Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Command-line implementation of Symantec's "VIP Access" token application on OSX. This will read from the same secret key and produce the same time-based one-time-passwords as the GUI application, but with output that can be captured and used in scripts. This can be useful for things like automating two-factor AnyConnect VPN logins through openco…
#!/usr/bin/expect -f
#
# VIPAccess.exp
#
# Command-line emulation of Symantec's VIP Access software token.
# Usage:
# ./VIPAccess.exp [v]
# If the "v" argument (or any argument) is specified, verbose output
# will be produced on stderr. The OTP value will be output on stdout.
#
set timeout 10
log_user 0
set aes_key D0D0D0E0D0D0DFDFDF2C34323937D7AE
set keychain /Users/$env(USER)/Library/Keychains/VIPAccess.keychain
proc vlog { s } { if $::argc { puts stderr $s } }
vlog "Finding machine serial number (used by VIPAccess to secure the keychain.):"
spawn /bin/sh -c "ioreg -rac IOPlatformExpertDevice | xpath 'plist/array/dict/key\[.=\"IOPlatformSerialNumber\"\]/following-sibling::*\[position()=1\]/text()' 2>/dev/null"
expect eof
set serial $expect_out(buffer)
vlog " $serial"
vlog "Reading encrypted Credential ID and OTP secret key from $keychain:"
spawn security unlock-keychain $keychain
expect "password to unlock $keychain: "
send "${serial}SymantecVIPAccess$env(USER)\n"
expect eof
spawn security find-generic-password -gl CredentialStore $keychain
expect -re \"acct\"<blob>=\"\(\[a-zA-Z0-9/+\]+=\)\"
set id_crypt $expect_out(1,string)
vlog " $id_crypt"
expect -re password:\ \"\(\[a-zA-Z0-9/+\]+=\)\"
set key_crypt $expect_out(1,string)
vlog " $key_crypt"
vlog "Decrypting Credential ID and OTP key:"
spawn /bin/sh -c "openssl enc -aes-128-cbc -d -K $aes_key -iv 0 -a <<< '$id_crypt'"
expect -re \(.*\)Symantec
set id_plain $expect_out(1,string)
vlog " $id_plain"
spawn /bin/sh -c "openssl enc -aes-128-cbc -d -K $aes_key -iv 0 -a <<< '$key_crypt' | xxd -p"
expect -re \[0-9a-f\]+
set key_plain $expect_out(0,string)
vlog " $key_plain"
vlog "Generating current OTP using secret key."
spawn oathtool --totp $key_plain
expect -re \\d+
set otp $expect_out(0,string)
puts $otp
@aselvan
Copy link

aselvan commented Mar 16, 2021

@p120ph37,
Update: Please ignore my response earlier on password not working. I missed reading your note about the second time prompt. I got past that step and retrieved the secret key which is really what I am after. I have written a script that I use which is a wrapper on top of oathtool for all my other 2F needs so all I needed was the SymantecVIP secret key to generate TOTP. I am good now, thanks again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment