hell0we Posted January 14, 2011

Hi everyone,

Sorry if this sounds basic, but we all start off as n00bs sometime. I want to use a script to use the runas feature of AutoIt to run some commands as the local admin of a group of computers. My question is, how secure is the password saved in the script when the script is compiled to exe, can the script be reverse engineered to gain access to the password?

runas ("admin","testpc","admintest",0,"c:\windows\system32\notepad.exe")

Moderators Melba23 Posted January 14, 2011

hell0we,

Welcome to the AutoIt forum.

Searching the forums will provide you with a lot more information in greater detail, but in brief:

- Your plain language script is within the compiled .exe, but in compressed form. It is not immediately viewable with a hex editor, but is by no means secure as it is expanded in memory when the .exe is run.

- Obfuscator (part of the full SciTE4AutoIt3 package) will obscure your script by changing variable and constant names (and a lot more!), which makes it harder to decompile but again does not render the .exe secure.

So, compiling an AutoIt script will prevent quick snooping, but a determined, experienced hacker can relatively easily get your source - including passwords, specific filenames, etc - or the encryption routines you have used in your script to encrypt/decrypt them if they are stored in another file.

Probably not what you wanted to hear, sorry!

M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

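Added example, not part of the thread or any poster's code: because the compiled .exe carries the script and its literals, as the reply above explains, a pre-compile check can flag RunAs/RunAsWait calls whose password argument is a quoted literal. It is written in Python; the function names and the constructed SAMPLE script are assumptions, and only calls written on a single line are handled.

```python
import re

# AutoIt: RunAs/RunAsWait(username, domain, password, logon_flag, program, ...)
CALL = re.compile(r"\b(RunAs(?:Wait)?)\s*\(", re.IGNORECASE)
# One complete AutoIt string literal ("" or '' inside is an escaped quote)
LITERAL = re.compile(r'"(?:[^"]|"")*"|\'(?:[^\']|\'\')*\'')

def split_args(text, start):
    """Split the argument list starting just after '(' at text[start]."""
    args, cur, depth, quote = [], [], 0, None
    for ch in text[start:]:
        if quote:                      # inside a string literal
            if ch == quote:
                quote = None           # a doubled quote just reopens it
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:             # end of this call
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None                        # call not closed on this line

def find_hardcoded_passwords(source):
    """Return (line number, function, username argument) for each literal password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(";"):      # whole-line AutoIt comment
            continue
        for m in CALL.finditer(line):
            args = split_args(line, m.end())
            if args and len(args) >= 3 and LITERAL.fullmatch(args[2]):
                findings.append((lineno, m.group(1), args[0]))  # never echo the secret
    return findings

# Constructed sample script; line 3 is the call quoted in the first post.
SAMPLE = r'''
; deploy.au3 (constructed)
runas ("admin","testpc","admintest",0,"c:\windows\system32\notepad.exe")
$pw = InputBox("Login", "Password", "", "*")
RunAsWait($user, @ComputerName, $pw, 0, "cmd.exe /c whoami")
RunAs("svc,deploy", "lab", 'p(w)', 0, "setup.exe")
'''
```

Calling find_hardcoded_passwords(SAMPLE) reports lines 3 and 6; the call on line 5 takes its password from a prompt at run time and is not flagged.
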
Mat Posted January 14, 2011

Adding to what Melba said, it's all about getting it in proportion. No matter what security systems you use, a determined and knowledgeable hacker given enough time will get to what they want. What you need to think about is how secure it needs to be, and that depends on what the prospective hacker would stand to gain from getting such a password. Usually the answer is "Very little". In which case, _StringEncrypt + obfuscator + compiling is more than adequate. If lots of money is involved then I would definitely look at other solutions.

One good idea would be to have a semi-admin, who can do some normal unimportant tasks, but is not allowed to do some of the more dangerous tasks. Then it's not so much of a problem any more.

hell0we Posted January 14, 2011

Cheers chaps,

I will obfuscate the file, set up another local admin account for running what I need to run, and if by some freak chance I get a computing geek in there that does have the time then I will re-image the computers if they play up. Realistically it's a controlled environment so it's an acceptable risk.

Thanks for your help chaps.

Aus.

BrewManNH Posted January 14, 2011

In the AD that I maintain I created a user that I use to join computers to our domain; the user name and password are stored in plaintext in the SysPrep file. It's in plaintext so it's not very secure, but I have also made it so that this user can't log in to any computer, can't do much of anything except to join computers to the domain.

It's like Mat said, you can make it so that the user that you want to have in your script only has credentials to do only so much on your systems, so if someone gets the username and password they can't do all that much with it.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.

Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Cars0n66 Posted February 21, 2011 (edited)

If you Google around you might find it. There are things to look at your source, sadly. It seriously will always be a problem to deal with in any type of programming: C, Java, Python. Your source is obtainable through some guy with no life just spending days/weeks/months of countless work, just to undo your work. And sad as it is there are more and more every day, so to answer your question your password is somewhat not secure.

One suggestion: you could rar the .exe and put a password lock on it. But it sounds like you want your password in your .exe to be protected. And you want to have your .exe just open ready for use. So my rar suggestion might not be a good solution for you.

Edited February 22, 2011 by Cars0n66

Moderators Melba23 Posted February 21, 2011

Cars0n66,

I would remove all reference to a "decompiler" from your last post NOW!

It is not acceptable to even mention such things here.

M23

Valik Posted February 21, 2011

> If you Google around you might find it. I once lost the source to my .exe and I found some dude who made an AutoIT script to decompile an AutoIT.exe file. I have tested it and it works, and his decompiler still works on the new Au3 .exe files. So to answer your question your password is somewhat not secure. One suggestion: you could rar the .exe and put a password lock on it. But it sounds like you want your password in your .exe to be protected. And you want to have your .exe just open ready for use. So my rar suggestion might not be good solution for you.

Congratulations, you just admitted you violated the AutoIt license agreement. Why shouldn't I ban you from this forum?