Decrypt RDP passwords stored in a .rdg file


12

If you know the username and password of the user who created it, can you decrypt the password stored in an .rdg (Remote Desktop Connection Manager) file?

I understand that the password is encrypted based on the user who created it. That user is a domain user, and I am trying to use the .rdg file at home (the domain is not available). Since I know the username and password, can I "impersonate" the domain user? Keep in mind that network access to the domain is not available. Physical access to the original computer is not possible either.

I have already tried this method, but (unsurprisingly) I got

Exception calling "DecryptString" with "2" argument(s): "Decryption failed using XXXX credentials"

(XXXX is my current home login.)

Answers:


15

Here is a PowerShell script that does the job...

Open the RDG file with Notepad to get the encrypted password. I found that the RDG contains my saved "profiles" as well as the password saved for each server.

Now run the following PowerShell commands on the same computer, and with the same Windows account, that created the RDG file to view the password. You must use the same account to decrypt.

> $PwdString = 'EnCryptEdStringFRoMRDGfile=='
> Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\temp\RDCMan.dll'
> Import-Module 'C:\temp\RDCMan.dll'
> $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
> [RdcMan.Encryption]::DecryptString($PwdString, $EncryptionSettings)

Source: https://blog.prudhomme.wtf/use-powershell-to-decrypt-password-stored-in-a-rdg-file/ by THOMAS PRUD'HOMME


3
External links can break or become unavailable, in which case your answer would be useless. Please include the essential information in your answer, and use the link for attribution and further reading. Thanks.
fixer1234

1
I love that you posted the same link I posted in my original question and said it doesn't work (because there is no network access to the domain)
pkExec

@pkExec This method worked for me. I guess there is another way around the domain problem. (You may need access to the domain user account that encrypted the password, which may mean you need to reconnect to the domain.)
jpaugh

2

Use the following PowerShell script to decrypt all passwords in an RDG file at once. https://github.com/nettitude/PoshC2/blob/master/resources/modules/Decrypt-RDCMan.ps1

If the link fails, refer to the following:

function Decrypt-RDCMan ($FilePath) {
<#
.SYNOPSIS

This script should be able to decrypt all passwords stored in the RDCMan config file

Function: Decrypt-RDCMan
Author:Ben Turner @benpturner, Rich Hicks @scriptmonkey_

.EXAMPLE

Decrypt-RDCMan -FilePath
#>
    if (!$FilePath) {
        # no file given: read every .rdg file that RDCMan opens on startup from its settings file
        [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings"
        $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*"
        $Xml | select-object -ExpandProperty "Node" | % { Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText }
    } else {
        [xml]$Types = Get-Content $FilePath

        $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials"

        # depending on the RDCMan version we may need to change the XML search
        $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" }

        # depending on the RDCMan version, we may have to search through the #text field in the XML structure
        $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n" }
    }
}

function Decrypt-DPAPI ($EncryptedString) {
    # load the Security Assembly into the PS runspace
    Add-Type -assembly System.Security
    $encoding = [System.Text.Encoding]::ASCII
    $uencoding = [System.Text.Encoding]::UNICODE
    # start from an empty string so a previous call's result is never appended to
    $myStr1 = ''

    # try and decrypt the password with the CurrentUser Scope
    try {
        $encryptedBytes = [System.Convert]::FromBase64String($EncryptedString)
        $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_ }
        echo $myStr1
    }
    catch {
        # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails
        try {
            $encryptedBytes = [System.Convert]::FromBase64String($EncryptedString)
            $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
            [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_ }
            echo $myStr1
        }
        catch {
            echo "Could not decrypt password"
        }
    }
}

Run the script in PowerShell ISE, which should register the functions. Then simply run:

Decrypt-RDCMan -FilePath MyRDGfile.rdg


The link above is broken. What seems to be a similar script is here
G-Man Says 'Reinstate Monica'
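An added example, not from any of the answers above, showing the DPAPI behaviour that both scripts rely on: a constructed sample secret is protected with the CurrentUser scope, then unprotected again with each scope in turn, and the scope that succeeded is reported. The function names Protect-WithDpapi and Test-DpapiBlob are my own, and it assumes Windows PowerShell 5.1 with the System.Security assembly available.

```powershell
# Added example (not from the original answers): round-trip a constructed secret
# through DPAPI to show why a .rdg password only decrypts for the protecting user.
Add-Type -AssemblyName System.Security

function Protect-WithDpapi {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    # RDCMan stores the password as UTF-16, so the sample uses the same encoding
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    [Convert]::ToBase64String($blob)
}

function Test-DpapiBlob {
    param([Parameter(Mandatory)][string]$Base64Blob)
    $blob = [Convert]::FromBase64String($Base64Blob)
    foreach ($name in 'CurrentUser', 'LocalMachine') {
        $scope = [System.Security.Cryptography.DataProtectionScope]$name
        try {
            $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
            # first scope that works is the one the blob was protected with
            return [pscustomobject]@{
                Scope     = $name
                PlainText = [System.Text.Encoding]::Unicode.GetString($plain)
            }
        } catch [System.Security.Cryptography.CryptographicException] {
            # this is the same failure the question reports when another account tries
            Write-Verbose "Unprotect with scope $name failed: $($_.Exception.Message)"
        }
    }
    return $null   # neither scope could unprotect the blob under this account/machine
}

# constructed sample value - not a real credential
$sample = Protect-WithDpapi -PlainText 'constructed-sample-password'
Test-DpapiBlob -Base64Blob $sample -Verbose
```

Run it once and the result shows Scope = CurrentUser with the sample text recovered. Paste the Base64 string into a session of a different account, or onto another machine, and Test-DpapiBlob returns nothing, because a CurrentUser blob is tied to that user's DPAPI master key on that profile; knowing the username and password alone does not reproduce it offline, which is the situation the question describes.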

Licensed under cc by-sa 3.0 with attribution required.