Solved

Safe way to use a password in a bat or cmd file?

Posted on 2016-07-26
8
50 Views
Last Modified: 2016-08-02
I have a program I need to run several sessions of at a time so I am looking at scripting it to open and log on to each one. For the exe I have the syntax but don't want to use my password in a unencrypted format.

It would look something like this
appsRUS.exe -b servername1 -u domain\myaccount -p compootersarecool

I need to make the -p part encrypted and not use plain text in a script.
0
Comment
Question by:REIUSA
8 Comments
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 125 total points
ID: 41729674
This has been asked here before --- See this Question

But if you read through that thread you will see what I'm about to ask -- why are you doing this?  Because it sounds like you have come up with a solution to do something which really should be done a different way.
0
 

Author Comment

by:REIUSA
ID: 41729689
Thanks for the link. I am just trying to make it easier to open multiple sessions to different sites and free up about 20 minutes of my morning.

Even if I could figure out a way to do a run as on the script that would carry over to the command that would work.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41729706
What do you mean multiple sessions to different sites?  Do you mean web sites?  Remote App login?  RDP?
0
 

Author Comment

by:REIUSA
ID: 41729733
Using a local client .exe connecting to different application servers for each region.

The application is the vsphere client connecting to different vcenter servers across the globe.

What I am trying to do is set up a script that I can click on and it will open the exe and connect to each site individually. I have the syntax that will work with the exe just don't want to put my password in a plain text file.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 41729743
There's no safe way in batch, sorry, You can obfuscate it, but everybody who knows a little bit about batch will be able to retrieve the password.
You can use the Powershell script below; it allows you to save the credentials as an "Alternate Data Stream" (ADS) in the file object.
The credentials in the ADS will be encrypted and can only be retrieved on the machine where it was saved, and only from the user who saved it, so it's reasonably safe.
Call the script with the argument -SaveCredential to save the credentials.
Note that some Editors (like Notepad++) remove ADS on saving, others do not (like Notepad), so you might have to re-save the password after script changes, depending on the editor.
The ADS will be copied with the script file itself as long as the target is NTFS, and will be lost otherwise.
[CmdletBinding()]
Param(
	[switch]$SaveCredential
)
$Application = "appsRUS.exe"

$ScriptItem = Get-Item -Path $MyInvocation.MyCommand.Path
$StreamName = 'MetaData'
If ($SaveCredential) {
	$gcArgs = @{'Message' = "Logon information for $($Application)"}
	$gcArgs['UserName'] = Try {([Management.Automation.PSSerializer]::Deserialize((Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue))).UserName} Catch {''}
	If ($Credential = Get-Credential @gcArgs) {
		Try {
			$LastWriteTimeUtc = $ScriptItem.LastWriteTimeUtc
			Set-Content -Path $ScriptItem.FullName -Value ([Management.Automation.PSSerializer]::Serialize($Credential)) -Stream $StreamName -ErrorAction Stop
			$ScriptItem.LastWriteTimeUtc = $LastWriteTimeUtc
		} Catch {
			Throw "Could not save credentials: $($_.Exception.Message)"
		}
	} Else {
		"No credentials were entered, logon information was not saved!" | Write-Warning
	}
	Exit
} Else {
	If ($StreamData = (Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue)) {
		Try {
			$Credential = [Management.Automation.PSSerializer]::Deserialize($StreamData)
		} Catch {
			Throw "You are not authorized to use this script."
		}
	} Else {
		Throw "File is corrupted, password information is not available."
	}
}
$Username = $Credential.UserName
$Password = $Credential.GetNetworkCredential().Password

$ServerList = @(
	'servername1'
	'servername2'
)
ForEach ($Server In $ServerList) {
	"Starting $($Application) on $($Server) ..."
	& $Application -b $Server -u $Username -p "`"$($Password)`""
}

Open in new window

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41729766
If you used the VSphere Web Client instead of the .exe then you could easily couple that with something like LastPass which would automatically fill in the credentials for you while keeping them all very secure.

Any reason that wouldn't work for you?
0
 
LVL 32

Assisted Solution

by:sarabande
sarabande earned 125 total points
ID: 41729793
you should consider a solution where you only provide the update information at a share, and let the servers fetch the update theirselves. the only thing you have to do is to establish a mechanism where the servers know that a new update was available.

or, you were using a service at your computer and services at the target computers. all these services could be installed by using a special account at their own computer which cannot be used for interactive login. then do the job you want to do by sending the updates directly between the services. i would use tcp/ip or udp sockets for this.

doing so, no login, no username, no passwords were involved.

note, any script which uses a password in plain text could be interrupted exactly at the statement where the password was transfered. if using obfuscation you can't really stop experts from hacking this. this must not necessarily be an attack. it simply could be the decision of your boss while you were not available. nevertheless if a bundle of server passwords have become into wrong hands and need to be exchanged, it was you who was blamed for when you come back.

Sara
0
 
LVL 16

Expert Comment

by:Brian Pringle
ID: 41729924
Have you considered turning the batch file into an executable?  

http://bat2exe.net/
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Viewers will learn how to properly install Eclipse with the necessary JDK, and will take a look at an introductory Java program. Download Eclipse installation zip file: Extract files from zip file: Download and install JDK 8: Open Eclipse and …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now