Password Obfuscation in VBS Admin Scripts

Written by James McDonald

October 18, 2010

Sometimes you may want to authenticate to a remote share and do some admin task like create a zipped backup file on your local computer.

The problem with the following script fragment is that the raw VBS file contains a plain text password. So how do you hide the password so it’s not viewable to the general public? Read on.

Example of a VBS script with visible plain text password

set oNet = WScript.createobject("WScript.Network")
set oWsh = Wscript.createobject("Wscript.Shell")

'object.MapNetworkDrive(strLocalName, strRemoteName, _
' [bUpdateProfile], [strUser], [strPassword])

' authenticate using remote credentials to the 
' remote share without creating a drive
oNet.MapNetworkDrive "", "\\MYWINPC\D$", _
false, MYWINPC\administrator, "&theSecretPW**"

zip = "c:\Program Files (x86)\7-Zip\7z.exe"

cmd = """" & zip & """" & _
	" a -r -tzip C:\BACKUPS\mybackup.zip" &_
	"""" & "\\MYWINPC\D$\ImportantFolder\*" & """"

'object.Run(strCommand, [intWindowStyle], [bWaitOnReturn]) 

oWsh.run cmd,1, true

oWsh.run

As a way of making the script a little bit mysterious (it’s crackable but a normal user won’t be able to read the password) is to change the VBS above to include some explanatory text and a ‘**Start Encode** line

Example of how to get VBS script ready for encoding

' so at the top of your script make sure people know what it
' does _before_ the "Start Encode" line i.e.

' This script authenticates to MYWINPC and 
' zips up "\\MYWINPC\D$\ImportantFolder\*" 
' to the local computer 

' put any changeable variables that you might 
' want to be able to view and edit BEFORE 
' the  "Start Encode" e.g.

RTARGET="\\MYWINPC\D$\ImportantFolder\*" 
LTARGET="C:\BACKUPS\mybackup.zip"

'**Start Encode**
set oNet = WScript.createobject("WScript.Network")
set oWsh = Wscript.createobject("Wscript.Shell")

'object.MapNetworkDrive(strLocalName, strRemoteName, [bUpdateProfile], [strUser], [strPassword])

' authenticate using remote credentials to the remote share without creating a drive
oNet.MapNetworkDrive "", "\\MYWINPC\D$", false, MYWINPC\administrator, "&theSecretPW**"
zip = "c:\Program Files (x86)\7-Zip\7z.exe"
cmd = """" & zip & """" & _
	" a -r -tzip " & LTARGET &_
	"""" & RTARGET & """"

'object.Run(strCommand, [intWindowStyle], [bWaitOnReturn]) 

oWsh.run cmd,1, true

oWsh.run

Then use the screnc.exe utility from microsoft to encode your vbs to a vbe file. (Google “Microsoft Script Encoder Download”)

C:\Program Files\Windows Script Encoder\screnc.exe" encodethis.vbs encodethis.vbe

A VBS Script after being converted using screnc.exe

' so at the top of your script make sure people know what it
' does _before_ the "Start Encode" line i.e.

' This script authenticates to MYWINPC and 
' zips up "\\MYWINPC\D$\ImportantFolder\*" 
' to the local computer 

' put any changeable variables that you might 
' want to be able to view and edit BEFORE 
' the  "Start Encode" e.g.

RTARGET="\\MYWINPC\D$\ImportantFolder\*" 
LTARGET="C:\BACKUPS\mybackup.zip"
' I have wrapped this text to fit the window

'**Start Encode**#@~^hAIAAA==@#@&/nDPK1+DP{~Um.kaY ^M+lDnW(L+
1OcJq?1DrwO g+OhK.3r#@#@&k+Y~Gq/4P{~q/^MkaYR1DCYW8LmOcr/1.kaY
RU4nV^J*@#@&@#@&vK4%+1ORtl2HYhG.0f.k7nv/OMSKml^1mh+BPdYMInhKY
+gC:~P]8iw9lD+KDGWbVnTB~$kY.ik+DDS,$dYMKm/dSWMNT*@#@&@#@&EPCE
DtnUDkmmO+,E/bULPM+sWO+~^M+[+	OkmVd~DWPO4P.+sGD+~ktmD+,hbOt
KEOP1DnCDkxT~l,NDb-n@#@&Wg+OR\Ca1nYSGD0f.r7+PEEBPE-'\I(gn;-ff
JB~0mVd+BP\eqq1h/-mN:bUr/DDmYGDS~r[Otj+1DnOheME@#@&"ka~{PE1)'
nDKoMC:,srV/~cX%v*wG }kaw{yc+X+E@#@&^sN~',EJrJ~',yk2~LPEJrE,[
~|@#@&dJ,l,RD,OOybw~E,[PdPb"M2:~'{@#@&iJEJE~LP]Kz]MAK~',JJEE@
#@&@#@&EG(Ln1YcIE	`kOD;Wh:mx[S,$k	ObxNKAjYHVTSP,8qlrY}U
IY;.	T#~@#@&@#@&Wqd4R.!x,m:9~8SPDD;+@#@&@#@&K/4 D!x@#@&LsI
AAA==^#~@

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

You May Also Like…