Solved

Safe way to use a password in a bat or cmd file?

Posted on 2016-07-26
8
56 Views
Last Modified: 2016-08-02
I have a program I need to run several sessions of at a time so I am looking at scripting it to open and log on to each one. For the exe I have the syntax but don't want to use my password in a unencrypted format.

It would look something like this
appsRUS.exe -b servername1 -u domain\myaccount -p compootersarecool

I need to make the -p part encrypted and not use plain text in a script.
0
Comment
Question by:REIUSA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 125 total points
ID: 41729674
This has been asked here before --- See this Question

But if you read through that thread you will see what I'm about to ask -- why are you doing this?  Because it sounds like you have come up with a solution to do something which really should be done a different way.
0
 

Author Comment

by:REIUSA
ID: 41729689
Thanks for the link. I am just trying to make it easier to open multiple sessions to different sites and free up about 20 minutes of my morning.

Even if I could figure out a way to do a run as on the script that would carry over to the command that would work.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41729706
What do you mean multiple sessions to different sites?  Do you mean web sites?  Remote App login?  RDP?
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 

Author Comment

by:REIUSA
ID: 41729733
Using a local client .exe connecting to different application servers for each region.

The application is the vsphere client connecting to different vcenter servers across the globe.

What I am trying to do is set up a script that I can click on and it will open the exe and connect to each site individually. I have the syntax that will work with the exe just don't want to put my password in a plain text file.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 250 total points
ID: 41729743
There's no safe way in batch, sorry, You can obfuscate it, but everybody who knows a little bit about batch will be able to retrieve the password.
You can use the Powershell script below; it allows you to save the credentials as an "Alternate Data Stream" (ADS) in the file object.
The credentials in the ADS will be encrypted and can only be retrieved on the machine where it was saved, and only from the user who saved it, so it's reasonably safe.
Call the script with the argument -SaveCredential to save the credentials.
Note that some Editors (like Notepad++) remove ADS on saving, others do not (like Notepad), so you might have to re-save the password after script changes, depending on the editor.
The ADS will be copied with the script file itself as long as the target is NTFS, and will be lost otherwise.
[CmdletBinding()]
Param(
	[switch]$SaveCredential
)
$Application = "appsRUS.exe"

$ScriptItem = Get-Item -Path $MyInvocation.MyCommand.Path
$StreamName = 'MetaData'
If ($SaveCredential) {
	$gcArgs = @{'Message' = "Logon information for $($Application)"}
	$gcArgs['UserName'] = Try {([Management.Automation.PSSerializer]::Deserialize((Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue))).UserName} Catch {''}
	If ($Credential = Get-Credential @gcArgs) {
		Try {
			$LastWriteTimeUtc = $ScriptItem.LastWriteTimeUtc
			Set-Content -Path $ScriptItem.FullName -Value ([Management.Automation.PSSerializer]::Serialize($Credential)) -Stream $StreamName -ErrorAction Stop
			$ScriptItem.LastWriteTimeUtc = $LastWriteTimeUtc
		} Catch {
			Throw "Could not save credentials: $($_.Exception.Message)"
		}
	} Else {
		"No credentials were entered, logon information was not saved!" | Write-Warning
	}
	Exit
} Else {
	If ($StreamData = (Get-Content -Path $ScriptItem.FullName -Stream $StreamName -ErrorAction SilentlyContinue)) {
		Try {
			$Credential = [Management.Automation.PSSerializer]::Deserialize($StreamData)
		} Catch {
			Throw "You are not authorized to use this script."
		}
	} Else {
		Throw "File is corrupted, password information is not available."
	}
}
$Username = $Credential.UserName
$Password = $Credential.GetNetworkCredential().Password

$ServerList = @(
	'servername1'
	'servername2'
)
ForEach ($Server In $ServerList) {
	"Starting $($Application) on $($Server) ..."
	& $Application -b $Server -u $Username -p "`"$($Password)`""
}

Open in new window

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 41729766
If you used the VSphere Web Client instead of the .exe then you could easily couple that with something like LastPass which would automatically fill in the credentials for you while keeping them all very secure.

Any reason that wouldn't work for you?
0
 
LVL 34

Assisted Solution

by:sarabande
sarabande earned 125 total points
ID: 41729793
you should consider a solution where you only provide the update information at a share, and let the servers fetch the update theirselves. the only thing you have to do is to establish a mechanism where the servers know that a new update was available.

or, you were using a service at your computer and services at the target computers. all these services could be installed by using a special account at their own computer which cannot be used for interactive login. then do the job you want to do by sending the updates directly between the services. i would use tcp/ip or udp sockets for this.

doing so, no login, no username, no passwords were involved.

note, any script which uses a password in plain text could be interrupted exactly at the statement where the password was transfered. if using obfuscation you can't really stop experts from hacking this. this must not necessarily be an attack. it simply could be the decision of your boss while you were not available. nevertheless if a bundle of server passwords have become into wrong hands and need to be exchanged, it was you who was blamed for when you come back.

Sara
0
 
LVL 16

Expert Comment

by:Brian Pringle
ID: 41729924
Have you considered turning the batch file into an executable?  

http://bat2exe.net/
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will learn how to make Android Gesture Tutorial and give different functionality whenever a user Touch or Scroll android screen.
Although it can be difficult to imagine, someday your child will have a career of his or her own. He or she will likely start a family, buy a home and start having their own children. So, while being a kid is still extremely important, it’s also …
Simple Linear Regression
Starting up a Project

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question