{"id":9151,"date":"2022-12-18T22:16:38","date_gmt":"2022-12-18T21:16:38","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=9151"},"modified":"2024-07-23T23:03:35","modified_gmt":"2024-07-23T21:03:35","slug":"windows-decrypt-password-from-rdp-files","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-decrypt-password-from-rdp-files\/","title":{"rendered":"Windows: Get and decrypt password from rdp files"},"content":{"rendered":"<p>Hi,<\/p>\n<p>RDP files can store the password for a connection. The password is protected with the key of the user who saved the file.<br \/>\n<!--more--><\/p>\n<p>The password can be decrypted with the .NET System.Security.Cryptography.ProtectedData class.<\/p>\n<p>This script opens an RDP file and retrieves the user and the password.<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\n&lt;#\r\n\t.SYNOPSIS\r\n\t\tA PowerShell script to decrypt passwords from rdp files\r\n\t.DESCRIPTION\r\n\t\tA PowerShell script to decrypt passwords from rdp files\r\n\t.PARAMETER rdpfile\r\n\t\trdp file\r\n#&gt;\r\n&#x5B;CmdletBinding()]\r\nParam(\r\n  &#x5B;Parameter(Mandatory=$true,Position=1)]&#x5B;alias(&quot;f&quot;)]&#x5B;string]$rdpfile=&quot;&quot;\r\n)  \r\n\r\nif(-not (Test-Path $rdpfile))\r\n{\r\n\twrite-warning (&quot;File {0} not found!&quot; -f $rdpfile)\r\n\texit 2\r\n}\r\n\r\n&#x5B;string]$sUserName=$null\r\n&#x5B;string]$sDomain=$null\r\n&#x5B;string]$sEncryptedPass=$null\r\n&#x5B;string]$sPass=$null\r\n\r\n# Read RDP File\r\n$sFileContent=Get-Content $rdpfile\r\nforeach($sLine in $sFileContent)\r\n{\r\n\tif($sLine.StartsWith(&quot;username:s:&quot;))\r\n\t{\r\n\t\t$sUserName=$sLine.Replace(&quot;username:s:&quot;,&quot;&quot;)\r\n\t}\r\n\telseif($sLine.StartsWith(&quot;domain:s:&quot;))\r\n\t{\r\n\t\t$sDomain=$sLine.Replace(&quot;domain:s:&quot;,&quot;&quot;)\r\n\t}\r\n\telseif($sLine.StartsWith(&quot;password 51:b:&quot;))\r\n\t{\r\n\t\t# Trim trailing whitespace so the hex string converts cleanly\r\n\t\t$sEncryptedPass=$sLine.Replace(&quot;password 51:b:&quot;,&quot;&quot;).Trim()\r\n\t}\r\n}\r\n# Check 
Input\r\nif(!$sUserName)\r\n{\r\n\twrite-warning &quot;No username found!&quot;\r\n\texit 2\r\n}\r\nif(!$sEncryptedPass)\r\n{\r\n\twrite-warning &quot;No encrypted password found!&quot;\r\n\texit 2\r\n}\r\nif($sUserName.IndexOf(&quot;\\&quot;) -lt 0 -and  $sDomain)\r\n{\r\n\t$sUserName=&quot;{0}\\{1}&quot; -f $sDomain,$sUserName\r\n}\r\n\r\n\r\n# Load the assembly that provides the ProtectedData (DPAPI) class\r\nAdd-Type -AssemblyName System.Security\r\n\r\n# Convert the hex string into a byte array\r\n$iBytes=$sEncryptedPass.Length\/2\r\n&#x5B;byte&#x5B;]]$aEncryptedPasswordBytes = New-Object -TypeName byte&#x5B;] $iBytes\r\nfor ($i = 0; $i -lt $iBytes; $i++) {\r\n    $aEncryptedPasswordBytes&#x5B;$i] = &#x5B;System.Convert]::ToByte($sEncryptedPass.Substring($i*2,2), 16)\r\n}\r\n# Decrypt the DPAPI blob with the key of the current user\r\n&#x5B;byte&#x5B;]]$passwordAsBytes = &#x5B;System.Security.Cryptography.ProtectedData]::Unprotect($aEncryptedPasswordBytes, $null, &#x5B;System.Security.Cryptography.DataProtectionScope]::CurrentUser)\r\n$sPass=&#x5B;System.Text.Encoding]::Unicode.GetString($passwordAsBytes)\r\n\r\nwrite-host (&quot;{0,-16} : {1}&quot; -f &quot;UserName&quot;,$sUserName)\r\nwrite-host (&quot;{0,-16} : {1}&quot; -f &quot;Password&quot;,$sPass)\r\n<\/pre>\n<p>The Convert[To|From]-SecureString cmdlets use the same methods. 
So you can encrypt and decrypt the password with these cmdlets:<\/p>\n<p>Encrypt<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; $PasswordEncrypted=(&quot;MySecretPassword!&quot; | ConvertTo-SecureString -Force -AsPlainText ) | ConvertFrom-SecureString\r\n<\/pre>\n<p>Decrypt<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS D:\\&gt; $ssecPasswordEncrypted = ConvertTo-SecureString $PasswordEncrypted\r\nPS D:\\&gt; $pSecString = &#x5B;Runtime.InteropServices.Marshal]::SecureStringToBSTR($ssecPasswordEncrypted)\r\nPS D:\\&gt; $MyPlainPassword = &#x5B;Runtime.InteropServices.Marshal]::PtrToStringBSTR($pSecString)\r\nPS D:\\&gt; &#x5B;Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pSecString)\r\nPS D:\\&gt; write-host $MyPlainPassword\r\n<\/pre>\n<p>To add a password to the RDP file, add the following line:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\npassword 51:b:01000000d08c9d....\r\n<\/pre>\n<p>Everything after &#8220;b:&#8221; must be replaced with the content of $PasswordEncrypted.<\/p>\n<p>Note: Such a file only works on the PC where the encrypted password was generated, because DPAPI binds it to the user's key on that machine.<\/p>\n<p>Michael<\/p>\n<p>Further links<\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/windows-hardening\/windows-local-privilege-escalation\/dpapi-extracting-passwords\" rel=\"noopener\" target=\"_blank\">Extracting DPAPI Passwords<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, RDP files can store the password for a connection. 
The password is protected with the key of the user who saved the file.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[344,2,4],"tags":[1947,249,92,432,20],"class_list":["post-9151","post","type-post","status-publish","format-standard","hentry","category-powershell-scripting","category-windows","category-windowsscripts","tag-decrpyt","tag-file","tag-password","tag-rdp","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=9151"}],"version-history":[{"count":12,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9151\/revisions"}],"predecessor-version":[{"id":9413,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/9151\/revisions\/9413"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=9151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=9151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=9151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}