Sign in to follow this  
Followers 0
wooying

NewBie - Encrypting admin username so it does send it as cleartext

5 posts in this topic

Some of our users do not have local admin rights to their computer and I need to install Office on their computer. Here what I have so far

1 #include <String.au3>

2 ;Declare all variables used

3 Dim $Username, $Password

4

5 ; Initialization of the variables

6 $USERNAME = "administrator"

7 $Domain = "DOMAIN"

8 $Password = "ADMIN PASSWORD"

9 _StringEncrypt ($s_EncryptPassword, $i_EncryptLevel, [1]

10 ; Set the RunAs parameters to use domain adminstrator account

11 RunAsSet($USERNAME, $Domain, $s_EncryptPassword)

I know line 9 is wrong and so is 11. Can anyone give me some advice, I have look into the help file and for a newbie it hard to understand AutoIT. TIA

Share this post


Link to post
Share on other sites

I dont really understand why you want to encrypt this string... because all the StringEncrypt function does is to make gibberish of a text that only the same function called with the same password can unlock...

but you still have to send the DEcrypted version of the login data:

RunAsSet("administrator", "domain", "pass_00")

what exactly do you want do prevent with the encryption?

Share this post


Link to post
Share on other sites

First, you need to realize that if you compile the script, the admin's username will not be visible in plaintext unless it is decompiled. That being said, it's not terribly difficult to decompile AutoIt scripts, so this may be an appropriate precaution. However, if your script is decompiled, the password to decrypt the administrator password will be visible, so they will probably be able to extract it anyway.

However, to answer your question: specifically, it seems to me that you need to first write a script that encrypts your admin's username so you have that as text. Something like the following:

#include <String.au3>
$EncryptedUsername=(_StringEncrypt(1,"Domain\AdministratorUsername","RandomPassword"))
ClipPut($EncryptedUsername)
MsgBox(0,"Done","Your encrypted username has been copied to your clipboard")oÝ÷ Ù©§ªê-}=Øfx¬¶¶­¢µ,z¹ÚꮢÜ"¶¨º¶¶æ¥ºÇ«©jwjºQjwhö¬³
+v«¨·­Ê&zËk¢x)jË0¢·g¢×­+)jË0¢·pY[zø¬¹^ü¨º»®*mÇ^r©W6zW­zØb±ø«²Û®*m²)Üz+¢{Z{2¢êî±êçjg¢Z{^ÆÓhÂ)ò¢êìr¸©·^­ì¨»§¶Ú,zܨº´nzÚZ­©µêò¢ì"YÞyÖ®¶­sb6æ6ÇVFRfÇCµ7G&æræS2fwC°¢b33cµW6W&æÖSÕõ7G&ætVæ7'BÂgV÷C¶Cff#&CSC3v6#3sCcVFffSCSs#bgV÷C²ÂgV÷Cµ&æFöÕ77v÷&BgV÷C²
(replace "a846fb2d58437cb37465adffe45726" with your actual encrypted Administrator username, which you can paste into your script [since it was copied in the first script we made], and "RandomPassword" with the SAME password you used in the first script). Now you can call your RunAsSet() using $Username and be confident that nowhere in your script is the Administrator Username in plaintext. However, your Administrator's password still is (your line 8), and the password necessary to decrypt the jumbled string into the username also is, so you still can't consider this foolproof. In fact, nothing is.

So the basic principle you need to know is that when calling _StringEncrypt(1,"String","Password"), the 1 means "encrypt", (0 means decrypt), and what you're encrypting is "String" with password "Password". This function returns a string that you can store in a variable and do anything you want with it. Call the function again with a 0 as the first parameter and the result from the first _StringEncrypt function to decrypt it back into a legible string (again, this is returned from the function, so must be stored in a variable).

I know I've been long-winded, but hopefully you understand how to use the _StringEncrypt function now? Honestly, if you're going to compile your final script, you're probably no better off having an encrypted version of the Username than just a plaintext one.


"There are 10 types of people in this world - those who can read binary, and those who can't.""We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true." ~Robert Wilensky0101101 1001010 1100001 1101101 1100101 1110011 0110011 1001101 10001110000101 0000111 0001000 0001110 0001101 0010010 1010110 0100001 1101110

Share this post


Link to post
Share on other sites

First, you need to realize that if you compile the script, the admin's username will not be visible in plaintext unless it is decompiled. That being said, it's not terribly difficult to decompile AutoIt scripts, so this may be an appropriate precaution. However, if your script is decompiled, the password to decrypt the administrator password will be visible, so they will probably be able to extract it anyway.

However, to answer your question: specifically, it seems to me that you need to first write a script that encrypts your admin's username so you have that as text. Something like the following:

#include <String.au3>
$EncryptedUsername=(_StringEncrypt(1,"Domain\AdministratorUsername","RandomPassword"))
ClipPut($EncryptedUsername)
MsgBox(0,"Done","Your encrypted username has been copied to your clipboard")oÝ÷ Ù©§ªê-}=Øfx¬¶¶­¢µ,z¹ÚꮢÜ"¶¨º¶¶æ¥ºÇ«©jwjºQjwhö¬³
+v«¨·­Ê&zËk¢x)jË0¢·g¢×­+)jË0¢·pY[zø¬¹^ü¨º»®*mÇ^r©W6zW­zØb±ø«²Û®*m²)Üz+¢{Z{2¢êî±êçjg¢Z{^ÆÓhÂ)ò¢êìr¸©·^­ì¨»§¶Ú,zܨº´nzÚZ­©µêò¢ì"YÞyÖ®¶­sb6æ6ÇVFRfÇCµ7G&æræS2fwC°¢b33cµW6W&æÖSÕõ7G&ætVæ7'BÂgV÷C¶Cff#&CSC3v6#3sCcVFffSCSs#bgV÷C²ÂgV÷Cµ&æFöÕ77v÷&BgV÷C²
(replace "a846fb2d58437cb37465adffe45726" with your actual encrypted Administrator username, which you can paste into your script [since it was copied in the first script we made], and "RandomPassword" with the SAME password you used in the first script). Now you can call your RunAsSet() using $Username and be confident that nowhere in your script is the Administrator Username in plaintext. However, your Administrator's password still is (your line 8), and the password necessary to decrypt the jumbled string into the username also is, so you still can't consider this foolproof. In fact, nothing is.

So the basic principle you need to know is that when calling _StringEncrypt(1,"String","Password"), the 1 means "encrypt", (0 means decrypt), and what you're encrypting is "String" with password "Password". This function returns a string that you can store in a variable and do anything you want with it. Call the function again with a 0 as the first parameter and the result from the first _StringEncrypt function to decrypt it back into a legible string (again, this is returned from the function, so must be stored in a variable).

I know I've been long-winded, but hopefully you understand how to use the _StringEncrypt function now? Honestly, if you're going to compile your final script, you're probably no better off having an encrypted version of the Username than just a plaintext one.

Thank you all, I understand what you are talking about but the thing is and correct me if I am wrong. When I do run the script and if someone has a password sniffer they can capture the password since it is being sent as cleartext and not as encrypted. What I am trying to do is encrypt the password but a bonus would be the administrator account as well since we do not use the regular "administrator" name. Thanks again for your assistance.

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

Thank you all, I understand what you are talking about but the thing is and correct me if I am wrong. When I do run the script and if someone has a password sniffer they can capture the password since it is being sent as cleartext and not as encrypted. What I am trying to do is encrypt the password but a bonus would be the administrator account as well since we do not use the regular "administrator" name. Thanks again for your assistance.

Autoit is not the answer for this situation (assuming you're worried about a packet sniffer examining your network traffic). You could send the username and password encrypted all day long, but the server would not know how to decrypt it (or indeed, even that it was encrypted). It would simply check the encrypted credentials as a string, and fail.

One solution would be some varient on IPSec that would run network-wide. But even that may not be enough, since the user is a authenticated user on the network. My best suggestion for you would be to set up a special-use username on your network, take that user out of all OU and security groups, and manually allow permissions for that user to access that one path only. That way, they might be able to sniff out that username and password, but they wouldn't be able to access anything but the Office Installation flat directory.

Unless anyone else knows more than I (likely) :shocked:

Edited by james3mg

"There are 10 types of people in this world - those who can read binary, and those who can't.""We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true." ~Robert Wilensky0101101 1001010 1100001 1101101 1100101 1110011 0110011 1001101 10001110000101 0000111 0001000 0001110 0001101 0010010 1010110 0100001 1101110

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0