Password Security Using Hyena?

  • Password Security Using Hyena?

    When I use a tool that has %P2:Password/PWD% is that password being sent over the network in clear text? I see it's hashed on screen but is that just on screen or do you hash it then send it over the network as well?

    Thanks!

  • #2
    Re: Password Security Using Hyena?

    Yes, I believe it will be sent using clear text.



    • #3
      Re: Password Security Using Hyena?

      You need to realize that when using a custom tool or something, the tool itself has to get the password in plain text. We can 'secure' or encrypt the password as that would not do any good, the password is to be passed to another tool/utility and has to be in plain text.
      Kevin Stanush
      SystemTools Software Inc.



      • #4
        Re: Password Security Using Hyena?

        Understood; I see why it's clear text now.

        What would best practices be to ensure I/we do not send a password across the LAN/WAN in clear text?

        Thanks for the replies!



        • #5
          Re: Password Security Using Hyena?

          It's really hard, as it depends on the application/tool. You need to see what tool you are using and then google it to see how it works, etc. Tool commands in Hyena are run using the CreateProcess API call, which is essentially the same thing as typing the command at a command prompt or clicking Start->Run and typing the command.

          Depending on the tool, you might not have any control, and if someone were to tap into your network (sniffer, etc.) they might be able to see the command, but again it depends on the tool.
          Kevin Stanush
          SystemTools Software Inc.



          • #6
            Re: Password Security Using Hyena?

            Maybe an example would help?

            I have a custom tool that executes PSEXEC but that requires a login/pwd so I pass that via Hyena. Then it executes a reg import. In order to do a reg import on a user's workstation I must use an admin account; hence the use of PSEXEC.

            cmd /c c:\My_Tools\pstools\psexec \\%E% -u %P1:LOGIN% -p %P2:Password/PWD% reg import "\\MYCOMPUTERNAME\c$\My_Tools\scripts\CAC_hack\CAC _hack.reg" & pause

            If I'm following you guys here.... Hyena passes it to PSEXEC in clear text but I would have to look at PSEXEC more closely to see how they handle it from there?

            Thx

            [This message has been edited by morgan.mains (edited 11-19-2007).]




            • #7
              Re: Password Security Using Hyena?

              Yes, that is correct. Same as if you went to your tools directory where psexec is located and typed that same command. psexec is installed locally, so it's a matter of determining what psexec does with the password. You can probably get this information from SysInternals.

              Don't mention Hyena when you ask as a lot of vendors will not help you if you mention another tool. In this case, you are just running psexec with a password. Hyena is just passing the information along. The question is the same regardless of how you run it, so just pretend you are using it directly without Hyena.
              Kevin Stanush
              SystemTools Software Inc.
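
An added example, not part of the original thread and not code from Hyena or PsExec: a Python audit that scans custom-tool definitions and logged process command lines for PsExec calls carrying a password after `-p`, as in post #6, and reports them with the value redacted. The function name, the sample host and account names, and the sample password are constructed for illustration.

```python
import re
import shlex

PSEXEC = re.compile(r"(^|[\\/])psexec(64)?(\.exe)?$", re.IGNORECASE)
MACRO = re.compile(r"^%[^%]+%$")    # unexpanded macro such as %P2:Password/PWD%
OPERATORS = {"&", "&&", "|", "||"}  # cmd.exe separators end the PsExec call

def audit_command(cmdline):
    """Return a finding if cmdline runs PsExec with a value after -p, else None."""
    # posix=False keeps the backslashes of Windows paths intact
    tokens = shlex.split(cmdline, posix=False)
    start = next((i for i, t in enumerate(tokens)
                  if PSEXEC.search(t.strip('"'))), None)
    if start is None:
        return None
    user = kind = None
    i = start + 1
    # Assumption: every -u/-p up to the next separator belongs to PsExec; a
    # remote command with its own -p switch would be a false positive.
    while i < len(tokens) and tokens[i] not in OPERATORS:
        flag = tokens[i].lower()
        has_value = i + 1 < len(tokens) and tokens[i + 1] not in OPERATORS
        if flag in ("-u", "-p") and has_value:
            value = tokens[i + 1].strip('"')
            if flag == "-u":
                user = value
            elif MACRO.match(value):
                kind = "macro"      # tool definition: expanded at run time
            else:
                kind = "literal"    # a real password reached the command line
                tokens[i + 1] = "<redacted>"
            i += 1
        i += 1
    if kind is None:
        return None
    return {"user": user, "kind": kind, "redacted": " ".join(tokens)}

# Constructed samples: the tool definition from post #6 (path shortened), an
# expanded command line as a process-creation log would record it, and a call
# without -p (PsExec then prompts for the password instead).
SAMPLES = [
    r'cmd /c c:\My_Tools\pstools\psexec \\%E% -u %P1:LOGIN% -p %P2:Password/PWD% reg import "\\MYCOMPUTERNAME\c$\fix.reg" & pause',
    r'c:\My_Tools\pstools\psexec \\WS042 -u CORP\helpdesk -p Example-Passw0rd! reg import "\\FILESRV\share\fix.reg"',
    r'psexec \\WS042 -u CORP\helpdesk reg query HKLM\Software',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_command(line) or "ok: no password on the command line")
```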
