Volatile Environment Variable?

[Nyber]

Hello,

New user here. Is it possible to script volatile environment variables via vbs script using SecureCRT?

I ask because I would like to store semi-sensitive keyboard data in a non-persistent state. I was wondering if this has been done before I attempt to reinvent the wheel.

Thanks for any help,

Will

[jdev]

Setting/Getting environment variables in VBScript works inside SecureCRT the same way that it works outside SecureCRT because:

1. the script engine is the same and
2. you're using the WScript.Shell object to do the setting/getting of environment variables.

I've provided some example code below.

Try running the example code:

• Outside of SecureCRT (using WScript.exe, double-click on the .vbs file w/in the file Explorer or Win+R 'run': Wscript.exe "path_to_this_script_file")
• Outside of SecureCRT again
• Inside of SecureCRT (Script > Run)
• Inside of the same SecureCRT process again.
• Inside of SecureCRT, after closing SecureCRT and starting a fresh instance.

So, "PROCESS" environment vars are the most secure because they're only accessible within the same process.

"VOLATILE" env variables last only until you log out of Windows.

"USER" env variables are there to stay for your user until you remove/reset them.

"SYSTEM" = "USER", but are available to all users and all processes.


--Jake

Code:

' EnvVarExample_PROCESS_USER_VOLATILE_SYSTEM.vbs

Dim g_shell
Set g_shell = CreateObject("WScript.Shell")

' There are 4 different "Environments":
'   System, User, Volatile, or Process.  For inter-process
'   communication (parent process to child and vice versa),
'   the "Process" environment is used.
Set g_env_prc = g_shell.Environment("PROCESS")
Set g_env_sys = g_shell.Environment("SYSTEM")
Set g_env_usr = g_shell.Environment("USER")
Set g_env_vol = g_shell.Environment("VOLATILE")

strVarName = "VARNAME"
strVarValu = "VARVALUE"

strError = ""

MsgBox _
    "Current values for env variable: " & strVarName & vbcrlf & _
    " Process: " & vbtab & g_env_prc(strVarName) & vbcrlf & _
    "Volatile: " & vbtab & g_env_vol(strVarName) & vbcrlf & _
    "    User: " & vbtab & g_env_usr(strVarName) & vbcrlf & _
    "  System: " & vbtab & g_env_sys(strVarName) & vbcrlf & _
    strError

' Reset the var for all environments:
On Error Resume Next
g_env_prc(strVarName) = ""
g_env_sys(strVarName) = ""
g_env_usr(strVarName) = ""
g_env_vol(strVarName) = ""
On Error Goto 0

MsgBox _
    "All values reset for this variable: " & strVarName & vbcrlf & _
    " Process: " & vbtab & g_env_prc(strVarName) & vbcrlf & _
    "Volatile: " & vbtab & g_env_vol(strVarName) & vbcrlf & _
    "    User: " & vbtab & g_env_usr(strVarName) & vbcrlf & _
    "  System: " & vbtab & g_env_sys(strVarName) & vbcrlf & _
    strError

MsgBox "Setting 'PROCESS' " & strVarName & "=" & strVarValu & "..."
On Error Resume Next
g_env_prc(strVarName) = strVarValu
nError = Err.Number
strErr = Err.Description
On Error Goto 0

If nError <> 0 Then
    strError = vbcrlf & vbcrlf & "Error: " & nError & ": " & strErr
Else
    strError = ""
End If

MsgBox _
    "Values for env variable: " & strVarName & vbcrlf & _
    " Process: " & vbtab & g_env_prc(strVarName) & vbcrlf & _
    "Volatile: " & vbtab & g_env_vol(strVarName) & vbcrlf & _
    "    User: " & vbtab & g_env_usr(strVarName) & vbcrlf & _
    "  System: " & vbtab & g_env_sys(strVarName) & vbcrlf & _
    strError

MsgBox "Setting 'VOLATILE' VARNAME=VARVALU..."
On Error Resume Next
g_env_vol(strVarName) = strVarValu
nError = Err.Number
strErr = Err.Description
On Error Goto 0

If nError <> 0 Then
    strError = vbcrlf & vbcrlf & "Error: " & nError & ": " & strErr
Else
    strError = ""
End If

MsgBox _
    "Values for env variable: " & strVarName & vbcrlf & _
    " Process: " & vbtab & g_env_prc(strVarName) & vbcrlf & _
    "Volatile: " & vbtab & g_env_vol(strVarName) & vbcrlf & _
    "    User: " & vbtab & g_env_usr(strVarName) & vbcrlf & _
    "  System: " & vbtab & g_env_sys(strVarName) & vbcrlf & _
    strError

MsgBox "Setting 'USER' VARNAME=VARVALU..."
On Error Resume Next
g_env_usr(strVarName) = strVarValu
nError = Err.Number
strErr = Err.Description
On Error Goto 0

If nError <> 0 Then
    strError = vbcrlf & vbcrlf & "Error: " & nError & ": " & strErr
Else
    strError = ""
End If

MsgBox _
    "Values for env variable: " & strVarName & vbcrlf & _
    " Process: " & vbtab & g_env_prc(strVarName) & vbcrlf & _
    "Volatile: " & vbtab & g_env_vol(strVarName) & vbcrlf & _
    "    User: " & vbtab & g_env_usr(strVarName) & vbcrlf & _
    "  System: " & vbtab & g_env_sys(strVarName) & vbcrlf & _
    strError

MsgBox "Setting 'SYSTEM' VARNAME=VARVALU..."
On Error Resume Next
g_env_sys(strVarName) = strVarValu
nError = Err.Number
strErr = Err.Description
On Error Goto 0

If nError <> 0 Then
    strError = vbcrlf & vbcrlf & "Error: " & nError & ": " & strErr
Else
    strError = ""
End If

MsgBox _
    "Values for env variable: " & strVarName & vbcrlf & _
    " Process: " & vbtab & g_env_prc(strVarName) & vbcrlf & _
    "Volatile: " & vbtab & g_env_vol(strVarName) & vbcrlf & _
    "    User: " & vbtab & g_env_usr(strVarName) & vbcrlf & _
    "  System: " & vbtab & g_env_sys(strVarName) & vbcrlf & _
    strError

[Nyber]

Jake,

SecureCRT appears to clear on every session. Example.

Test.vbs

Code:

Option Explicit
Dim wshShell,wshSystemEnv,strPassword,nResult
Set wshShell = CreateObject("WScript.Shell")
Set wshSystemEnv = wshShell.Environment("VOLATILE")

If wshShell.ExpandEnvironmentStrings("%PASSVAR%") = "%PASSVAR%" Then
  'If volatile variable is empty then set
  strPassword = InputBox("Enter password", "Password needed")
  wshSystemEnv("PASSVAR") = strPassword
Else
  WScript.Echo wshSystemEnv("PASSVAR")
End If

When running this in Windows you will only set the password once. However, Script > Run in SecureCRT will always prompt.

[jdev]

Quote:

Originally Posted by Nyber

SecureCRT appears to clear on every session.

SecureCRT does not "clear on every session"; that's just an illusion -- a magic trick made possible by the magician leveraging a misunderstanding about how the ExpandEnvironmentStrings() is documented to operate. The VOLATILE variables are there, and they're available for SecureCRT to access, but ExpandEnvironmentStrings() cannot see them because it operates on PROCESS variables.

A process's environment variables are inherited from the process's parent (including any that may be VOLATILE). I'm guessing you might have launched SecureCRT *before* launching the .vbs within the Explorer.exe (or CMD.exe) process environment, therefore SecureCRT does not have access to any updated copies of the Explorer.exe-parented (or CMD.exe-parented) PROCESS variables -- unlike when you ran the script outside of SecureCRT. If you had run the .vbs directly w/in Explorer.exe/cmd.exe first, and then launched SecureCRT (from either explorer.exe or cmd.exe, you'd see the desired behavior.

Suggestion: Don't use ExpandEnvironmentStrings() to resolve VOLATILE environment variables. Use a different mechanism to determine whether or not your variable is set/initialized. For example:

Code:

Option Explicit
Dim wshShell,wshSystemEnv,strPassword,nResult
Set wshShell = CreateObject("WScript.Shell")
Set wshSystemEnv = wshShell.Environment("VOLATILE")

' If wshShell.ExpandEnvironmentStrings("%PASSVAR%") = "%PASSVAR%" Then
'   No can do on the above... ExpandEnvironmentStrings() only expands
'   PROCESS variables; not VOLATILE (unless such are inherited from a
'   pareent process in which the VOLATILE variable was already set.
'   To check existence/value of VOLATILE variable, for processes which
'   do not share the same copy of the parent process, use this method:
If wshSystemEnv("PASSVAR") = "" Then
  'If volatile variable is empty then set
  strPassword = InputBox("Enter password", "Password needed")
  wshSystemEnv("PASSVAR") = strPassword
Else
  MsgBox wshSystemEnv("PASSVAR")
End If

--Jake

[Nyber]

You rock, Jake!

I just need some basic obfuscation encryption and an encoded .vbe and I'll be happy. I really appreciate your through explanation, it will save me hours of jumpserver redundancy.

[jdev]

Quote:

Originally Posted by Nyber

I just need some basic obfuscation encryption and an encoded .vbe and I'll be happy. I really appreciate your through explanation, it will save me hours of jumpserver redundancy.

SecureCRT's Logon Actions functionality didn't meet your needs?

Its not a security best practice to store credentials, but for those who value convenience in an environment where security isn't critical, Logon Actions can be of assistance. Logon Actions are expect/send sequences that are encrypted in Session Options such that they are available to only SecureCRT (and if you use a Configuration Passphrase they are only available to you -- and others who know your configuration passphrase).

--Jake

[Nyber]

That was my original method of attack but it did not behave as I expected. This is my script (that works) but I'd rather obscure things a little bit and refine some outside cases. Really appreciate your guidance, I'm now your pest for the next 3 years (V000123735).

[jdev]

Quote:

Originally Posted by Nyber

That was my original method of attack but it did not behave as I expected. This is my script (that works)

Ah, yes. If you need logic to branch off of multiple things that could be "expected", Logon Actions won't be sufficient to meet that need.

I've added a feature request on your behalf for a way to encrypt a script natively w/in SecureCRT or be able to have an encrypted substitution database with a scripting interface so that you could "send" the value retrieved by a name/key or something along those lines. It's not clear if/when such features would be implemented, but if you desire email notification of their availability should they ever become a reality, send email to support@vandyke.com with a subject of "Me Too! Forum thread #13105 - Encrypt script or substitution database"

--Jake

[Nyber]

Hi Jake,

Question. I've written all my logic in VBScript and included some encryption obfuscation and encoded to file.vbe.

Should I have written it in Python and encoded it as file.pyc instead? Is Python encoding better? Albeit still a flawed version of "encryption".

Code:

Function Encrypt(sStr)
  Dim i,n,e
  e = ""
  n = 1
  For i = 1 To Len(sStr)
    e = e & Chr(Asc(Mid(sStr,i,1)) + Asc(Mid(Key,n,1)))
    n = n + 1
    If n > Len(Key) Then
      n = 1
    End If
  Next
  Encrypt = e
End Function

[jdev]

Quote:

Originally Posted by Nyber

Should I have written it in Python and encoded it as file.pyc instead? Is Python encoding better?

SecureCRT doesn't currently support running a script compiled as a .pyc file, so your decision to go with a .vbe is at least something that will work.

I've added another feature request on your behalf for SecureCRT to support running .pyc script files.

--Jake