
Obfuscating passwords in script

Discussion in 'Support' started by thorsten, Jun 5, 2011.

  1. thorsten

    Hi,

    Is there a technique/command to obfuscate passwords in a batch file?

    In Python I used to decode rot13 or base64 to achieve this.

    I'm not interested in lengthy scripts, just asking if it can be done in say, two, three lines.

    I'm aware of input /p, but I need it without interaction.

    Thorsten
     
  2. Rod Savard

    You could use BATCOMP but of course that encodes/compresses the entire file. (You'd want to keep the original elsewhere in some secure location in case you need to modify it in the future.)
     
  3. vefatica

    On Sun, 05 Jun 2011 06:22:14 -0400, thorsten <> wrote:

    |is there a technique/command how to obfuscate passwords in a batch file?

    A while back, I started to write a pair of plugin functions, a command ("ENCRYPT name string") to store named encrypted strings (registry, probably) and a variable function (@DECRYPT[name]) to recall and decrypt them at runtime. But I didn't get very far with the WIN32 crypto API.

    I also considered an encryption algorithm of my own, automatically using the username as an encryption key and storing the strings in an HKCU key (ought to work, eh?). I could make it a lot stronger than ROT13.

    I might get back to one of those projects.
     
  4. K_Meinhard

    Hello thorsten,

    If you really need only such simple obfuscation (for your kids?), you might consider storing the ASCII values of the password characters in your script.

    Have a look at the @ascii or @unicode and @char functions.

    Best regards,

    * Klaus Meinhard *
    <www.4dos.info>
     
  5. Kachupp

    Something like this:

    Code:
    rem Write the text into an NTFS alternate data stream of sometxt.bat
    set open0=%@fileopen[sometxt.bat:what.txt,w,t]
    set w=%@filewrite[%open0,whattever]
    set c=%@fileclose[%open0]

    The stream is hidden from general seekers.


     
  6. JohnQSmith

    If you're still running Python, you might look at the @PYTHON command (assuming you're not running TCC/LE, which does not support it).
    Free base64 [en|de]coder is available with C source at http://www.fourmilab.ch/webtools/base64/.
    Will have to check for built in options.
     
  7. samintz (Scott Mintz)

    I wrote a batch file a while back that converts a file to base64.

    Code:
    setlocal
    setdos /x-45678
    set fh=%@fileopen[%1,r,b]
    set r=%@filereadb[%fh,3]
    set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
    set ofs=0
    do while %r != **EOF**
            set wds=%@words[%r]
            set w=%@eval[(%@word[0,%r] SHL 16) + (%@word[1,%r] SHL 8) + %@word[2,%r]]

            rem Deconstruct the three bytes (24 bits) into the four 6-bit chunks
            echos %@instr[%@eval[(%w SHR 18) AND 0x3F],1,%base64]
            echos %@instr[%@eval[(%w SHR 12) AND 0x3F],1,%base64]
            iff %wds ge 2 then
                   echos %@instr[%@eval[(%w SHR 6) AND 0x3F],1,%base64]
            else
                   echos =
            endiff
            iff %wds ge 3 then
                   echos %@instr[%@eval[%w AND 0x3F],1,%base64]
            else
                   echos =
            endiff
            set /a ofs+=4
            iff %ofs ge 72 then
                   echo.
                   set ofs=0
            endiff
            set r=%@filereadb[%fh,3]
    enddo
    set fh=%@fileclose[%fh]
    if %ofs != 0 echo.
    endlocal

    The following will take a single base64 encoded line and decode it. I didn't have the time to finish making it work with files.

    Code:
    setlocal
    setdos /x-45678
    set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
    set ofs=0
    set wds=%@len[%1]
    rem TCC strips trailing equal signs.  So just add some on the end so we won't have issues.
    set i=%1==
    set result=
    do while %ofs LT %wds
            set b1=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            set b2=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            set b3=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            set b4=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]

            set i1=%@eval[%@regexindex[%b1,%base64] AND 0x3F]
            set i2=%@eval[%@regexindex[%b2,%base64] AND 0x3F]
            set i3=%@eval[%@regexindex[%b3,%base64] AND 0x3F]
            set i4=%@eval[%@regexindex[%b4,%base64] AND 0x3F]

            set w1=%@eval[(%i1 SHL 2) OR (%i2 SHR 6)]
            set w2=%@eval[((%i2 SHL 4) AND 0xF0) OR (%i3 SHR 2)]
            set w3=%@eval[((%i3 SHL 6) AND 0xC0) OR %i4]

            set result=%[result]%@char[%w1]
            iff %@ascii[%b3] != 61 then
                   set result=%[result]%@char[%w2]
                   iff %@ascii[%b4] != 61 then
                           set result=%[result]%@char[%w3]
                   endiff
            endiff
    enddo
    echo %result
    endlocal

    You could put the above into a b64decode.btm file, then create a decode function:

    Code:
    function decode=`%@execstr[b64decode %1]`

    and use it within your script as follows:

    Code:
    set password=%@decode[U3VwZXJTZWNyZXRQYXNzd29yZA0K]

    If you run the first script (named base64):

    Code:
    base64 con

    it will get its input from the command line and display the encoded result to the display. Just hit Ctrl+Z or Ctrl+C to terminate.
    -Scott
     
  8. samintz (Scott Mintz)

    Well, that got gortched up in translation...

    It would seem that trailing equal signs get stripped out by the email interface.

    Let's try again from the web interface this time:

    Base64.btm:

    Code:
    setlocal
    setdos /x-45678
    set fh=%@fileopen[%1,r,b]
    rem @filereadb returns the bytes read as space-separated decimal values, or **EOF**
    set r=%@filereadb[%fh,3]
    set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
    set ofs=0
    do while %r != **EOF**
            set wds=%@words[%r]
            rem Pad the word list with zeros so a short final group (1 or 2 bytes) still evaluates
            set w=%@eval[(%@word[0,%r 0 0] SHL 16) + (%@word[1,%r 0 0] SHL 8) + %@word[2,%r 0 0]]

            rem Deconstruct the three bytes (24 bits) into the four 6-bit chunks
            echos %@instr[%@eval[(%w SHR 18) AND 0x3F],1,%base64]
            echos %@instr[%@eval[(%w SHR 12) AND 0x3F],1,%base64]
            rem A short final group is padded with '='
            iff %wds ge 2 then
                   echos %@instr[%@eval[(%w SHR 6) AND 0x3F],1,%base64]
            else
                   echos =
            endiff
            iff %wds ge 3 then
                   echos %@instr[%@eval[%w AND 0x3F],1,%base64]
            else
                   echos =
            endiff
            rem Wrap the output at 72 characters per line
            set /a ofs+=4
            iff %ofs ge 72 then
                   echo.
                   set ofs=0
            endiff
            set r=%@filereadb[%fh,3]
    enddo
    set fh=%@fileclose[%fh]
    if %ofs != 0 echo.
    endlocal

    The following will take a single base64 encoded line and decode it. I didn't have the time to finish making it work with files.

    b64decode.btm:

    Code:
    setlocal
    setdos /x-45678
    set base64=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
    set ofs=0
    set wds=%@len[%1]
    rem TCC strips trailing equal signs.  So just add some on the end so we won't have issues.
    set i=%1==
    set result=
    do while %ofs LT %wds
            set b1=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            set b2=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            set b3=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            set b4=%@instr[%ofs,1,%i]
            set ofs=%@inc[%ofs]
            
            set i1=%@eval[%@regexindex[%b1,%base64] AND 0x3F]
            set i2=%@eval[%@regexindex[%b2,%base64] AND 0x3F]
            set i3=%@eval[%@regexindex[%b3,%base64] AND 0x3F]
            set i4=%@eval[%@regexindex[%b4,%base64] AND 0x3F]
             
            set w1=%@eval[(%i1 SHL 2) OR (%i2 SHR 6)]
            set w2=%@eval[((%i2 SHL 4) AND 0xF0) OR (%i3 SHR 2)]
            set w3=%@eval[((%i3 SHL 6) AND 0xC0) OR %i4]
    
            set result=%[result]%@char[%w1]
            iff %@ascii[%b3] != 61 then
                   set result=%[result]%@char[%w2]
                   iff %@ascii[%b4] != 61 then
                           set result=%[result]%@char[%w3]
                   endiff
            endiff
    enddo
    echo %result
    endlocal
    
    You could put the above into a b64decode.btm file, then create a decode function:
    Code:
    function decode=`%@execstr[b64decode %1]`

    and use it within your script as follows:
    Code:
    set password=%@decode[U3VwZXJTZWNyZXRQYXNzd29yZA0K]

    If you run the first script (named base64):
    Code:
    base64 con

    it will get its input from the command line and display the encoded result to the display. Just hit Ctrl+Z or Ctrl+C to terminate.
    -Scott
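The 3-bytes-to-4-characters scheme that Scott's Base64.btm and b64decode.btm implement, as an added example in Python (the language the original question mentions using for rot13 and base64). This is not code from the thread: the token it decodes is the one in Scott's `set password=` line, and the standard-library `base64` module is used only to cross-check the hand-rolled codec. Beyond the posted scripts it pads and unpads the short final group, rejects malformed input, and shows that the stored token carries the CR LF typed at the console when the encoder was run as `base64 con`. None of this protects the password: anyone who can read the script can run the same decoder.

```python
# Added example, not code from the thread: the base64 scheme of Base64.btm /
# b64decode.btm in Python, with padding, input validation and a cross-check.
import base64  # standard library; used only to cross-check the hand-rolled codec

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode(data: bytes) -> str:
    """Encode bytes: each group of 3 bytes becomes four 6-bit indexes into B64."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Left-align the group in a 24-bit word; a missing byte contributes zero bits.
        w = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        out.append(B64[(w >> 18) & 0x3F])
        out.append(B64[(w >> 12) & 0x3F])
        out.append(B64[(w >> 6) & 0x3F] if n >= 2 else "=")  # '=' when only 1 byte
        out.append(B64[w & 0x3F] if n >= 3 else "=")         # '=' when 1 or 2 bytes
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Decode; rejects a bad length, characters outside B64 and misplaced '='."""
    text = text.strip()
    if len(text) % 4:
        raise ValueError("base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        # Padding is at most two '=' at the end of the last group only.
        if pad and (pad > 2 or quad[4 - pad:] != "=" * pad or i + 4 != len(text)):
            raise ValueError(f"bad padding in group {quad!r}")
        # Plain table lookup: B64.index raises ValueError on any other character,
        # and '+' or '/' need no escaping because nothing here is a pattern.
        v = [0 if c == "=" else B64.index(c) for c in quad]
        w = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3]
        out += w.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def rejects(text: str) -> bool:
    """True when b64decode refuses the input (exercises the error paths)."""
    try:
        b64decode(text)
    except ValueError:
        return True
    return False


# Token from Scott's example, decoded the way %@decode[...] would.  The trailing
# CR LF is the line ending typed at the console when the encoder ran as "base64 con".
SCRIPT_TOKEN = "U3VwZXJTZWNyZXRQYXNzd29yZA0K"


def password_from_script(token: str = SCRIPT_TOKEN) -> str:
    """What the batch file gets back, with the console line ending stripped."""
    return b64decode(token).decode("ascii").rstrip("\r\n")


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled codec against the standard library."""
    enc = b64encode(data)
    return enc == base64.b64encode(data).decode("ascii") and b64decode(enc) == data


if __name__ == "__main__":
    print(b64encode(b"SuperSecretPassword\r\n"))  # the token stored in the script
    print(repr(password_from_script()))
```

The lookup is a plain table index, so `+` and `/` are ordinary characters; the posted decoder hands each character to `@regexindex` as the search expression, and a plain index sidesteps that question. Strip the line ending before using a value produced this way, or the "password" sent to a server will end in CR LF.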
     
  9. samintz (Scott Mintz)

    I attached the scripts to this message.
    -Scott

     


  10. JohnQSmith

    What about not storing the passwords, but instead store the hash using @MD5 or @SHA256/384/512? Store the hashed password then just compare the hash of the entered password to the stored hash. You won't be able to recover the initial password doing it this way though.
     
  11. vefatica

    On Mon, 06 Jun 2011 15:35:34 -0400, JohnQSmith <> wrote:

    |What about not storing the passwords, but instead store the hash using @MD5 or @SHA256/384/512? Store the hashed password then just compare the hash of the entered password to the stored hash. You won't be able to recover the initial password doing it this way though.

    That wouldn't help if the password were being sent elsewhere. For example, one might want to

    iftp "ftp://name:%@DECRYPT["site pw"]@site"

    where "site pw" is the name of an encrypted password.
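The "store the hash, compare the hash of what is entered" scheme from JohnQSmith's post, as an added example in Python that is not part of either post. It adds the two things a practitioner would want over a bare @MD5/@SHA256 of the password: a per-password salt with key stretching (PBKDF2-HMAC-SHA256), so identical passwords do not share a digest and offline guessing is slowed, and a constant-time comparison. The iteration count and the fixed sample salt are assumptions chosen for this example. As vefatica's reply says, this only answers yes/no; the record cannot produce the password again for an `iftp` URL.

```python
# Added example, not code from the thread: salted, stretched password
# verification in place of comparing a bare hash of the password.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise it as hardware allows
SALT_BYTES = 16


def plain_sha256_hex(password: str) -> str:
    """What a bare hash of the password gives: the same password always yields
    the same digest, so one precomputed table serves every script using it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = b"") -> str:
    """Build the string to store in the script: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))


# Constructed sample: a fixed salt so the stored record is reproducible here.
# When a record is really created, the salt comes from os.urandom().
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
STORED_RECORD = make_record("SuperSecretPassword", SAMPLE_SALT)


if __name__ == "__main__":
    print(STORED_RECORD)
    print(verify("SuperSecretPassword", STORED_RECORD))   # True
    print(verify("superSecretPassword", STORED_RECORD))   # False
```

The record is safe to keep in the script because it yields nothing but a yes/no answer; the moment a script has to present the password to another system, a one-way digest is the wrong tool and the thread's other options (encrypting the script, or keeping the secret outside it) are what remain.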
     
  12. MaartenG

    Searched for something completely different and stumbled upon this old thread.
    It got me thinking ... how could this be solved with "2011-TCC"? (Now there are better options.)

    One possibility:
    - create dummy.btm with content: set password=secret
    - encrypt this: batcomp dummy.btm MyScript.btm
    - Contents of MyScript.btm: PK"lot of gibberish"

    - edit MyScript.btm:
    Code:
    setlocal
    goto :STEP2
    PK"lot of gibberish"
    :STEP2
       findstr /b "PK" %_batchname > x.btm
       call x.btm
       del x.btm
       echo password=%password
    
    - Done.
     
  13. evensenm

    I actually found a major weakness with BATCOMP compressed/encrypted batch files.

    Simply use the LOG command to turn on command logging prior to running the batch file and then turn logging back off again afterwards. The command logging will log and list all commands that are run (after variable/alias expansion), including those run from batch files, even if those batch files are compressed/encrypted.

    Obviously TCC has to have some kind of hard-coded key stored in itself, or it wouldn't be able to decrypt the batch file in memory so it could run.
     
  14. Bill de Haan

    A few things come to mind.

    First, there are lots of command line variations of the unix "crypt", and you could just pipe things through that using @line[] and @execstr.

    Personally, what I find to be the best way to handle passwords is to set them in the global environment (set /S) and pull them out as %APP_PW% strings. That way, even if I share the batch file, or someone gets it, it does them no good without the source PC. I use this a lot when moving data between my home and work computers. Each PC has the password in the environment, so the scripts can decrypt the USB device, but in transit, if I were to lose my USB disk, the password itself doesn't exist on the disk to be stolen. It also means I can use 128 character passwords, rather than something easily typeable and crackable.
     
  15. MaartenG

    Wow, that IS a major weakness. Good catch!
     
