Python SDK - getting username and password (without hard coding)

BernardEAI
Communicator

Hi

I'm trying to get the username and password of the user calling a python script from the search bar in the Splunk UI. I need this to log into smtp to send an email (smtp.login(username, password)).

I need to make use of SCPv2, so the

 results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults() 

route is not an option. I can get the authenticated session connection via the self object (self.service). I thought I should be able to get the username and password using "storage_passwords", however when I use that and output the username and password to the logger, I see the following:

Username:Windows_Usage``splunk_cred_sep``2 Password:``splunk_cred_sep``S``splunk_cred_sep``P``splunk_cred_sep``L``splunk_cred_sep``U``splunk_cred_sep``N``splunk_cred_sep``K``splunk_cred_sep``

It looks like the username and password are encrypted in some way? If I try to use those credentials, I get a "[HTTP 401] Client is not authenticated" error. Looking at the capabilities of the user, I see that "list_storage_passwords" is included.

Any ideas on how I can get the username and password? If I hardcode the username and password everything works, but I do not like to have passwords in script files.

0 Karma
1 Solution

BernardEAI
Communicator

@Patrick_Peeters  I have determined that those passwords are encrypted, and for some reason they are not decrypted correctly.

I have now added my own username and password to a passwords.conf file in my app/local folder. I can now see that username and password if I run 

# Collect each stored credential's username and clear-text password
storage_passwords = self.service.storage_passwords
for credential in storage_passwords:
    usercreds = {'username': credential.content.get('username'), 'password': credential.content.get('clear_password')}

Initially the passwords I added were not encrypted, which is not very secure. I managed to generate an encrypted password by using an API call:

curl -k -u admin:<admin_password> https://<splunk_host>:8089/servicesNS/nobody/<app_name>/storage/passwords -d name=<username> -d password=<password>


BernardEAI
Communicator

Hi @Patrick_Peeters 

Thanks for the feedback. Correct, I used something very close to your code:

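# self.service is the authenticated connection provided to the search command
storage_passwords = self.service.storage_passwords
for storage_password in storage_passwords:
    # username is the account name being looked up
    if storage_password.username == username and storage_password.realm == 'your_app':
        clear_pw = storage_password.content.clear_password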

Incidentally, how do you get the session key? I do not need the key since the search command already gives me an authenticated session connection via the self object. However I can't seem to get the value of sessionKey from the self object. If I could get the session key there would be another route to get the password.

0 Karma

Patrick_Peeters
Splunk Employee

I got it by importing the Script class and using the following line:

from splunklib.modularinput import Script, Scheme, Argument, Event
session_key = self._input_definition.metadata["session_key"]

0 Karma

Patrick_Peeters
Splunk Employee

I assume you tried something like this to get the output?

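import splunklib.client as client

# Connect with an existing session key instead of a username and password
args = {'token': 'your_session_key'}
service = client.connect(**args)

# username is the account name being looked up
for storage_password in service.storage_passwords:
    if storage_password.username == username and storage_password.realm == 'your_app':
        clear_pw = storage_password.content.clear_password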

That works in my case. I've seen something like your output when analysing passwords/secrets that I used when coding using the Splunk Add-on Builder but it's been a long time so not sure if it's related.

0 Karma
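
Added example, not code from any poster in this thread: a fail-closed lookup of one stored credential by realm and username, which skips entries whose name carries the ``splunk_cred_sep`` separator quoted in the question and gives the logger a redacted value instead of the password. The stand-in objects, sample names and passwords, and the rule that separator-bearing entries are not login credentials are assumptions; only .username, .realm and .content.clear_password come from the thread.

```python
from types import SimpleNamespace

# Separator copied from the logged output quoted in the question.
CRED_SEP = "``splunk_cred_sep``"


class CredentialLookupError(Exception):
    """Raised when the lookup does not resolve to exactly one usable entry."""


def find_credential(storage_passwords, realm, username):
    """Return (username, clear_password) for exactly one matching entry."""
    matches = []
    for entry in storage_passwords:
        # Assumption: names containing the separator are not login credentials.
        if CRED_SEP in (entry.username or ""):
            continue
        if entry.username == username and (entry.realm or "") == realm:
            matches.append(entry)
    if len(matches) != 1:
        raise CredentialLookupError(
            "expected 1 credential for %s:%s, found %d" % (realm, username, len(matches)))
    clear = getattr(matches[0].content, "clear_password", None)
    if not clear or CRED_SEP in clear:
        raise CredentialLookupError("no usable clear_password for %s:%s" % (realm, username))
    return username, clear


def redact(secret):
    """Value that is safe to write to the search command's logger."""
    return "<redacted, %d chars>" % len(secret)


def _entry(username, realm, clear_password):
    # Constructed stand-in for a storage password entity (hypothetical helper).
    return SimpleNamespace(username=username, realm=realm,
                           content=SimpleNamespace(clear_password=clear_password))


# Constructed sample data: two credentials plus an entry shaped like the logged one.
SAMPLE = [
    _entry("Windows_Usage" + CRED_SEP + "2", "", CRED_SEP + "S" + CRED_SEP),
    _entry("mailer", "your_app", "example-password"),
    _entry("mailer", "other_app", "different-password"),
]

if __name__ == "__main__":
    user, pw = find_credential(SAMPLE, "your_app", "mailer")
    print(user, redact(pw))
```

Inside a search command the same function can be called with self.service.storage_passwords as its first argument.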