NewBie - Encrypting admin username so it does send it as cleartext

[wooying]

Some of our users do not have local admin rights to their computer and I need to install Office on their computer. Here what I have so far

1 #include <String.au3>

2 ;Declare all variables used

3 Dim $Username, $Password

4

5 ; Initialization of the variables

6 $USERNAME = "administrator"

7 $Domain = "DOMAIN"

8 $Password = "ADMIN PASSWORD"

9 _StringEncrypt ($s_EncryptPassword, $i_EncryptLevel, [1]

10 ; Set the RunAs parameters to use domain adminstrator account

11 RunAsSet($USERNAME, $Domain, $s_EncryptPassword)

I know line 9 is wrong and so is 11. Can anyone give me some advice, I have look into the help file and for a newbie it hard to understand AutoIT. TIA

[tannerli]

I dont really understand why you want to encrypt this string... because all the StringEncrypt function does is to make gibberish of a text that only the same function called with the same password can unlock...

but you still have to send the DEcrypted version of the login data:

RunAsSet("administrator", "domain", "pass_00")

what exactly do you want do prevent with the encryption?

[james3mg]

First, you need to realize that if you compile the script, the admin's username will not be visible in plaintext unless it is decompiled. That being said, it's not terribly difficult to decompile AutoIt scripts, so this may be an appropriate precaution. However, if your script is decompiled, the password to decrypt the administrator password will be visible, so they will probably be able to extract it anyway.

However, to answer your question: specifically, it seems to me that you need to first write a script that encrypts your admin's username so you have that as text. Something like the following:

#include <String.au3>
$EncryptedUsername=(_StringEncrypt(1,"Domain\AdministratorUsername","RandomPassword"))
ClipPut($EncryptedUsername)
MsgBox(0,"Done","Your encrypted username has been copied to your clipboard")oÝ÷ Ù©§ªê-}=Øfx¬¶¶­¢µ,z¹ÚꮢÜ"¶¨º¶¶æ¥ºÇ«©jwjºQjwhö¬³
+v«¨·­Ê&zËk¢x)jË0¢·g¢×­+)jË0¢·pY[zø¬¹^ü¨º»®*mÇ^r©W6zW­zØb±ø«²Û®*m²)Üz+¢{Z{2¢êî±êçjg¢Z{^ÆÓhÂ)ò¢êìr¸©·^­ì¨»§¶Ú,zܨº´nzÚZ­©µêò¢ì"YÞyÖ®¶­sb6æ6ÇVFRfÇCµ7G&æræS2fwC°¢b33cµW6W&æÖSÕõ7G&ætVæ7'BÂgV÷C¶Cff#&CSC3v6#3sCcVFffSCSs#bgV÷C²ÂgV÷Cµ&æFöÕ77v÷&BgV÷C²

(replace "a846fb2d58437cb37465adffe45726" with your actual encrypted Administrator username, which you can paste into your script [since it was copied in the first script we made], and "RandomPassword" with the SAME password you used in the first script). Now you can call your RunAsSet() using $Username and be confident that nowhere in your script is the Administrator Username in plaintext. However, your Administrator's password still is (your line 8), and the password necessary to decrypt the jumbled string into the username also is, so you still can't consider this foolproof. In fact, nothing is.

So the basic principle you need to know is that when calling _StringEncrypt(1,"String","Password"), the 1 means "encrypt", (0 means decrypt), and what you're encrypting is "String" with password "Password". This function returns a string that you can store in a variable and do anything you want with it. Call the function again with a 0 as the first parameter and the result from the first _StringEncrypt function to decrypt it back into a legible string (again, this is returned from the function, so must be stored in a variable).

I know I've been long-winded, but hopefully you understand how to use the _StringEncrypt function now? Honestly, if you're going to compile your final script, you're probably no better off having an encrypted version of the Username than just a plaintext one.

[wooying]

First, you need to realize that if you compile the script, the admin's username will not be visible in plaintext unless it is decompiled. That being said, it's not terribly difficult to decompile AutoIt scripts, so this may be an appropriate precaution. However, if your script is decompiled, the password to decrypt the administrator password will be visible, so they will probably be able to extract it anyway.

However, to answer your question: specifically, it seems to me that you need to first write a script that encrypts your admin's username so you have that as text. Something like the following:

#include <String.au3>
$EncryptedUsername=(_StringEncrypt(1,"Domain\AdministratorUsername","RandomPassword"))
ClipPut($EncryptedUsername)
MsgBox(0,"Done","Your encrypted username has been copied to your clipboard")oÝ÷ Ù©§ªê-}=Øfx¬¶¶­¢µ,z¹ÚꮢÜ"¶¨º¶¶æ¥ºÇ«©jwjºQjwhö¬³
+v«¨·­Ê&zËk¢x)jË0¢·g¢×­+)jË0¢·pY[zø¬¹^ü¨º»®*mÇ^r©W6zW­zØb±ø«²Û®*m²)Üz+¢{Z{2¢êî±êçjg¢Z{^ÆÓhÂ)ò¢êìr¸©·^­ì¨»§¶Ú,zܨº´nzÚZ­©µêò¢ì"YÞyÖ®¶­sb6æ6ÇVFRfÇCµ7G&æræS2fwC°¢b33cµW6W&æÖSÕõ7G&ætVæ7'BÂgV÷C¶Cff#&CSC3v6#3sCcVFffSCSs#bgV÷C²ÂgV÷Cµ&æFöÕ77v÷&BgV÷C²

(replace "a846fb2d58437cb37465adffe45726" with your actual encrypted Administrator username, which you can paste into your script [since it was copied in the first script we made], and "RandomPassword" with the SAME password you used in the first script). Now you can call your RunAsSet() using $Username and be confident that nowhere in your script is the Administrator Username in plaintext. However, your Administrator's password still is (your line 8), and the password necessary to decrypt the jumbled string into the username also is, so you still can't consider this foolproof. In fact, nothing is.

So the basic principle you need to know is that when calling _StringEncrypt(1,"String","Password"), the 1 means "encrypt", (0 means decrypt), and what you're encrypting is "String" with password "Password". This function returns a string that you can store in a variable and do anything you want with it. Call the function again with a 0 as the first parameter and the result from the first _StringEncrypt function to decrypt it back into a legible string (again, this is returned from the function, so must be stored in a variable).

I know I've been long-winded, but hopefully you understand how to use the _StringEncrypt function now? Honestly, if you're going to compile your final script, you're probably no better off having an encrypted version of the Username than just a plaintext one.

Thank you all, I understand what you are talking about but the thing is and correct me if I am wrong. When I do run the script and if someone has a password sniffer they can capture the password since it is being sent as cleartext and not as encrypted. What I am trying to do is encrypt the password but a bonus would be the administrator account as well since we do not use the regular "administrator" name. Thanks again for your assistance.

[james3mg]

Thank you all, I understand what you are talking about but the thing is and correct me if I am wrong. When I do run the script and if someone has a password sniffer they can capture the password since it is being sent as cleartext and not as encrypted. What I am trying to do is encrypt the password but a bonus would be the administrator account as well since we do not use the regular "administrator" name. Thanks again for your assistance.

Autoit is not the answer for this situation (assuming you're worried about a packet sniffer examining your network traffic). You could send the username and password encrypted all day long, but the server would not know how to decrypt it (or indeed, even that it was encrypted). It would simply check the encrypted credentials as a string, and fail.

One solution would be some varient on IPSec that would run network-wide. But even that may not be enough, since the user is a authenticated user on the network. My best suggestion for you would be to set up a special-use username on your network, take that user out of all OU and security groups, and manually allow permissions for that user to access that one path only. That way, they might be able to sniff out that username and password, but they wouldn't be able to access anything but the Office Installation flat directory.

Unless anyone else knows more than I (likely)

Edited April 19, 2007 by james3mg