Splunk Search

Python SDK - getting username and password (without hard coding)

BernardEAI
Communicator

Hi

I'm trying to get the username and password of the user calling a python script from the search bar in the Splunk UI. I need this to log into smtp to send an email (smtp.login(username, password)).

I need to make use of SCPv2, so the

 results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() 

route is not an option. I can get the authenticated session connection via the self object (self.service). I though I should be able to get the username and password using "storage_passwords", however when I use that and output the username and password to the logger, I see the following:

Username:Windows_Usage``splunk_cred_sep``2 Password:``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``

It looks like the username and password is encrypted in some way? If I try to use those credentials, I get a "[HTTP 401] Client is not authenticated" error. Looking at the capabilities o the user, I see that "list_storage_passwords" is included.

Any ideas on how I can get the username and password? If I hardcode the username and password everything works, but I do not like to have passwords in script files.

Labels (1)
0 Karma
1 Solution

BernardEAI
Communicator

@Patrick_Peeters  I have determined that those passwords are encrypted, and for some reason they are not decrypted correctly.

I have now added my own username and password to a passwords.conf file in my app/local folder. I can now see that username and password if I run 

 

storage_passwords=self.service.storage_passwords
  for credential in storage_passwords:
            usercreds = {'username':credential.content.get('username'),'password':credential.content.get('clear_password')}

 

Initially the passwords I added were not encrypted, which is not very secure. I managed to generate an encrypted passwords by using an API call:

curl -k -u admin:<admin_password> https://<splunk_host>:8089/servicesNS/nobody/<app_name>/storage/passwords -d name=<username> -d password=<password>

View solution in original post

BernardEAI
Communicator

Hi @Patrick_Peeters 

Thanks for the feedback. Correct, I used something very close to your code:

storage_passwords=self.service.storage_passwords
for storage_password in service.storage_passwords:
    if storage_password.username == username and storage_password.realm == 'your_app':
        clear_pw = storage_password.content.clear_password

Incidentally, how do you get the session key? I do not need the key since the search command already gives me an authenticated session connection via the self object. However I can't seem to get the value of sessionKey from the self object. If I could get the session key there would be another route to get the password.

0 Karma

Patrick_Peeters
Splunk Employee
Splunk Employee

I got it by importing the Script class and using the following line:

from splunklib.modularinput import Script, Scheme, Argument, Event
session_key = self._input_definition.metadata["session_key"]
0 Karma

BernardEAI
Communicator

@Patrick_Peeters  I have determined that those passwords are encrypted, and for some reason they are not decrypted correctly.

I have now added my own username and password to a passwords.conf file in my app/local folder. I can now see that username and password if I run 

 

storage_passwords=self.service.storage_passwords
  for credential in storage_passwords:
            usercreds = {'username':credential.content.get('username'),'password':credential.content.get('clear_password')}

 

Initially the passwords I added were not encrypted, which is not very secure. I managed to generate an encrypted passwords by using an API call:

curl -k -u admin:<admin_password> https://<splunk_host>:8089/servicesNS/nobody/<app_name>/storage/passwords -d name=<username> -d password=<password>

Patrick_Peeters
Splunk Employee
Splunk Employee

I assume you tried something like this to get the output?

args = {'token': 'your_session_key'}
service = client.connect(**args)

for storage_password in service.storage_passwords:
    if storage_password.username == username and storage_password.realm == 'your_app':
        clear_pw = storage_password.content.clear_password

 That works in my case. I've seen something like your output when analysing passwords/secrets that I used when coding using the Splunk Add-on Builder but it's been a long time so not sure if it's related.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...