Obfuscating passwords in script

#1
Hi,

is there a technique/command how to obfuscate passwords in a batch file?

In Python I used to decode rot13 or base64 to achieve this.

I'm not interested in lengthy scripts, just asking if it can be done in say, two, three lines.

I'm aware of input /p, but I need it without interaction.

Thorsten
 
#2
You could use BATCOMP but of course that encodes/compresses the entire file. (You'd want to keep the original elsewhere in some secure location in case you need to modify it in the future.)
 
#3
On Sun, 05 Jun 2011 06:22:14 -0400, thorsten <> wrote:

|is there a technique/command how to obfuscate passwords in a batch file?

A while back, I started to write a pair of plugin functions, a command ("ENCRYPT
name string") to store named encrypted strings (registry, probably) and a
variable function (@DECRYPT[name]) to recall and decrypt them at runtime. But I
didn't get very far with the WIN32 crypto API.

I also considered an encryption algorithm of my own automatically using the
username as an encryption key and storing the strings in an HKCU key (ought to
work, eh?). I could make it a lot stronger than ROT13.

I might get back to one of those projects.
 
#4
Hallo thorsten,


> is there a technique/command how to obfuscate passwords in a batch
> file?
>
> In Python I used to decode rot13 or base64 to achieve this.
>
> I'm not interested in lengthy scripts, just asking if it can be
> done in say, two, three lines.
If you really need only such simple obfuscation (for your kids?), you
might consider storing the ascii values of the password characters in
your script..

Have a look at the @ascii or @unicode and @char functions.

Best regards,

* Klaus Meinhard *
<www.4dos.info>
 
#5
something like this -

set open0=%@fileopen[sometxt.bat:what.txt,w,t]
set w=%@filewrite[%open0,whattever]
set c=%@fileclose[%open0]

stream hidden from general seekers


 
#6
> In Python I used to decode rot13 or base64 to achieve this.

If you're still running Python, you might look at the @PYTHON command (assuming you're not running TCC/LE, which does not support it).
Free base64 [en|de]coder is available with C source at http://www.fourmilab.ch/webtools/base64/.
Will have to check for built in options.
 

Scott Mintz
#7
I wrote a batch file a while back that converts a file to base64.

setlocal
setdos /x-45678
set fh=%@fileopen[%1,r,b]
set r=%@filereadb[%fh,3]
set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
set ofs=0
do while %r != **EOF**
        set wds=%@words[%r]
        set w=%@eval[(%@word[0,%r] SHL 16) + (%@word[1,%r] SHL 8) + %@word[2,%r]]

        rem Deconstruct the three bytes (24 bits) into the four 6-bit chunks
        echos %@instr[%@eval[(%w SHR 18) AND 0x3F],1,%base64]
        echos %@instr[%@eval[(%w SHR 12) AND 0x3F],1,%base64]
        iff %wds ge 2 then
               echos %@instr[%@eval[(%w SHR 6) AND 0x3F],1,%base64]
        else
               echos =
        endiff
        iff %wds ge 3 then
               echos %@instr[%@eval[%w AND 0x3F],1,%base64]
        else
               echos =
        endiff
        set /a ofs+=4
        iff %ofs ge 72 then
               echo.
               set ofs=0
        endiff
        set r=%@filereadb[%fh,3]
enddo
set fh=%@fileclose[%fh]
if %ofs != 0 echo.
endlocal


The following will take a single base64 encoded line and decode it. I didn't have the time to finish making it work with files.

setlocal
setdos /x-45678
set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
set ofs=0
set wds=%@len[%1]
rem TCC strips trailing equal signs.  So just add some on the end so we won't have issues.
set i=%1==
set result=
do while %ofs LT %wds
        set b1=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        set b2=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        set b3=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        set b4=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]

        set i1=%@eval[%@regexindex[%b1,%base64] AND 0x3F]
        set i2=%@eval[%@regexindex[%b2,%base64] AND 0x3F]
        set i3=%@eval[%@regexindex[%b3,%base64] AND 0x3F]
        set i4=%@eval[%@regexindex[%b4,%base64] AND 0x3F]

        rem First byte: all 6 bits of i1 plus the top 2 bits of i2 (SHR 4, not SHR 6)
        set w1=%@eval[(%i1 SHL 2) OR (%i2 SHR 4)]
        set w2=%@eval[((%i2 SHL 4) AND 0xF0) OR (%i3 SHR 2)]
        set w3=%@eval[((%i3 SHL 6) AND 0xC0) OR %i4]

        set result=%[result]%@char[%w1]
        iff %@ascii[%b3] != 61 then
               set result=%[result]%@char[%w2]
               iff %@ascii[%b4] != 61 then
                       set result=%[result]%@char[%w3]
               endiff
        endiff
enddo
echo %result
endlocal

You could put the above into a b64decode.btm file, then create a decode function:

function decode=`%@execstr[b64decode %1]`

and use it within your script as follows:

set password=%@decode[U3VwZXJTZWNyZXRQYXNzd29yZA0K]

If you run the first script (named base64):

base64 con

it will get its input from the command line and display the encoded result to the display. Just hit Ctrl+Z or Ctrl+C to terminate.
-Scott


 

Scott Mintz
#8
Well, that got gortched up in translation...

It would seem that trailing equal signs get stripped out by the email interface.

let's try again from web interface this time:

Code:
Base64.btm

setlocal
setdos /x-45678
set fh=%@fileopen[%1,r,b]
set r=%@filereadb[%fh,3]
set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
set ofs=0
do while %r != **EOF**
        set wds=%@words[%r]
        set w=%@eval[(%@word[0,%r] SHL 16) + (%@word[1,%r] SHL 8) + %@word[2,%r]]

        rem Deconstruct the three bytes (24 bits) into the four 6-bit chunks
        echos %@instr[%@eval[(%w SHR 18) AND 0x3F],1,%base64]
        echos %@instr[%@eval[(%w SHR 12) AND 0x3F],1,%base64]
        iff %wds ge 2 then
               echos %@instr[%@eval[(%w SHR 6) AND 0x3F],1,%base64]
        else
               echos  =       
        endiff
        iff %wds ge 3 then
               echos %@instr[%@eval[%w AND 0x3F],1,%base64]
        else
               echos =
        endiff
        set /a ofs+=4
        iff %ofs ge 72 then
               echo. 
               set ofs=0
        endiff
        set r=%@filereadb[%fh,3]
enddo
set fh=%@fileclose[%fh]
if %ofs != 0 echo.
endlocal
The following will take a single base64 encoded line and decode it. I didn't have the time to finish making
it work with files.

b64decode.btm:

Code:
setlocal
setdos /x-45678
set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
set ofs=0
set wds=%@len[%1]
rem TCC strips trailing equal signs.  So just add some on the end so we won't have issues.
set i=%1==
set result=
do while %ofs LT %wds
        set b1=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        set b2=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        set b3=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        set b4=%@instr[%ofs,1,%i]
        set ofs=%@inc[%ofs]
        
        set i1=%@eval[%@regexindex[%b1,%base64] AND 0x3F]
        set i2=%@eval[%@regexindex[%b2,%base64] AND 0x3F]
        set i3=%@eval[%@regexindex[%b3,%base64] AND 0x3F]
        set i4=%@eval[%@regexindex[%b4,%base64] AND 0x3F]
         
        rem First byte: all 6 bits of i1 plus the top 2 bits of i2 (SHR 4, not SHR 6)
        set w1=%@eval[(%i1 SHL 2) OR (%i2 SHR 4)]
        set w2=%@eval[((%i2 SHL 4) AND 0xF0) OR (%i3 SHR 2)]
        set w3=%@eval[((%i3 SHL 6) AND 0xC0) OR %i4]

        set result=%[result]%@char[%w1]
        iff %@ascii[%b3] != 61 then
               set result=%[result]%@char[%w2]
               iff %@ascii[%b4] != 61 then
                       set result=%[result]%@char[%w3]
               endiff
        endiff
enddo
echo %result
endlocal
You could put the above into a b64decode.btm
file, then create a decode function:
Code:
function decode=`%@execstr[b64decode %1]`
and use it within your script as follows:
Code:
set password=%@decode[U3VwZXJTZWNyZXRQYXNzd29yZA0K]
If you run the first script (named base64):
base64 con
it will get its input from the command
line and display the encoded result to the display. Just hit Ctrl+Z or
Ctrl+C to terminate.
-Scott
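
As an added illustration (not part of Scott's post or of TCC), this Python sketch audits a script for base64 literals that decode to readable text, which shows how little protection an encoded password such as the `%@decode[...]` argument above gets. The sample script, the function names and the 16-character threshold are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample script; the base64 literal is the one used in the post.
SAMPLE_SCRIPT = """\
function decode=`%@execstr[b64decode %1]`
set password=%@decode[U3VwZXJTZWNyZXRQYXNzd29yZA0K]
set user=backup
iftp "ftp://%user:%password@site"
"""

# Runs of 16 or more base64-alphabet characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def printable(data: bytes) -> bool:
    """True if data is non-empty ASCII text (tab, CR and LF allowed)."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def find_encoded_secrets(script: str):
    """Return (line_number, token, decoded_text) for every base64 literal
    in the script that decodes to printable text."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            token = match.group(0)
            # Padding may have been stripped in transit, so restore it.
            padded = token + "=" * (-len(token) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 after all
            if printable(decoded):
                text = decoded.decode("ascii").rstrip("\r\n")
                hits.append((lineno, token, text))
    return hits


if __name__ == "__main__":
    for lineno, token, text in find_encoded_secrets(SAMPLE_SCRIPT):
        print(f"line {lineno}: {token} decodes to {text!r}")
```
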
 
#10
What about not storing the passwords, but instead store the hash using @MD5 or @SHA256/384/512? Store the hashed password then just compare the hash of the entered password to the stored hash. You won't be able to recover the initial password doing it this way though.
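
The store-a-hash-and-compare approach described above, as an added Python example that is not code from this thread or from TCC. It goes beyond a bare @MD5/@SHA256 digest by adding a per-record salt, an iterated hash (PBKDF2) and a constant-time comparison; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune for the host


def make_record(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Build the string that is stored in place of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify(entered, record):
    """Re-derive the hash from the entered password and compare it with the
    stored one in constant time. Malformed records fail closed."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = make_record("secret")  # constructed sample password
    print(stored)
    print(verify("secret", stored), verify("Secret", stored))
```
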
 
#11
On Mon, 06 Jun 2011 15:35:34 -0400, JohnQSmith <> wrote:

|What about not storing the passwords, but instead store the hash using @MD5 or @SHA256/384/512? Store the hashed password then just compare the hash of the entered password to the stored hash. You won't be able to recover the initial password doing it this way though.

That wouldn't help if the password were being sent elsewhere. For example, one
might want to

iftp "ftp://name:%@DECRYPT["site pw"]@site"

where "site pw" is the name of an encrypted password.
 
#12
Searched for something completely different and stumbled upon this old thread.
It got me thinking ... how could this be solved with "2011-TCC" (now there are better options)

One possibility:
- create dummy.btm with content: set password=secret
- encrypt this: batcomp dummy.btm MyScript.btm
- Contents of MyScript.btm: PK"lot of gibberish"

- edit MyScript.btm:
Code:
setlocal
goto :STEP2
PK"lot of gibberish"
:STEP2
   findstr /b "PK" %_batchname > x.btm
   call x.btm
   del x.btm
   echo password=%password
- Done.
 
#13
I actually found a major weakness with BATCOMP compressed/encrypted batch files.

Simply use the LOG command to turn on command logging prior to running the batch file and then turn logging back off again afterwards. The command logging will log and list all commands that are run (after variable/alias expansion), including those run from batch files, even if those batch files are compressed/encrypted.

Obviously TCC has to have some kind of hard-coded key stored in itself, or it wouldn't be able to decrypt the batch file in memory so it could run.
 
#14
A few things come to mind.

First, there are lots of command line variations of the unix "crypt", and you could just pipe things through that using @line[] and @execstr.

Personally, what I find the best way to handle passwords is to set them in the global environment (set /S), and pull them out as %APP_PW% strings. That way, even if I share the batch file, or someone gets it, it does them no good without the source PC. I use this a lot when moving data between my home and work computers. Each PC has the password in the environment, so the scripts can decrypt the USB device, but in transit, if I were to lose my USB disk, the password itself doesn't exist on the disk to be stolen. It also means I can use 128 character passwords, rather than something easily typeable and crackable.