How to save information with bash in the system? - bash

I am using command line with bash in Mac OS X. I will ask in my script:
Enter your password?
>
Do you want to save it and do not ask this more?
The password is to unzip a file. To do this, it always has to be entered, but I want it to only be entered once.
I can easily save it in a text file, but that is too obvious.
So I want to save it in the system. Windows has the "Windows Registry". Is there a similar system in Mac OS X (or Unix) that I can save it in and it will not be lost?
Or is there another way to save the password so it is more secure? I know that if someone runs the script in debug mode (showing how the command line is built) he will easily find the password, but he would have to get hold of the computer first, so it is a kind of physical security.

You could do it the way system passwords are stored: use a plain text file but store a checksum instead of the plain text password. It would be best if the file wasn't accessible to the user, but even if it is, it's not that easy to reverse a checksum. Suppose you read the password into the variable password. Then you could do something like echo "$password" | sha1sum - > password_file. At the next login, run the password provided by the user through the same command and compare the results. This way you can check whether they entered the correct password without storing the password in cleartext.
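The verify-by-digest idea from the answer above, carried through as an added example (this is not the answerer's code): a POSIX shell script that stores a per-file random salt next to a SHA-256 digest in a mode-0600 file and later checks a candidate password against it. The salt means two users with the same password do not get identical files, and the file mode keeps other local accounts from reading the digest. It assumes `od` and one of `sha256sum`, `shasum` or `openssl` are installed; the function names `pw_register`, `pw_verify` and `pw_prompt` are mine.

```shell
#!/bin/sh
# Added example: verify a user-supplied password against a salted SHA-256 stored
# in a mode-0600 file, instead of keeping the password itself on disk.
# Assumed tools: od, and one of sha256sum / shasum / openssl. Function names are mine.

# Hex SHA-256 of stdin, using whichever digest tool the system has.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | awk '{ print $1 }'
    else
        openssl dgst -sha256 | awk '{ print $NF }'
    fi
}

# pw_register PASSWORD FILE: write "salt:digest" to FILE, readable only by the owner.
pw_register() {
    pw=$1; file=$2
    salt=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # 16 random bytes as hex
    digest=$(printf '%s%s' "$salt" "$pw" | _sha256)
    ( umask 077; printf '%s:%s\n' "$salt" "$digest" > "$file" )   # subshell keeps umask local
}

# pw_verify PASSWORD FILE: status 0 if PASSWORD matches the stored digest,
# 1 if it does not, 2 if FILE cannot be read.
pw_verify() {
    pw=$1; file=$2
    [ -r "$file" ] || return 2
    IFS=: read -r salt stored < "$file"
    candidate=$(printf '%s%s' "$salt" "$pw" | _sha256)
    [ "$candidate" = "$stored" ]
}

# pw_prompt: read a password from the terminal without echoing it; the value goes to stdout.
pw_prompt() {
    printf 'Enter your password: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    printf '%s' "$pw"
}

# Stand-alone demo with a temporary file:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    pw_register 'correct horse' "$f"
    pw_verify 'correct horse' "$f" && echo "match"
    pw_verify 'wrong'         "$f" || echo "no match (status $?)"
    rm -f "$f"
fi
```

Note that this only lets the script confirm the password; it does not hand the password back for unzipping, which is why the keyring route in the next answer is the one that fits the original question. A single SHA-256 round is also a fast hash, so a real login store would use a deliberately slow KDF (bcrypt, scrypt, PBKDF2) in place of `_sha256`.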

Either use your OS's keyring (OSX has something like this), or store it in plain text. Don't pretend that you are secure when you are not. If you cannot store things securely, then store them in plain sight, so the user is not given a false sense of security.

Related

How to hide a password in a .bat file?

I'd like help in setting password in a batch file but without exposing password.
If I SET password="abc123", I don't want abc123 to be visible in the batch file, as other people will be running the .bat file.
There is unfortunately no good solution to hide a password in batch
Even if you crypt it, change it to HEX, hide it in an Alternative Data Stream (ADS) or whatever you want.
At a moment you have to test the value in your code with an IF test.
At this point the password, encrypted or not, will be visible or set in a variable that can be echoed.
You can also compress your BAT into a self-extracting .EXE, but this is very easy to crack, since the .BAT file has to be decompressed before it runs (in the %temp% folder).
So there is no way to really hide a password in a .BAT file
You can try this method: Password hidden using ADS
create and save your batch file
use the ECHO command to 'place' your password into an ADS attached to your batch file
use redirection to read the password from the ADS (Alternative Data Stream) file

How to retrieve a saved ftp password from phpStorm?

I know that technically, this question should be asked on phpStorm's forums, but being a popular IDE (I bet an eventual solution would also work for other popular IDEs from JetBrains), I'm thinking:
someone on SO might know and share the answer (faster than I'd get it from vendor)
the question answer might be useful and valuable to other coders (for that matter, even if I shall need to go on the vendor's forum I will get back with the answer here, when I find it)
If there is any need of context: I accidentally switched the connection type of a saved connection from ftp to local folder and when I switched back, the saved credentials were gone.
The question: Can I retrieve the saved password...
Angle 1: ...from this computer?
Angle 2: ...from another computer that has the same credentials saved, which I could access via TeamViewer, but has the password ●●●●●●(hidden)?
Edit: This method can only be used with version 2016.1 or earlier. For newer versions (probably 2016.2 onwards), they changed the encoding method. I have no clue how to decode it.
Open C:\Users\.WebIde100\config\options\webServers.xml
Find your FTP and get the encrypted password from the password attribute.
Decrypt the password. I have written a PHP script to decrypt the string:
<?php
$pwd = "Your encrypted password here.";   // hex string taken from the password attribute
$decrypted = '';
while (strlen($pwd) > 0) {
    // every 4 hex digits encode one character, XORed with the constant 0xdfaa
    $decrypted .= chr(hexdec(substr($pwd, 0, 4)) ^ hexdec('dfaa'));
    $pwd = substr($pwd, 4);
}
echo $decrypted;
If you trust my tools, you can use https://louislam.net/phpstorm-decrypt-password
If you use a KeePass database file to store passwords, you can easily set a password for that file, save it and then open it in the KeePass manager, or migrate it to another PhpStorm.
Go to Settings/Preferences | Appearance & Behavior | System Settings | Passwords, enter a new master password and save.
Open /.PhpStorm2017.1/config/c.kdbx (in "Keepass 2" or "Keeweb") with saved master password.
Here it is!
See answer here
Retrieve saved (hidden) SSH password from PhpStorm 2017.1
One way that just worked for me was to install Wireshark.
Use a capture filter of 'ftp', and do a "Test connection" inside PHPStorm.
Now stop the capture and examine what you've sniffed. The password will be in there.
I know this is a 1 year old question, but for everyone else, you can try to copy the selected (hidden) password with CTRL+C, and paste it in a text document (tested with 2016.3 on Debian).
For OSX users
Open keychain -> select the System Roots keychain (on the left side) -> search for IntelliJ.
If you click it you will see the ftp-username in the "Account" field. You can also use right click on the records to copy the password.

Extract encrypted rar archive without showing password

I got an idea to make something like a keychain with keys, which will contain possible passwords to extract my password-protected archives. So the passwords will stay hidden, but the user will still be able to extract the archive without knowing the password.
The problem is that if I send the password via a parameter it is shown in the command line parameters.
set mypass=12345
unrar.exe x test.rar -p%mypass%
I also tried sending the password via echo but it doesn't seem to work
@echo off
echo 12345 | unrar.exe x test.rar -p
How to solve this?
The unrar executable does not provide a mechanism to securely accept the archive password. It is accepted in plain text form. There's no getting away from that and you should stop trying to do so.
Use the rar DLL interface instead which gives a slightly increased level of obfuscation. Of course, a moderately determined hacker could inspect the parameters that are being passed. Or inspect the file that is being extracted.
Using @echo off is the correct approach.
Do note that when you call
@echo something
that "something" is always shown even when you disabled the echo using @echo off.
Also I agree with Uli Gerhardt about the use of unrar.dll instead as this will give you even better control over the extracting process.
EDIT: If you put this code into batch file (*.bat) you will see that the commands won't be shown.
@echo off
set mypass=12345
notepad %mypass%
Same should apply when sending commands from your application.
EDIT2: Do you know that you can even find a ready-made Delphi component which allows you to make use of unrar.dll?
Check at bottom of this page: http://www.rarlab.com/rar_add.htm

Can I effectively choose gnupg recipients by email address?

We have a perl program that generates gpg encrypted files for multiple folks.
Today, we added dan@example.com.
When I run the encryption script, it happily encrypts the file for dan@example.com using jordan@example.com. This is presumably because jordan@example.com was in my keyring first.
I've tested from the command line, and if I use gpg -r dan@example.com --encrypt foo.txt, the friendly client chooses to use the public key for jordan@example.com, instead of the more explicit dan@example.com.
Of course, if I use key ids it works, but that's not really what we've got here. Is there a way to tell gnupg to use the more explicit email address without resorting to key ids?
This is documented in the manual page that comes with gpg. In the section "HOW TO SPECIFY A USER ID" you find the option "By exact match on an email address.". So the answer to your question is to use angle brackets, such as <dan@example.com>.

Is there a quick and easy way to dump the contents of a MacOS X keychain?

I'm looking for a way to dump (export) the contents of an OS X keychain into a file that I can easily process elsewhere, such as tab-delimited plaintext or something of the sort.
The Keychain Access app does not offer any such functionality, and getting a key's data involves opening each in turn, and having to type in the keychain's password to see the password stored with the key, every time.
After a bit of digging, I found somebody's solution by using AppleScript and the Keychain Scripting app to access keychains (can't link to individual post; scroll down about two thirds to the end of the page):
http://discussions.apple.com/thread.jspa?threadID=1398759
Using Keychain scripting, you can access all data fields of all the keys – including the plaintext password! – and it's fairly easy to dump this data into a text file etc. I've tested it and it works well.
However, this solution still involves having to confirm access to each key by clicking OK on a dialog. This is much better than having to type in the keychain's password every time, but it's still irritating. Furthermore, you have to confirm access twice for each key; once for Script Editor (or the script itself if it's running as an app) and once for Keychain Scripting. So, if you're processing a keychain with 100 keys, you have to manually click OK on 200 dialogs.
I'm now looking for a solution to get around this. I realize that as it's the purpose of keychains to safeguard the sensitive data and prevent precisely the kind of thing I'm trying to do, any such solution would probably involve some kind of hack.
I'd be very interested in your ideas!
Alright, I'm stupid. There's a command-line tool called security that does just this (and lots of other actions on keychains).
An example usage:
security dump-keychain -d login.keychain
This will dump all the data in login.keychain (the default keychain for a user) as plaintext, including the passwords. You still have to confirm access, but only once for each key, and it's much faster than using AppleScript (and doesn't throw weird errors when trying to access certain fields). And it's no hack.
Without the -d option, it will dump all the fields except for the password.
The dumped data for a key looks like this (for an internet key; program keys and certificates have other fields, but the format is the same):
keychain: "/Users/<username>/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="tech.slashdot.org (<username for this web login>)"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="<username for this web login>"
    "atyp"<blob>="form"
    "cdat"<timedate>=0x32303038303432333038323730355A00 "20080423082705Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="Kennwort des Web-Formulars"
    "icmt"<blob>="default"
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303038303432333038323730355A00 "20080423082705Z\000"
    "nega"<sint32>=<NULL>
    "path"<blob>=<NULL>
    "port"<uint32>=0x00000000
    "prot"<blob>=<NULL>
    "ptcl"<uint32>="http"
    "scrp"<sint32>=<NULL>
    "sdmn"<blob>=<NULL>
    "srvr"<blob>="tech.slashdot.org"
    "type"<uint32>=<NULL>
data:
"<the plaintext password for this key>"
Please read this: https://gist.github.com/rmondello/b933231b1fcc83a7db0b
Ignore:-----
I found a solution to the "Always Allow" dialog for each key!
Just run the previous command with sudo.
sudo security dump-keychain -d login.keychain
This way you'll only need to enter your password two times. One on the Terminal to sudo and another to unlock the keychain! ;)
Have a nice day!
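The record format shown in the answer above is regular enough to turn into the tab-delimited inventory the question asks for. The following is an added example, not code from the answer: a POSIX shell wrapper around awk that reads a dump on stdin and prints one line per item with class, service or server, account and creation date. A constructed two-item sample is embedded so it runs offline; on a Mac you would pipe `security dump-keychain login.keychain` (without -d, as the answer notes) into it. It ignores the data: section on purpose, so it tells you which credentials a keychain holds without writing out their secrets. The attribute names `acct`, `srvr` and `cdat` are the ones in the dump above; `svce` (the service name of a generic-password item) is assumed from the same attribute scheme, and the function name is mine.

```shell
#!/bin/sh
# Added example: turn `security dump-keychain` output into a tab-separated inventory
# (class, service/server, account, creation date). The data: section is ignored on
# purpose, so no secrets are written out. Function name and sample are mine.

# Constructed sample in the dump format shown above (two items, not a real keychain).
SAMPLE_DUMP='keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="tech.slashdot.org (alice)"
    "acct"<blob>="alice"
    "cdat"<timedate>=0x32303038303432333038323730355A00  "20080423082705Z\000"
    "path"<blob>=<NULL>
    "ptcl"<uint32>="http"
    "srvr"<blob>="tech.slashdot.org"
data:
"not-a-real-password"
keychain: "/Users/alice/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="alice@example.com"
    "cdat"<timedate>=0x32303139303130313132303030305A00  "20190101120000Z\000"
    "svce"<blob>="mail.example.com"
data:
"not-a-real-password-either"
'

# keychain_inventory: read a dump on stdin, print a TSV with a header line.
keychain_inventory() {
    awk '
    # value after the first "=", with surrounding double quotes removed
    function strip(s) { sub(/^[^=]*=/, "", s); gsub(/^"|"$/, "", s); return s }
    # emit the item collected so far and reset the fields
    function flush() {
        if (cls != "") {
            host = (cls == "inet") ? srvr : svce
            printf "%s\t%s\t%s\t%s\n", cls, host, acct, cdat
        }
        cls = ""; acct = ""; srvr = ""; svce = ""; cdat = ""
    }
    BEGIN                  { printf "class\tservice\taccount\tcreated\n" }
    /^keychain: /          { flush() }                       # a new item starts here
    /^class: /             { cls = $2; gsub(/"/, "", cls) }
    /^ *"acct"<blob>=/     { acct = strip($0) }
    /^ *"srvr"<blob>=/     { srvr = strip($0) }              # internet password: server
    /^ *"svce"<blob>=/     { svce = strip($0) }              # generic password: service
    /^ *"cdat"<timedate>=/ { if (match($0, /[0-9]+Z/)) cdat = substr($0, RSTART, RLENGTH) }
    END                    { flush() }
    '
}

# Stand-alone run over the constructed sample.
# On a Mac:  security dump-keychain login.keychain | keychain_inventory
printf '%s' "$SAMPLE_DUMP" | keychain_inventory
```

Running it over a real dump gives a quick audit of which servers and accounts have credentials in a keychain, which is usually the question a reviewer is asking before deciding whether any of them should be rotated or removed.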
Update, there is now a tool that does this nicely:
Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files.
Source: https://github.com/juuso/keychaindump
Actually I was just looking for the same:
Modified AppleScript that somebody posted on GitHub. To be run in Script Editor, and it must be allowed in Preferences & Security.
set keychainPassword to "yourpasswordgoeshere"
tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            delay 0.1
            try
                set value of text field 1 of window 1 to keychainPassword
                click button "Allow" of window 1
            end try
        end tell
    end repeat
end tell
You must click each window separately in order to activate it. For that I used the tool "murgaa auto clicker" that I had known from RuneScape many years ago (http://www.murgaa.com/auto-clicker-mac/ seems still active). You just set a shortcut for autoclicking (e.g. Command+R) and set the timer to 10ms, and it works like a charm.
Keysafe
Keysafe reads and decrypts Apple Keychain files. Use Keysafe to securely access your passwords and credentials without a Mac.
I wrote a tool called Keysafe to extract the contents of Keychain files. The tool is available on Mac, Windows, and Linux.
Keysafe is not free; a licence is required to fully decrypt a Keychain. Without a licence the contents are still extracted but the decrypted values are partially redacted and secure notes are not post-processed into RTFD files.
If you have a Keychain that does not "just work" with Keysafe, please get in touch. The Keychain format is expansive and finding edge cases is always interesting.
I found a solution for not clicking "Allow" multiple times
sudo su
security dump-keychain -d /Users/YourUsername/Library/Keychains/login.keychain