I have a simple batch file:

```batch
@echo off
set username=user
set password=pass
::do some things with the username and password
```

The user could just call the batch file from cmd, and type `set` after my batch file has run its course and see the username and password. Is there any way to fix this? (excluding bat to exe converters)

Jahwi
  • They could also see the username and password by opening the batch file in Notepad, or `type`-ing it from the command line. You're not worried about those things? – Joe White Aug 15 '15 at 19:37
  • You can append as last command `set "password="` to delete the environment variable `password` before exiting batch. Or you use `setlocal` and `endlocal`. But every user can simply open the batch file also in a text editor like Notepad and read the password. Credentials should never be stored in a batch file if not only used by yourself and only you can read and execute the batch file according to NTFS permissions. But even in this case putting credentials into a batch file is insecure even if converted to an executable. – Mofi Aug 15 '15 at 19:37
  • @Joe I am. I've got that covered. Thanks anyway guys! – Jahwi Aug 15 '15 at 19:43
  • A user can control-c out of the batch file and examine the environment variables to find the password also. – foxidrive Aug 15 '15 at 19:47
  • Exactly the exploit I tried against another batch file and I wanted to protect mine against it. @foxdrive what do you think I should do? – Jahwi Aug 15 '15 at 19:51
  • @foxdrive It seems using setlocal enabledelayedexpansion at the beginning of your batch file (and turning all your %'s to !'s) does the trick. I still need to test extensively before adding anything of the sort to my batch file. – Jahwi Aug 15 '15 at 19:53
  • @Jahwi If this is for a high-profile task in which security is essential, it probably shouldn't be programmed in batch. – UnknownOctopus Aug 15 '15 at 19:53
  • @UnknownOctopus I'm trying to make an ftp powered batch MMORPG (I know, it's stupid) and I've plugged every hole except that one. – Jahwi Aug 15 '15 at 19:55
  • Check the `runas` command. It is designed for such cases. With it you can call a second batch put in a protected folder where it will be harder for the users to see the content. Though it's also not such a bad idea to convert the batch to exe - you can do this without external tools - http://stackoverflow.com/questions/28174386/how-can-a-bat-file-be-converted-to-exe-without-third-party-tools – npocmaka Aug 15 '15 at 20:06
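
The `setlocal`/`endlocal` scoping suggested in the comments above, shown next to the leaky form. This is an added example, not code from the question or its answer; `DEMO_USER`, `DEMO_PASS` and their values are constructed placeholders.

```batch
@echo off
rem Added example: DEMO_USER / DEMO_PASS are constructed placeholder names.

rem --- Leaky form: a plain SET writes into the calling cmd.exe environment,
rem     so the value is still there after the routine returns.
call :leaky
if defined DEMO_PASS echo [leaky]  DEMO_PASS is still set after return: %DEMO_PASS%

rem Clear the leaked values so the second check starts clean.
set "DEMO_USER="
set "DEMO_PASS="

rem --- Scoped form: SETLOCAL snapshots the environment and ENDLOCAL
rem     restores it, discarding everything set in between.
call :scoped
if not defined DEMO_PASS echo [scoped] DEMO_PASS is not set after return
exit /b 0

:leaky
set "DEMO_USER=user"
set "DEMO_PASS=pass"
exit /b 0

:scoped
setlocal
set "DEMO_USER=user"
set "DEMO_PASS=pass"
rem ... work with the credentials here, inside the SETLOCAL scope ...
endlocal
exit /b 0
```

Scoping only keeps the values out of the calling session's environment; as the comments point out, the credentials are still readable in the batch file itself.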

1 Answer


Prompt for password then save it

This script here uses the password associated with a batch file from a hidden stream attached to the file, prompting for the password if not present and saving it. If you know how to work out what is going on in the batch you could do the same and get the password to work with, but to a casual observer it is not at all obvious how it works.

Password entry obscured from batch file

Script to prompt for and enter password in hidden manner.

Password hidden using ADS

Script to store password in an extra data stream with the batch file that you can't see but is there and can be read by the batch file itself.

Hackoo