
Encrypted Strings

Joshua Roskos edited this page Apr 12, 2018 · 5 revisions

Video Demo

Check out this quick video demo of how to generate EncryptedStrings in Python...

What we'll need

Python - GenerateEncryptedStrings Function

# Use GenerateEncryptedString() locally - DO NOT include in the script!
# The 'Encrypted String' will become a parameter for the script in the JSS
# The unique 'Salt' and 'Passphrase' values will be present in your script
import subprocess

def GenerateEncryptedString(inputString):
    '''Usage >>> GenerateEncryptedString("String")'''
    # Random 8-byte salt and 12-byte passphrase, both hex-encoded
    salt = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '8']).decode().rstrip()
    passphrase = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '12']).decode().rstrip()
    # AES-256 encrypt stdin; -a -A gives base64 output on a single line
    # -k passes the passphrase to openssl as a command-line argument
    p = subprocess.Popen(['/usr/bin/openssl', 'enc', '-aes256', '-a', '-A', '-S', salt, '-k', passphrase], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # openssl reads and writes bytes: encode the input, decode the result
    encrypted = p.communicate(inputString.encode())[0].decode()
    print("Encrypted String: %s" % encrypted)
    print("Salt: %s | Passphrase: %s" % (salt, passphrase))

Python - DecryptEncryptedStrings Function (for testing)

# Include DecryptString() with your script to decrypt the password sent by the JSS
# The 'Salt' and 'Passphrase' values would be present in the script
import subprocess

def DecryptString(inputString, salt, passphrase):
    '''Usage: >>> DecryptString("Encrypted String", "Salt", "Passphrase")'''
    # Same cipher and options as the generator, plus -d to decrypt
    p = subprocess.Popen(['/usr/bin/openssl', 'enc', '-aes256', '-d', '-a', '-A', '-S', salt, '-k', passphrase], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # openssl reads and writes bytes: encode the input, decode the result
    return p.communicate(inputString.encode())[0].decode()

Generate Encrypted Strings

  1. Launch Terminal
  2. Run python
  3. Copy the Python - GenerateEncryptedStrings Function code block above, paste it into the Python REPL, and press Return twice
  4. Run GenerateEncryptedString('yourPasswordHere')
  5. This will return an output similar to:
>>> GenerateEncryptedString('j@mf1234')
Encrypted String: U2FsdGVkX1+T4I++G9edk/JPfsvaf7X94fi1+I44bZQ=
Salt: 93e08fbe1bd79d93 | Passphrase: 789e6b9f2a1901cb49765b03
  6. Copy the Encrypted String value to your MakeMeAdmin - Remove Admin Rights policy and paste the value in Parameter 4 of your script's payload
  7. Copy the Salt value and use it to replace the contents of the salt variable in the removeTempAdmin.py script
  8. Copy the Passphrase value and use it to replace the contents of the passphrase variable in the removeTempAdmin.py script

Testing your Generated Encrypted Strings

  1. Launch Terminal
  2. Run python
  3. Copy the Python - DecryptEncryptedStrings Function (for testing) code block above, paste it into the Python REPL, and press Return twice
  4. Run DecryptString('yourEncryptedString', 'yourSalt', 'yourPassphrase')
  5. This will return an output similar to:
>>> DecryptString('U2FsdGVkX1+T4I++G9edk/JPfsvaf7X94fi1+I44bZQ=', '93e08fbe1bd79d93', '789e6b9f2a1901cb49765b03')
'j@mf1234'
  6. The output should match your expected password. The single quotes around it are normal and will not affect the script.
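
The following is an added example, not part of the original wiki or the MakeMeAdmin project: a check you can run on an Encrypted String before pasting it into Parameter 4. `openssl enc` prefixes its output with `Salted__` followed by the 8-byte salt, so the salt is readable inside the string itself and only the passphrase in the script protects the password. The function name `inspect_encrypted_string` is hypothetical; the sample values are the ones shown on this page.

```python
import base64
import binascii

MAGIC = b"Salted__"   # header `openssl enc` writes when a salt is used
SALT_LEN = 8          # bytes, matches `openssl rand -hex 8`
AES_BLOCK = 16        # AES block size in bytes

# Sample output shown earlier on this page
SAMPLE_ENCRYPTED = "U2FsdGVkX1+T4I++G9edk/JPfsvaf7X94fi1+I44bZQ="
SAMPLE_SALT = "93e08fbe1bd79d93"


def inspect_encrypted_string(encrypted, expected_salt_hex=None):
    """Parse an `openssl enc -a -A` string.

    Returns (salt_hex, ciphertext_length). Raises ValueError when the
    string is malformed or its salt differs from expected_salt_hex.
    """
    try:
        raw = base64.b64decode(encrypted, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid single-line base64: %s" % exc)

    header_len = len(MAGIC) + SALT_LEN
    if len(raw) < header_len or not raw.startswith(MAGIC):
        raise ValueError("missing 'Salted__' header")

    # The salt is stored unencrypted right after the magic bytes
    salt_hex = binascii.hexlify(raw[len(MAGIC):header_len]).decode()

    # What remains is AES ciphertext: always whole 16-byte blocks
    body = raw[header_len:]
    if not body or len(body) % AES_BLOCK:
        raise ValueError("ciphertext is not whole AES blocks (truncated paste?)")

    if expected_salt_hex is not None and salt_hex != expected_salt_hex.lower():
        raise ValueError("embedded salt %s does not match the script's salt" % salt_hex)

    return salt_hex, len(body)


if __name__ == "__main__":
    print(inspect_encrypted_string(SAMPLE_ENCRYPTED, SAMPLE_SALT))
```

A `ValueError` here means the string or salt was copied incorrectly, which would otherwise only surface when the policy runs on a client.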

Enjoy!
