I'm trying to figure out how i could manually (on a linux machiene) encrypt / hash the password in the Autounattended.xml for the AdministratorPassword.
Right now i have an hash from the Windows Tool generated like:
<UserAccounts>
<AdministratorPassword>
<Value>eAB4AEgANwAtAEgASAAyAGYAQQBkAG8AaQBuAGkAcwB0AHIAYQB0AG8AcgAQAGEAcwBzAHcAbwByAGQA</Value>
<PlainText>false</PlainText>
</AdministratorPassword>
</UserAccounts>
I would like to know how i have to hash a password in linux to put the hashed string into the Autounattended.xml for an automatic windows installation.
Right now i do not find any clues about how the password is hashed, and it seems for now i only can generate an hashed password via the Windows unattended generation tool..
The hash is a base64 representation of the actual password concatened with AdministratorPassword string. But I'm not absolutely sure because your hasn't exactly this string.
Related
I have a windows bat which is called by the Windows task scheduler every 5 mins. In there I am connecting to a network drive, something like this
net use G: \hostname\shared mypassword /user:myuserid /persistent:yes
it works with no issue, but I don't want to put the password in the bat file as a plain txt. is there anyway to protect my password or put a encrypted password or store it somewhere safe in there to make it secure?
Use an environment variable.
Net use .... %password%
Then define the variable in the context which the batch runs. This is better than script source because the script is mobile, it can be copied from this machine to that, it can end up in the source control and so on. It is not more secure against a local host attack, i.e. If one user could see the password in the script it is also likely to find it in the environment.
There are more advanced solutions if you are willing to switch to PowerShell. https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx
You could use a Md5 generator (or hash code generator written by your own) to generate a password from any file in your computer. Whenever you run it, the batch file will generate the password from that specific file by the generator.
Your password is no longer in plain text, but hidden in generator and the corresponding file.
hope it helps.
I need to change the password on a user for over a hundred system. I want to do this with ansible. Which is easy. However the user module on ansible requires a hashed password. I am concerned because there are a few older hosts which may not support newer types of hashing. I want to be able to programmatically identify what password hashing algorithms are available, and use the appropriate password hash to change. Or is there perhaps a better way to handle this whole sale.
I have considered the following:
echo username:password | chpasswd
and run that using the command module. That should use whatever the default algorithm is. Is there any cause for concern with this method?
In my mind, the ideal way would be to figure the supported hashes for each machine and then generate the proper hash for each machine.
The approach you list should work Just make sure you at "no_log: yes" to your task to ensure the password doesn't end up in the log file.
With either approach you're going to need have a way of getting the password(s) into ansible to use with the user module. Not sure if the passwords will be in a CSV file, yaml file or some other format. You could consider using vault to lock things down a bit more.
I want to create two external tools, one for encrypt using gpg and the other for decrypt. I will encrypt using simetric AES, so I should prompt the password.
I want to prompt the password only one time because if I want to encrypt or decrypt more than one time each time the password will be prompt all times that I do this operation.
So I want to store the password to a variable.
So, one external tool will be set password using:
#!/bin/sh
PASSWD="$(zenity --password --title=Authentication)\n"
And then the external tools one for encrypt and the other for decrypt.
My question if I can share the stored variable PASSWD between the other tools, and if it is secure way to do it. Where it will be stored.
If I use:
export $PASSWD
When this variable will be erased? Everybody could acces to it?
Thanks!
I wrote a helper script in Ruby to handle my file synchronization through some servers. It was used only in my intranet and authentication was made by SSH keys. But now I want to use it where I can't use SSH keys and I want to store the passwords in a config file.
I know, there are some encryption libraries like bcrypt or OpenSSL, but I have a problem with that:
I start my script and enter my passphrase and it is stored in a variable to decrypt my passwords.
My code is open source.
So everybody, who has access with my user to my computer (which would be the first barrier, which I'd like to extend) and looks into the memory (where my passphrase is stored) can decrypt my password file. How is that handled in applications which are relevant to security?
Edith says as a reply to DevDude (but here, because I want to keep my specifications in my question):
But then this configuration file would be plain text and not encrypted. And when I encrypt this file there are two more issues in my opinion:
The super_secret_pwd would be stored in a variable, so when I would search in the memory of the computer, I would find it, wouldnt I?
The master password for encryption would be in the memory as plain text, too.
So the big question is: Is it possible to read plain text variables from the memory? As I know it is possible in C and a big security issue.
What you are looking for is to use a YAML file with the password/API keys. and never check this file into your repo.
Then you can reference this file on your initializers, and maybe make the password a global variable or x, use configatron, etc.
This is basically how production applications work, they read their important settings from a YAML file stored on the server itself.
This is what I use:
#c = configatron
# Per environment settings
app_settings = YAML.load_file('config/secret_stuff.yml')
#c.password = app_settings['super_secret_pwd']
Do not use ENVIRONMENT variables because they have all sort of security issues. They are an antipattern.
If a password is stored with reversable encryption in Active Directory, how does an administrator/developer extract and decrypt this password?
Specifically, I'm referring to this setting.
The following series of blog posts explains some details:
Passwords stored using reversible encryption: how it works (part 1)
Passwords stored using reversible encryption: how it works (part 2)
The author of this blog, Niels Teusink, also made the source code of his tool RevDump available for download.
It goes without saying that reversible encryption should not be used globally and only in very exceptional cases.
Although Dirk's answer is correct, the RevDump tool only works on Windows Server 2003, as newer versions of Windows store the reversibly encrypted passwords in a different way. Therefore I have created a new tool that supports Windows Server 2008+.
Simplest usage example:
Get-ADReplAccount -SamAccountName April -Domain Adatum -Server LON-DC1
Sample output (partial):
DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
Sid: S-1-5-21-3180365339-800773672-3767752645-1375
SamAccountName: April
SamAccountType: User
NTHash: 92937945b518814341de3f726500d4ff
SupplementalCredentials:
ClearText: Pa$$w0rd