How safe are credentials in script packages?

We get that question all the time. Before we start, please note that we advise against ever putting credentials as plain text into any kind of code. Use encrypted strings, store encrypted credentials in files or, if all else fails, prompt. Now, having said that, we all know that sometimes schedules and pressure from “above” force you to do things you normally wouldn’t do. So for the sake of argument we have created a variety of executables which use SUPERADMINUSER and SUPERSTRONGPASSWORD to run a WMI query on SUPERSECRETSERVER.

We used:

  1. VBScript
  2. PowerShell
  3. C#
  4. C++

Obviously none of these will run in your environment unless you create a server with that name and add those credentials.
If you want to examine the resulting executable files yourself, go to www.sapien.com/download and look for WMIQueryExecutables.zip in the “Blog Samples” folder.

Now we take all these files, open them in PrimalScript as binary files and look for the user ID and password, starting with the C++ version.

And here is your password, easily visible in the binary data:

[Screenshot: binary view of the C++ executable with the password visible]

The spacing with NULL characters comes from the string being stored as Unicode, so let’s search for that in the C# version:

[Screenshot: binary view of the C# executable]

As you can see, we didn’t have to look far. To make matters worse, if you take a disassembly tool to a .NET exe you don’t even have to read binary data:

[Screenshot: disassembly of the .NET executable]
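The two storage forms described above (narrow bytes in the C++ build, Unicode with NULL spacing in the C# build) can be checked for automatically before an executable ships. This is an added example, not part of the original post or of PrimalScript; the function names and the sample byte blobs are constructed for illustration.

```python
import sys
from pathlib import Path

# A compiler usually stores a string literal either as narrow bytes
# (ASCII/UTF-8) or as UTF-16LE, which gives the NULL-byte spacing
# seen in a hex view of wide-character and .NET binaries.
ENCODINGS = ("utf-8", "utf-16-le")


def find_literal(data: bytes, needle: str):
    """Return (encoding, offset) for every occurrence of needle in data."""
    hits = []
    for enc in ENCODINGS:
        pattern = needle.encode(enc)
        pos = data.find(pattern)
        while pos != -1:
            hits.append((enc, pos))
            pos = data.find(pattern, pos + 1)
    return hits


def scan(data: bytes, needles):
    """Map each needle found in data to its list of hits."""
    found = {}
    for needle in needles:
        hits = find_literal(data, needle)
        if hits:
            found[needle] = hits
    return found


# Constructed sample blobs standing in for build output (not real binaries).
NARROW_BLOB = b"\x00\x01MZ\x90" + b"SUPERSTRONGPASSWORD\x00" + b"\xff\xfe\x00"
WIDE_BLOB = b"MZ\x00" + "SUPERADMINUSER".encode("utf-16-le") + b"\x00\x00"
# The placeholder values used on this page; substitute your own deny list.
NEEDLES = ["SUPERADMINUSER", "SUPERSTRONGPASSWORD"]

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the samples.
    targets = {p: Path(p).read_bytes() for p in sys.argv[1:]} or {
        "narrow sample": NARROW_BLOB, "wide sample": WIDE_BLOB}
    leaked = False
    for name, data in targets.items():
        for needle, hits in scan(data, NEEDLES).items():
            leaked = True
            for enc, offset in hits:
                print(f"{name}: {needle!r} as {enc} at offset 0x{offset:x}")
    sys.exit(1 if leaked else 0)
```

Run with file paths as arguments, the script exits non-zero when any listed value is found, so it can gate a build step.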

 

Now let’s try the script packages created by PrimalScript:

[Screenshots: binary views of the packaged scripts]

So you see, if you have to, absolutely have to put credentials somewhere, a packaged script is the way to go.
Go ahead, get the binaries and see for yourself. Here is where they are once again: Go to www.sapien.com/download and look for WMIQueryExecutables.zip in the “Blog Samples” folder.