Government Security
Network Security Resources

Create Batch File To Open Cmd.exe With Password

10 replies to this topic

#1 Guest_ntxploits_*

Guest_ntxploits_*
  • Guests

Posted 14 December 2006 - 12:11 AM

Hi guys... any idea how to develop a simple script using a batch file to open cmd with password protection?
Maybe I can supply the password inside the batch file itself.

#2 t3ctrix

t3ctrix

    Private First Class

  • Members
  • 80 posts

Posted 14 December 2006 - 02:50 AM

What would be the purpose of creating a password-protected batch file if somebody can just open up the file and look at the password?
"Nothing is what it seems remember?"

#3 Jeffrey

Jeffrey

    Specialist

  • Sergeant Major
  • 1,109 posts

Posted 14 December 2006 - 05:59 AM

You can disable the command shell through account policies...but requiring a password? They have packers that will do that. You pack the cmd.exe, and set it to require a password to run.

#4 studlee2

studlee2

    Private

  • Members
  • 11 posts

Posted 14 December 2006 - 01:43 PM

Ntexploits, what's the objective you are trying to achieve?

#5 maru

maru

    Private

  • Members
  • 13 posts

Posted 19 December 2006 - 03:19 AM

uhm, sth like this?

@echo off
set passwd=hansi
goto check
:yes
echo msgbox("YA HAXXORED ME, LEET BOY!")>run.vbs
start /wait run.vbs
del run.vbs
goto ende
:check
set /p name=Password:
if  "%passwd%" == "%name%"  goto yes
:ende


#6 Jeffrey

Jeffrey

    Specialist

  • Sergeant Major
  • 1,109 posts

Posted 19 December 2006 - 05:39 AM

> Ntexploits, what's the objective you are trying to achieve?


studlee2,

It's a legitimate question. Many packers have this feature because many desire it.
It's also a very intriguing topic... packers, crypters...

;)

#7 LittleHacker

LittleHacker

    Staff Sergeant

  • Members
  • 453 posts

Posted 24 December 2006 - 04:56 PM

I may be wrong, but why not use runas in your batch file? Then it asks for the password and it's not in plain text ...

#8 Jeffrey

Jeffrey

    Specialist

  • Sergeant Major
  • 1,109 posts

Posted 27 December 2006 - 06:24 AM

LittleHacker,

The RunAs utility is used to run a program in another context than the locally logged on user. For instance, I would use it if I was under a limited account and had the administrator password, I could force a program to run under Administrator.....

Batch files are useless when it comes to this... the only way is to use a packer... what's the point of a password if it is in plaintext in the batch file?

#9 LittleHacker

LittleHacker

    Staff Sergeant

  • Members
  • 453 posts

Posted 27 December 2006 - 03:10 PM

> The RunAs utility is used to run a program in another context than the locally logged on user. For instance, I would use it if I was under a limited account and had the administrator password, I could force a program to run under Administrator....

I believe you can use it for the context of the locally logged on user ...
Anyway, even if not, it's still possible to make another user with the same rights and use runas with no profile options ...

#10 SlippyG

SlippyG

    Specialist

  • Members
  • 121 posts

Posted 28 December 2006 - 05:19 AM

A batch file is a sequence of commands to be run in the command interpreter. When you run a batch file it opens an interactive command console window.

If you have a batch file which opens CMD after prompting for a password you have three main issues:

1. The command interpreter must already be available in the user's security context, or the batch file simply won't run.
2. If the command interpreter must be available (see 1) then the user could choose to run it instead of the batch file.
3. Even if the user cannot run the command interpreter explicitly (see 2) he can place the commands he wants to execute in a batch file of his own.

As you see, using a batch file for this is useless. Even with 'runas' (where the password is not held in the batch file


You can use a packer, as suggested previously, to protect your command console executable from being executed. Care should be taken when doing this... it can cause problems with some software installations which rely on the command shell at key points in their script... Some run the cmd.exe in hidden mode (which CMD kindly jumps out of) however, with your own stub code in front of cmd.exe, you may find your packed app just hangs there invisibly waiting for input it will never get. Another thing to ensure is that the packer passes parameters correctly to the packed app, but most should do this.

On Windows XP, is cmd.exe one of the files regenerated if it becomes missing or corrupt? My guess is it isn't, but it is something else that should be checked before packing or removing.


In my opinion the best method would be to use the existing NTFS security to restrict command console access to members of the administrators group, but then, I don't know exactly what you're trying to achieve. If you did this then other non-administrative users would have to use runas to access the command prompt.

If you are VERY paranoid you could even make a special non-interactive system account explicitly for running the command shell and give only this account access to the command prompt binary... this way, all attempts to run cmd.exe would fail and even administrators would have to use runas and supply the 'command prompt credentials' in order to open a shell - this is very secure, but will play merry hell with some new software installations.



But we're missing the point here. An interactive command shell is NOT a threat if your system is set up securely. If your system is NOT set up securely then the command shell may be used to compromise your system... but removing 'cmd.exe' does not solve the problem. So, you might want to rethink: What is it about the command prompt that worries me, and how can I tackle it directly?


SG
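
The NTFS approach suggested in the post above starts with knowing who can currently execute the binary. The following PowerShell audit is an added example, not part of the original thread; the list of "expected" SIDs and the 'expected'/'review' labels are assumptions of this example, and it only reads the ACL without changing anything.

```powershell
# Added example: list every ACL entry that grants or denies execute on cmd.exe.
$target = Join-Path $env:SystemRoot 'System32\cmd.exe'

# Bits that allow execution: FILE_EXECUTE (ExecuteFile), GENERIC_EXECUTE, GENERIC_ALL.
$executeMask = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile -bor
               0x20000000 -bor 0x10000000

# Well-known SIDs treated here as expected holders (an assumption of this example).
$expected = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$acl = Get-Acl -LiteralPath $target

$report = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    # Skip entries that carry no execute-related bit at all.
    if (([int]$rule.FileSystemRights -band $executeMask) -eq 0) { continue }

    $sid = $rule.IdentityReference.Value
    # Resolve the SID to an account name; orphaned SIDs stay unresolved.
    $name = try {
        $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved)' }

    [pscustomobject]@{
        Account   = $name
        Sid       = $sid
        Type      = $rule.AccessControlType   # Allow or Deny
        Inherited = $rule.IsInherited
        Status    = if ($expected -contains $sid) { 'expected' } else { 'review' }
    }
}

"Owner: $($acl.Owner)"
$report | Sort-Object Status, Account | Format-Table -AutoSize
```

Entries marked 'review' are the ones a restriction to the Administrators group would have to remove, which is also where the software-installation breakage mentioned in the post would come from.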

#11 Jeffrey

Jeffrey

    Specialist

  • Sergeant Major
  • 1,109 posts

Posted 28 December 2006 - 06:50 AM

>> The RunAs utility is used to run a program in another context than the locally logged on user. For instance, I would use it if I was under a limited account and had the administrator password, I could force a program to run under Administrator....

> I believe you can use it for the context of the locally logged on user ...
> Anyway, even if not, it's still possible to make another user with the same rights and use runas with no profile options ...

What's the point of using it for the local user when by default, a process runs under the local user's context? It's effectively the same thing as going to Start->Run. I haven't taken a look at the imports that the RunAs utility uses, but I know it uses CreateProcessAsUser or similar function or algorithm.