Pular para o conteúdo principal
Version: 3.24

Executors plugins syntax

This chapter will cover every plugin syntax and particularities. A small example will be used to make easy to understand its functionality. Remember that senhasegura is installed with more than 250 out-of-the-box templates. And you can also access the senhasegura PAM Solution to have access to the partner community templates.

cURL

Executor for requests to simple web pages. Pages without JavaScript environment or HTML events. You can use this executor for legacy systems based on pure HTML4 architecture.

If you need to perform an automation using web interfaces elements simulating a real user actions, take a look at the HTTP executor.

By default this plugin does not validate the SSL connection and its default timeout is setted to 10 seconds.

Syntax

This plugin accept commentary. For comments use the sharp character '#' at the beginning of the line.

CommandDescription
set-disable-authDo not consider user and password in request to supply HTTP Authset-disable-auth
set-request-header ”param” ”value”Sets a header parameter for HTTP request to be performed.set-request-header ”mytoken”``”FF32C5E9AC1800A2”
set-request-param ”param” ”value”Configures any cURL1 parameter for the request to be madeset-request-param``”CURLOPT_ENCODING” ”ISO-8859-1”
set-request-content ”content”Determines the data content of the request. From this value is calculated the header Content-lengthset-request-content``”name=Peter&surname=McAlister”
set-content-type ”type”Determines the content definition header of the requisition. This value will be assigned to the header Content-type: text/TYPE;charset=”utf-8” e Accept: text/TYPE.set-content-type ”text”
set-request-method ”method”Determines the type of requisition that will be performed. Can be post, put and delete methods. Check RFC 7231 for more details.set-request-method ”GET”
request ”URL”Realizes the request at the given URLrequest ”https://www.google.com/”
expect ”string”Search for a text within the answer to the request. Fails if not found. Continue if found.expect ”password changed!”
no-expect ”string”Search for a text within the answer to the request. Continue if not found. Fails if found.no-expect ”password change failed!”

Example of a simple HTTP password change with token header

set-request-header "X-INTRANET-TOKEN" "FF32C5E9AC1800A2"
set-request-param "username" "[#AUTH_USER#]"
set-request-param "password" "[#AUTH_PASSWORD#]"
set-request-param "tgt_user" "[#USERNAME#]"
set-request-param "tgt_npassword" "[#NEW_PASSWORD#]"

set-request-method "POST"

## If 7 bytes string 1200-OK returns, the password change was accepted
expect "1200-OK"

## If 7 bytes string 9999-NOK returns, the password change has failure
no-expect "9999-NOK"

HTTP

Executor for requests to complex web pages where more interactivity using JavaScript elements and event triggers are required;

Syntax

CommandDescription
start-at urlIndicates the initial url of the desired page. This command should be at the template begin.start-at https://www.senhasegura.com/
timeout millisecondsMilliseconds total duration of the process as a whole. This command should be at the template begin.timeout 3000
useragent stringSpecifies which useragent will be used during password change. By default it will use Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36. This command should be at the template begin.useragent senhasegura-executor
new-actionIndicates that a new group of actions will begin.A group of actions is composed of all actions performed for a page submit.new-action
set-location urlRedirects the executor to the indicated URL.set-location https://mysystem.local/admin/login.php
test-location stringValidate the current URL against the provided string. The given string can be just a piece of the entire URL. Stops the process if false.test-location /admin/login.php
log stringRegister a log message. Use for identifying the steps into the execution log.log Starting authentication steps
test-selector selectorPerform a test on a selector similar to jQuery selectors. If it does not find the element, it interrupts the process as failed.test-selector input#username
fill selectordataFills the element returned by the selector with the indicated value.fill input#username #USERNAME#
click selectorFire the event by clicking on the DOM element returned by the selector.click inputtype=button#login
jclick selectorFire the event click on the element returned by the selector.jclick inputtype=button#login
offset xyCreates a positioning offset to adjust the really-click and really-fill commands.
really-click selectorFire one external click on the page. Just like a user does. Use the offset command to adjust the element coordinate.really-click inputtype=button#login
really-fill selectordataFills the element returned by the selector with the indicated value through user input simulation. The element will be clicked using really-click command before being filled. Use the offset command to adjust the element coordinate.really-fill input#username #USERNAME#
prop selectorpropertyvalueChange an element property. Normally used when some CSS class or DOM element made a really-fill or really-click action hard to be performed.prop input#agreement enabled true
test-visible selectorTest if element is visible for the user. Interrupt the operation if it is not visible.test-visible div#alert.success
test-not-visible selectorTest if element is invisible. Interrupt the operation if it is visible.test-not-visible div#alert.failure
sleep millisecondsWait for the milliseconds specified between one action and another.sleep 1000
jscript jscodeJavaScript script code to execute into the current rendered page. Use with caution.jscript $(’inputtype=checkbox’).prop(’checked’, true);
caution

The sleep command inserts a wait action so the current action is resumed and a new action is generated with the next command (after the wait period).

Example for Amazon AWS Console

start-at https://console.aws.amazon.com/console/home
timeout 30000
user-agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"

new-action
sleep 4000
test-location /signin?redirect_uri
fill #resolving_input [#USERNAME#]
jclick #next_button
sleep 2000

new-action
fill #ap_password [#CURRENT_PASSWORD#]
click #signInSubmit-input

new-action
test-location /console/home
set-location https://signin.aws.amazon.com/updateaccount?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fbilling%2Fhome%23%2Faccount
sleep 2000

new-action
test-location /ap/cnep
jclick #cnep_1A_change_password_button-input

new-action
fill #ap_password [#CURRENT_PASSWORD#]
fill #ap_password_new [#NEW_PASSWORD#]
fill #ap_password_new_check [#NEW_PASSWORD#]
click #cnep_1D_submit_button-input

new-action
test-selector #message_success

LDAP

This plugin can be used to interact even to Microsoft®Active Directory or OpenLDAP servers.

Syntax

CommandDescription
connect null ”target”It connects to the requested destination. If not informed, connects to the device linked to the credential.connect
find ”dn” ”filter”Locates the single entry to be manipulatedfind ”o=MyCompany,c=BR” ”(username=user01)”
mod-add ”param” ”value”Add an attribute to the entry. Depends on whether the command find has already been successfully executed.mod-add ”memberuid” ”username”
mod-del ”param” ”value”Remove an attribute from the entry. Depends on whether the command find has already been successfully executed.mod-del ”memberuid” ”username”
mod-replace ”param” ”value”Replaces an attribute with the entry. Depends on whether the command find has already been successfully executed.mod-replace ”memberuid” ”username”
bind ”dn”Performs server authenticationbind ”uname”
set-option ”param” ”value”Determines the value of a property in the LDAP connection. See PHP LDAP1 to the pick list.set-option ”LDAP_OPT_PROTOCOL_VERSION” ”3”

Example for domain user password change at Microsoft Active Directory

## LDAP protocol version
set-option LDAP_OPT_PROTOCOL_VERSION 3

## DistinguishedName of the user who will connect to the server
bind "cn=[#AUTH_USER#],CN=Users,DC=senhasegura,DC=local"

## Search the user in which the procedure will be done.

## The system will search in general scope for a user object that has
the name of the user
find "DC=senhasegura,DC=local" "(&(objectClass=user)
(sAMAccountName=[#USERNAME#]))"

## Update user password
mod-replace unicodePwd "u([#NEW_PASSWORD#])"

Example for user account activation

## LDAP protocol version
set-option LDAP_OPT_PROTOCOL_VERSION 3
set-option LDAP_OPT_REFERRALS 3

## DistinguishedName of the user who will connect to the server
bind "CN=[#AUTH_USER#],CN=Users,DC=senhasegura,DC=local"

## Search the user in which the procedure will be done.
find "DC=senhasegura,DC=local" "(&(objectClass=user) (sAMAccountName=[#USERNAME#]))"

## Update account status
mod-replace userAccountControl 512
info

To find the DistinguishedName of your server access the area of Advanced Features and follow the steps:

  1. Click on View and then on Advanced Features.

  2. With the complete view of user attributes, click on User Properties.

  3. Go to the attribute editor tab and find the DistinguishedName among the information.

SSH

Syntax

This plugin accept commentary. For comments use the sharp character '#' at the beginning of the line.

CommandDescription
set-ssh-version [1]Determines the version of SSH to be used. By default it will use the 2.set-ssh-version 2
set-new-line-mode [unixwindowsmac]Send command character. By default it will use unix.set-new-line-mode unix
set-read-timeout [seconds]Time in seconds for command reading read timeout. By default will use 5 seconds.set-read-timeout 5
set-connect-timeout [seconds]Time in seconds for connectivity timeout. By default it will use 5 seconds.set-connect-timeout 5
exec ”string”Executes the command on the remote deviceexec ”passwd myuser”
write ”string”Write the string to the remote device. The end of line character will not be sent.
read ”string”Locates the text provided in the connection output. Does not accept regular expressions.read ”New password:”
expect ”string”Locates the text provided in the connection output, allowing the use of the wildcard character ’*’ for expansive searches.
expect-regexLocates the text through a regular expression.read ”[nN]ew password:”
sleep ”seconds”Waits for the script to run within the given secondssleep 10
no-expectSearch for an expression to irrigate within the response to the request. Continue if you can’t find it. Fails if found.no-expect ”password change failed!”
endCloses the connection to the target serverend

Example for a Linux user password change

## Put the language in English
expect "*#"
exec "export LC_ALL=C"

## Execute the password change for the user
expect "*#"
exec "passwd [#USERNAME#]"

## Fill in the new password
expect "*password:"
exec "[#NEW_PASSWORD#]"

## Confirm the new password
expect "*password:"
exec "[#NEW_PASSWORD#]"

## Validates if successfully changed
expect "*updated successfully"

Example for Apache htpasswd password change

expect "*#"
exec "htpasswd -bm /etc/htpasswd/.htpasswd [#USERNAME#] [#NEW_PASSWORD#]"

expect "*Updating"
expect "*#"
exec "exit"

end

Example for Apache Tomcat password change

## Changing tomcat-users.xml user entry
expect "*#"
exec "sed -i 's/<user username="[#USERNAME#]" password="[#CURRENT_PASSWORD#]"/<user username="[#USERNAME#]" password="[#NEW_PASSWORD#]"/' /etc/tomcat/tomcat-users.xml"

## Validating changing step
expect "*#"
exec "cat /etc/tomcat/tomcat-users.xml | grep 'username="[#USERNAME#]" password'"
expect "*[#NEW_PASSWORD#]*"

## Restarting tomcat
expect "*#"
exec "service tomcat restart"

## Finish the procedure
expect "*#"
exec "exit"
end

Example for Red Hat JBoss Application Vault

expect "*#"
exec "/opt/wildfly/bin/vault.sh --enc-dir /opt/vault --keystore /opt/vault.keystore --keystore-password VaultK --salt $(shuf -i 10000000-99999999 -n 1) --iteration $(shuf -i 10-99 -n 1) --alias vault --vault-block [#ADD_INFO#] --attribute [#USERNAME#] --sec-attr [#NEW_PASSWORD#]"

expect "Please make note of the following:"
expect "*#"
exec "exit"

end

SSH Legacy

Syntax

This plugin accept commentary. For comments use the sharp character '#' at the beginning of the line.

CommandDescription
write "command"Forwards the command execution to the target serverwrite ”passwd myuser”
exec ”command”Same as the write
read ”string”Search for a text within the answer to the request. Fails if not found. Continue if found.read ”password updated successfully”
expect ”string”Same as the read
expect-regexSame as the read
not-expect ”string”Search for a text within the answer to the request. Continue if not found. Fails if found.password unchanged

Example for a legacy Linux password change

## Request password change
expect "*$"
exec "sudo passwd [#USERNAME#]"

## Fill in the sudo password
expect "*:"
exec "[#AUTH_PASSWORD#]"

## Fill in the new password
expect "*password:"
exec "[#NEW_PASSWORD#]"

## Confirm the new password
expect "*password:"
exec "[#NEW_PASSWORD#]"

## Validates if successfully changed
expect "*successfully"

Telnet

Syntax

CommandDescription
set-username-prompt ”string”Determines which user prompt pattern to locate. The search value is a simple text. It is not a regular expression.set-username-prompt ”Username:”
set-password-prompt ”string”Determines which password prompt pattern to locate. The search value is a simple text. It is not a regular expression.set-password-prompt ”Password:”
set-new-line-mode [unixwindowsmac]Determines which breakline system must use.set-new-line-mode ”unix”
set-no-authenticateConfigures the executor to skip authentication stepset-no-authenticate
send ”command”Sends the command to the target server without inserting the line break character automatically at the end.send ”passwd”
exec ”command”Sends the command to the target server by entering the line break character at the end.
expect ”pattern”Wait for the desired text to appear.expect ”changed!”
endCloses the connection to the target server.end

Example for an 3com Switch 5500 Family

## Waiting username
expect "*:"
exec "[#USERNAME#]"

## Waiting password
expect "*:"
exec "[#CURRENT_PASSWORD#]"

## Enter system-view
expect "*>"
exec "system-view"

## Enter local user view
expect "*]"
exec "local-user [#USERNAME#]"

expect "*]"
exec "password cipher [#NEW_PASSWORD#]"

## Exit to user.
expect "*]"
exec "quit"

## Exit to system view.
expect "*]"
exec "quit"

expect "*>"
exec "quit"

Windows RM

The target device needs Microsoft®Windows®Remote Management connectivity enabled and authorized.

Syntax

CommandDescription
!unsecureDetermines the use of unsafe prototype for change.!unsecure
!reload-passwordForces the replacement of the current password with the new password value.!reload-password
!sleep secondsWait for the determined number of seconds to execute the next command.!sleep 30
!change-passwordRequests the execution of password change of the target user of this automation.!change-password
powershell cmdExecutes the powersheel command on the remote server.powershell Set-ADAccountPassword -Identity``[#username#] -Reset -NewPassword (ConvertTo-SecureString``-AsPlainText ”[#NEW_PASSWORD#]” -Force)

Example for devices that have Windows RM over HTTPS

## change user password
!change-password

Example for devices that have Windows RM over HTTP

!unsecure

## change user password
!change-password

Example for password change in configuration file via PowerShell

powershell (Get-Content .Desktop\Web.config) | Foreach-Object {$_
-replace 'password=([^;"]+)','password=[#NEW_PASSWORD#]'} |
Set-Content .Desktop\Web.config

Example for COM+ Application password change using PowerShell

## Change user password
!change-password

## Replicate the new password into COM+ application
powershell $comAdmin = New-Object -com ("COMAdmin.COMAdminCatalog.1")[nl]$applications = $comAdmin.GetCollection("Applications")[nl]$applications.Populate()[nl]foreach ($application in $applications)[nl]{[nl]$appName = $application.Value("Name")[nl]$appIdentity = $application.Value("Identity")[nl]if ($appIdentity -eq "[#ADD_INFO#]\[#USERNAME#]") {[nl]$application.Value("Password") = "[#NEW_PASSWORD#]"[nl]$comAdmin.ShutdownApplication($appName)[nl]$applications.SaveChanges()[nl]$comAdmin.StartApplication($appName)[nl]}[nl]}

Example for Windows Autologon password change using PowerShell

## Change user password
!change-password

## Replicate the new password into Windows registry
powershell $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"[nl]
Set-ItemProperty $RegPath "AutoAdminLogon" -Value "1" -type String[nl]
Set-ItemProperty $RegPath "DefaultDomain" -Value "[#DOMAIN#]" -type String[nl]
Set-ItemProperty $RegPath "DefaultUsername" -Value "[#USERNAME#]" -type String[nl]
Set-ItemProperty $RegPath "DefaultPassword" -Value "[#PASSWORD#]" -type String

Example for IIS Website Application Pool

## Change user password
!change-password

## Replicate the new password into IIS application pool
C:\Windows\System32\inetsrv\appcmd.exe set config /section:applicationPools /"[name='[#ADD_INFO#]']".processModel.identityType:SpecificUser /"[name='[#ADD_INFO#]']".processModel.userName:[#USERNAME#] /"[name='[#ADD_INFO#]']".processModel.password:[#NEW_PASSWORD#]

Windows RPC

The target device needs Microsoft®Windows®RPC connectivity enabled and authorized.

Syntax

This executor accept any Microsoft®Windows®RPC command, plus some senhasegura Microsoft®Windows®RPC Executor commands starting with exclamation.

CommandDescription
!netsmb-passwordRequests the execution of password change of the target user of this automation.!netsmb-password
!reload-passwordForces the replacement of the current password with the new password value.!reload-password
!sleep secondsWait for the determined number of seconds to execute the next command.!sleep 30

Changing a domain user password

## Changing account using executor command alias
!netsmb-password

## You can also execute a native RPC command
## net user [#USERNAME#] [#NEW_PASSWORD#] /domain

Changing a local user password and update a local user Windows Task account password

## Change password
net user [#USERNAME#] [#NEW_PASSWORD#]

## Waiting three seconds
!sleep 3

## Update password for "Defrag"
schtasks /Change /RU [#USERNAME#] /RP [#NEW_PASSWORD#] /TN Defrag

Changing a local user password and update a Windows Service account password

## Change password
net user [#USERNAME#] [#NEW_PASSWORD#]

## Waiting three seconds
!sleep 3

sc config [#ADD_INFO#] obj= [#USERNAME#] password= [#NEW_PASSWORD#]

MySQL

Syntax

You can execute any MySQL administration query, or even queries targeting databases.

You can also call MySQL functions or specific databases functions. The only limitation is to call or create stored procedures.

User password change example

ALTER USER '[#USERNAME#]'@'[#ADD_INFO#]' IDENTIFIED BY '[#NEW_PASSWORD#]';
FLUSH PRIVILEGES;

Oracle

Syntax

You can execute any Oracle administration query, or even queries targeting databases.

You can also call Oracle functions or specific databases functions. The only limitation is to call or create stored procedures.

User password change example

CONN [#USERNAME#]@[#ADD_INFO#]
ALTER USER [#USERNAME#] IDENTIFIED BY [#NEW_PASSWORD#]

PostgreSQL

Syntax

You can execute any PostgreSQL administration query, or even queries targeting databases.

You can also call PostgreSQL functions or specific databases functions. The only limitation is to call or create stored procedures.

User password change example

ALTER USER [#USERNAME#] WITH PASSWORD '[#NEW_PASSWORD#]';

SQL Server

Syntax

You can execute any SQL Server administration query, or even queries targeting databases.

You can also call SQL Server functions or specific databases functions. The only limitation is to call or create stored procedures.

User password change example

ALTER LOGIN [#USERNAME#] WITH PASSWORD = '[#NEW_PASSWORD#]' OLD_PASSWORD = '[#CURRENT_PASSWORD#]' UNLOCK;

Tk Expect

This plugin use the TK Expect binary to interact using a powerful stdout interpreter.

Syntax

You can use the native TK Expect manual to create your script.

IBM AS400 password change example

use telnet script
expect {
"User . ." {
send "[#USERNAME#]\t"
exp_continue
} "Password . ." {
send "[#CURRENT_PASSWORD#]\r\n"
exp_continue
} "Selection or command" {
send "chgpwd\r\n"
exp_continue
} "Current password . ." {
send "[#CURRENT_PASSWORD#]\r\n"
exp_continue
} "New password . ." {
send "[#NEW_PASSWORD#]\r"
exp_continue
} "New password (to verify)" {
send "[#NEW_PASSWORD#]\r"
exp_continue
} "Password changed successfully." {
send "\r"
exit 0
} incorrect {
send_user "FAILURE INCORRECT"
exit 1
} timeout {
send_user "FAILURE TIMEOUT"
exit 1
} eof {
send_user "FAILURE EOF"
exit 1
}
}

SQLPlus

You can use SQLPlus commands to integrate your script.

VMWare ESXi

This plugin will interact over the VMWare ESXi administrative console binary esxcli.

Syntax

The original esxcli command syntax should be used.

Setting a user password using esxcli "system account set" command example

system account set -i '[#USERNAME#]' -p '[#NEW_PASSWORD#]' -c '[#NEW_PASSWORD#]'

x3270 IBM Terminal Emulator

Executor for mainframes IBM 3270. You can interact over mainframe application interfaces interpreting its design.

Syntax

Some of the linux x3270 commands was replaced by executor aliases to make the senhasegura integration secure and easy.

CommandDescription
timeout [seconds]Some mainframes connections, or some actions, can get stuck. To avoid this situation you can configure the timeout seconds. This timeout is the maximum elapsed time the entire operation can take. By default its configured to 5 seconds.This command should be used before connect command. timeout 300
sleep [seconds]Sleep by the given seconds. Use this command if you need to wait the mainframe perform some action. This sleep will not be sent to the mainframe.sleep 3
echo [string]Echo a string into the executor operation logs. This echoed message will not be sent to the mainframe.echo Starting authentication step
connectWill perform the mainframe connection to start the interaction step, resulting into a Connect action.connect
search [data][x,y,r,c]Will lookup the rendered mainframe application for the given coordinate and compare with the give data string. If will stop the execution with failure status if it’s not equal.The coordinate should be composed by 4 position variables.The command will be translated to Ascii action.* x: Starting row number starting by 0;
  • y: Starting char column starting by 0;
  • r: Number of rows to be returned starting by 1;
  • c: Number of columns to be returned starting by 1;search SUCCESSFUL 10,17,1,10 | | search_not [data][x,y,r,c] | Similar to search. But will failure if the give string have been found.search_not FAILURE 10,17,1,7 | | send [data] | Input some data to target application. This command can accept string escapes sequences.The command will be translated to String() action.send T01281\t2918\r | | screenshot | Will log into the executor operation log the entire rendered ASCII screen (24x80 terminal only).screenshot | | disconnect | Will perform a mainframe connection shutdown.The command will be translated to Disconnect() action.disconnect |

Changing user password into mainframe application example

timeout 350

## AUTHENTICATION STEP ##################

echo Starting connection

connect

sleep 3

echo Performing login
search USER: 20,2,1,5

send [#USERNAME#]\t[#CURRENT_PASSWORD#]\r

echo Result screen
screenshot

## PASSWORD CHANGE STEP ##################

search USER: [C] CHANGE PASSWORD 10,5,1,19

send C\r[#NEW_PASSWORD#]\t[#NEW_PASSWORD#]\r

search_not FAILURE 12,70,1,7
search SUCCESS 12,70,1,7

echo Result screen
screenshot

disconnect