    net user NewAdmin MyPassword /ADD

Now, of course, having such a line in a batch file is a Really Bad Idea™ because you have the password in clear text. The client asked if there was a way that I could obscure the password. I told him that it wouldn't be really secure, and he replied that that was fine; he just wanted to "keep honest people honest."
So here, then, is the KHPH method of obscuring passwords in batch files:
Tools needed: Microsoft Script Encoder.
- Create a one-line VBScript that echoes your password, like this:

    wscript.echo "MyPassword"

  Save it as “Pass.vbs”.
- Encode Pass.vbs using the Microsoft Script Encoder:

    screnc.exe Pass.vbs Pass.vbe

- Open Pass.vbe in Notepad. Copy out the entire line. Here is what it looks like for the script I wrote above:

    #@~^GQAAAA==Akm.bwDR+1tK~JtXKlk/AGMNJVgkAAA==^#~@

- Now, go through the string and find all the DOS reserved characters. According to this page, the DOS reserved characters are

    & | ( ) < > ^

  Each of these characters has to be escaped with a caret (^) symbol, like this:

    #@~^^GQAAAA==Akm.bwDR+1tK~JtXKlk/AGMNJVgkAAA==^^#~@

- Now take this string, and add it to the echo command in this batch file fragment:

    rem Write the encoded script to a randomly named temp file
    rem (paths are quoted because %TEMP% can contain spaces)
    set _data=%TEMP%\~dt%RANDOM%.vbe
    echo #@~^^GQAAAA==Akm.bwDR+1tK~JtXKlk/AGMNJVgkAAA==^^#~@>"%_data%"
    rem Run the script and capture the password it echoes
    for /f %%a in ('cscript "%_data%" //NOLOGO') do set _t=%%a
    del "%_data%"
    net user NewAdmin %_t% /ADD
    rem Clear the variable so the password does not linger in the environment
    set _t=

Note: This isn’t real secure – all someone has to do is create and run the vbe file themselves to see what the password is. But it should keep out the non-technical curious.
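
Because the obscured form is this easy to reverse, it is worth treating both forms as stored credentials when reviewing scripts. The following is an added example, not part of the original post: a small Python audit that flags batch files containing either a clear-text `net user ... /ADD` password or an embedded Script Encoder blob (recognised by its `#@~^` ... `^#~@` wrapper). The function name `audit_batch` and the finding labels are assumptions made for illustration.

```python
import re

# Script Encoder output is wrapped in "#@~^" ... "^#~@". Inside a batch file
# every caret is doubled by the escaping step, so accept one or two.
ENCODED_SCRIPT = re.compile(r"#@~\^{1,2}.+?\^{1,2}#~@")
# net user <account> <password> ... /ADD, case-insensitive.
NET_USER_ADD = re.compile(
    r"\bnet(?:\.exe)?\s+user\s+(\S+)\s+(\S+)(?:\s+\S+)*?\s+/add\b", re.I)
# %var% or !var! means the password is supplied by a variable.
VARIABLE = re.compile(r"^(%[^%\s]+%|![^!\s]+!)$")


def audit_batch(text):
    """Return (line_number, finding, account) tuples for one batch file."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip comments so documentation lines are not reported.
        if stripped.lower().startswith(("rem ", "::")):
            continue
        if ENCODED_SCRIPT.search(stripped):
            findings.append((number, "encoded-script", None))
        match = NET_USER_ADD.search(stripped)
        if match:
            account, password = match.groups()
            if password == "*":
                continue  # interactive prompt, nothing stored in the file
            kind = ("variable-password" if VARIABLE.match(password)
                    else "cleartext-password")
            # The password itself is deliberately left out of the report.
            findings.append((number, kind, account))
    return findings


# The post's fragment and clear-text line, plus a constructed comment line.
SAMPLE = r"""rem net user Example Secret /ADD
net user NewAdmin MyPassword /ADD
set _data=%TEMP%\~dt%RANDOM%.vbe
echo #@~^^GQAAAA==Akm.bwDR+1tK~JtXKlk/AGMNJVgkAAA==^^#~@>%_data%
for /f %%a in ('cscript "%_data%" //NOLOGO') do set _t=%%a
del %_data%
net user NewAdmin %_t% /ADD
set _t=
"""

if __name__ == "__main__":
    for finding in audit_batch(SAMPLE):
        print(finding)
```

A `variable-password` finding next to an `encoded-script` finding in the same file is the pattern described in this post.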