well, I guess I'm not up to date on MD5 issues, however with the UDF you can use many other hashing algorithms: CRC, Adler, MD5, SHA, HAVAL, RIPEMD, Tiger, WHIRLPOOL.

Also, Windows doesn't have to support MD5 if you are using the provided UDF. Check out my example and replace MD5 with whatever hashing mechanism you want.

This should still provide him with what he is looking for.

Justin


Nevermind, I get what you are saying about Windows not accepting the hash password. This example would only work for script authentication and not passing to the Windows system.

Justin


I don't think a 8 year old with Google access knows what EULA is, and even if he does he's not going to care.

That's very offensive LOL I'm 11 B) Got a problem??? I know what an EULA is and I DO CARE!!! OMG B)

I can make hacks, trainers and viruses (all kinds) and I'm 11!!!
