Is it possible to access RSA Secure Id programmatically?

Published 2020-05-23 17:46

Question:

I have a requirement where I need to enter the secure Id from an RSA token during login authentication and then start running the automation test.

Is it possible to access the RSA token value programmatically through any API or any other way, so that the test flow can be automated completely?

Answer 1:

We automated our login to a VPN that uses RSA SecurID and Cisco AnyConnect by doing the following:

1) Open RSA SecurID programmatically the way you want

2) Run the following .ps1

#Source http://www.lazywinadmin.com/2010/06/powershell-get-clipboard-set-clipboard.html
function Get-ClipBoard {
    # Paste the clipboard into a throwaway multiline TextBox and return its text
    Add-Type -AssemblyName System.Windows.Forms
    $tb = New-Object System.Windows.Forms.TextBox
    $tb.Multiline = $true
    $tb.Paste()
    $tb.Text
}
# end Source http://www.lazywinadmin.com/2010/06/powershell-get-clipboard-set-clipboard.html

$wshell = New-Object -ComObject wscript.shell
#Here you need to write the name that appears on the left top corner of the rsa secure id window
$wshell.AppActivate('the name')
Sleep 1
$wshell.SendKeys('{TAB}')
$wshell.SendKeys('~')           # '~' is Enter in SendKeys syntax
$a = Get-ClipBoard              # the passcode the token app copied to the clipboard


#Source http://www.cze.cz
#This script is tested with "Cisco AnyConnect Secure Mobility Client version 3.0.5080"
#Please change following variables

[string]$CiscoVPNHost = 'the vpn you are trying to connect'
[string]$Login = 'your user'
[string]$Password = $a          # the SecurID passcode read above

#Please check if file exists on following paths
[string]$vpncliAbsolutePath = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'
[string]$vpnuiAbsolutePath = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe'

#****************************************************************************
#**** Please do not modify code below unless you know what you are doing ****
#****************************************************************************

Add-Type -AssemblyName System.Windows.Forms -ErrorAction Stop

#Set foreground window function
#This function is called in VPNConnect
Add-Type @'
using System;
using System.Runtime.InteropServices;
public class Win {
    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool SetForegroundWindow(IntPtr hWnd);
}
'@ -ErrorAction Stop

#quickly start VPN
#This function is called later in the code
Function VPNConnect()
{
    Start-Process -FilePath $vpncliAbsolutePath -ArgumentList "connect $CiscoVPNHost"
    $counter = 0; $h = 0;
    while($counter++ -lt 1000 -and $h -eq 0)
    {
        sleep -m 10
        # vpncli may not exist yet on the first iterations; ignore the lookup error until it does
        $p = Get-Process vpncli -ErrorAction SilentlyContinue
        if($p){ $h = $p.MainWindowHandle }
    }
    #if it takes more than 10 seconds then display message
    if($h -eq 0){echo "Could not start VPNUI it takes too long."}
    else{[void] [Win]::SetForegroundWindow($h)}
}

#Terminate all vpnui processes.
Get-Process | ForEach-Object {if($_.ProcessName.ToLower() -eq "vpnui")
    {$Id = $_.Id; Stop-Process $Id; echo "Process vpnui with id: $Id was stopped"}}
#Terminate all vpncli processes.
Get-Process | ForEach-Object {if($_.ProcessName.ToLower() -eq "vpncli")
    {$Id = $_.Id; Stop-Process $Id; echo "Process vpncli with id: $Id was stopped"}}

#Disconnect from VPN
echo "Trying to terminate remaining vpn connections"
start-Process -FilePath $vpncliAbsolutePath -ArgumentList 'disconnect' -wait
#Connect to VPN
echo "Connecting to VPN address '$CiscoVPNHost' as user '$Login'."
VPNConnect

#Write login and password (the passcode) into the vpncli console window
[System.Windows.Forms.SendKeys]::SendWait("$Login{Enter}")
[System.Windows.Forms.SendKeys]::SendWait("$Password{Enter}")

#Start vpnui
start-Process -FilePath $vpnuiAbsolutePath
#Wait for keydown
#echo "Press any key to continue …"
#try{$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")}catch{}
#Exit

All you need to do now is to set your VPN and user in the script above.



Answer 2:

You need to specify what kind of token you use.

There are a number of choices here that I have heard of:

  • hardware token
  • software token application (Mac OS, Windows, iOS, Android, Windows Mobile, and a few others)
  • web browser token

Please check this link for more details: http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators.htm#!offerings_for_web_browsers

With a hardware token you will need to use some kind of camera and read the pixels of the image taken (I will not be able to help you there).

Software token is simpler.

I have recently created a small command-line tool that is able to execute, enter the PIN, and read the Passcode generated in the token application. I cannot send you the tool (property of my company), but I can give you some tips on what you need to do to create your own application that will do the same stuff.

But first you need to tell me whether you use software token or not.


OK. Since you have a software token I'll describe what my app does to automatically connect to the VPN.

1) You need to have your software token configured prior to doing this.
On top of that the VPN client will also need to be configured, and the connection must be listed in the available connection list.
When it is configured you can do your auto VPN connection.
We have a software token similar to this one:
https://ssl.seagate.com/ssl/docs/soft_token_install_instructions.html
Our VPN client looks something like this one:
http://wireless-setup.wsu.edu/msIPSEC.html

2) Once all tools are configured you can start your VPN connection.

You need to be prepared to do a deep investigation.
The guys from RSA worked really hard to make what we are doing here impossible.
They don't use ordinary controls. They have created their own controls that I do not have a spec for.

I have done it using C++ and WIN32 API functions. This is my recipe.

a) read parameters passed to the program

b) validate the parameters. I have a number of params like the PIN, the connection number to establish, the command to run when the connection is established, etc. They can be hardcoded of course, but to be flexible I pass them from the command line.

c) check for the token application [EnumWindows]
The token app can have 2 top-level windows [the one where you enter the PIN, and the one with the passcode].
If I detect both windows open I close the app and restart it.
You can try sending the message WM_CLOSE to close the app. I simulate the user's action of pressing the "X" close button:

//restore it <if minimized>
SendMessage(hwndTokenApplicationPinWindow, WM_SYSCOMMAND, SC_RESTORE, 0);
//close the app: (223,14) is the position of the "X" button inside this token app's PIN window
SendMessage(hwndTokenApplicationPinWindow, WM_LBUTTONDOWN, MK_LBUTTON, MAKELPARAM(223,14));
SendMessage(hwndTokenApplicationPinWindow, WM_LBUTTONUP, 0, MAKELPARAM(223,14));

To start it I use the CreateProcess function.
When you have restarted the app, or you had only one window open, you can now enter the PIN.

d) Enter PIN

I simulate the user's left click on the PIN window with WM_LBUTTONDOWN, WM_LBUTTONUP.
I enter the PIN using WM_CHAR.
Once entered, click the OK button using WM_LBUTTONDOWN, WM_LBUTTONUP.
Once completed you should have the Passcode window displayed.

e) Read passcode
To get the passcode I use the Copy button from the token. This button copies the data to the clipboard.
We simulate pressing this button: WM_LBUTTONDOWN, WM_LBUTTONUP
and read the data from the clipboard:

BOOL InvalidData = FALSE;
if (OpenClipboard(NULL))
{
    HANDLE clip0 = GetClipboardData(CF_UNICODETEXT);
    // clip0 is NULL when the clipboard holds no text; GlobalLock can fail too
    wchar_t* p = clip0 ? (wchar_t*)GlobalLock(clip0) : NULL;
    if (p)
    {
        size_t len = wcslen(p);
        if (len == MaxPasscodeSize - 1)
            wcscpy_s(currentPasscode, MaxPasscodeSize, p);
        else if (len != 0)
        {
            wprintf(L"Error: Passcode in clipboard is invalid\n");
            InvalidData = TRUE;
        }
        GlobalUnlock(clip0);
    }
    CloseClipboard();
}

Now you have the Passcode ready to be used in the Cisco VPN client.
Please let me know if it makes any sense to you.
If it does, and your app works up to this point, please let me know and I'll pass on instructions for dealing with the VPN client.

If you need more detailed instruction for the steps above please let me know.
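A hardened version of the "read the passcode from the clipboard" step that Answer 1's Get-ClipBoard and Answer 2's step e) both rely on, added here as an example and not part of either answer. It assumes the token app has already put the passcode on the clipboard and that passcodes are 8 digits (adjust ExpectedLength otherwise); Read-TokenPasscode is a name chosen for this example.

```powershell
# Added example: validate the one-time passcode before using it and clear the
# clipboard afterwards so the code does not linger for other processes to read.
Add-Type -AssemblyName System.Windows.Forms -ErrorAction Stop

function Read-TokenPasscode {
    param(
        [int]$ExpectedLength = 8,   # assumption: set to your token's passcode length
        [int]$TimeoutSeconds = 5
    )
    # Poll instead of a fixed Sleep: the token app may take a moment to fill the clipboard
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $text = ''
    do {
        $text = [System.Windows.Forms.Clipboard]::GetText()
        if ($text -match "^\d{$ExpectedLength}$") {
            # Wipe the clipboard immediately; the passcode is single-use and must
            # not survive in the clipboard history or a later accidental paste
            [System.Windows.Forms.Clipboard]::Clear()
            return $text
        }
        Start-Sleep -Milliseconds 200
    } while ((Get-Date) -lt $deadline)

    # Report only the length, never the clipboard contents, so logs stay clean
    throw "No valid $ExpectedLength-digit passcode on the clipboard (got $($text.Length) chars)"
}

# Usage: hand the code straight to the VPN client and drop it from the session
$passcode = Read-TokenPasscode -ExpectedLength 8
# [System.Windows.Forms.SendKeys]::SendWait("$passcode{Enter}")
Remove-Variable passcode
```

Because the passcode never goes to Write-Host or a transcript, a captured console log of the automation run does not expose it.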



Answer 3:

One idea is to record a bunch of clock/token pairs and run the clock back for your program and replay the recording. Actually, if you have the option of cooking the clock, you really only need one pair.

(I did not say it was a GOOD idea.)

Good luck, /Bob Bryan