Decrypt RDP password stored in .rdg file
Here's a PowerShell script that will do the job...
Open the RDG file with Notepad to get the encrypted password. I found that the RDG file contained the 'profiles' I had saved, as well as the passwords saved per server.
Now use the same computer and Windows account that created the RDG file to run the following PowerShell commands to see the password. You have to use the same account to decrypt.
    $PwdString = 'EnCryptEdStringFRoMRDGfile=='
    Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\temp\RDCMan.dll'
    Import-Module 'C:\temp\RDCMan.dll'
    $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
    [RdcMan.Encryption]::DecryptString($PwdString, $EncryptionSettings)
Source: https://blog.prudhomme.wtf/use-powershell-to-decrypt-password-stored-in-a-rdg-file/ by THOMAS PRUD'HOMME
Use the following PowerShell script to decrypt all passwords in an RDG file in a single shot. https://github.com/nettitude/PoshC2/blob/master/resources/modules/Decrypt-RDCMan.ps1
In case the link fails here's the content for reference:
function Decrypt-RDCMan ($FilePath) {
<#
.SYNOPSIS
This script should be able to decrypt all passwords stored in the RDCMan config file
Function: Decrypt-RDCMan
Author: Ben Turner @benpturner, Rich Hicks @scriptmonkey_
.EXAMPLE
Decrypt-RDCMan -FilePath
#>
    if (!$FilePath) {
        # no file given: walk every .rdg listed in the user's RDCMan settings and decrypt each one
        [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings"
        $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*"
        $Xml | Select-Object -ExpandProperty "Node" | ForEach-Object {
            Write-Output "Decrypting file: $($_.InnerText)"
            Decrypt-RDCMan $_.InnerText
        }
    } else {
        [xml]$Types = Get-Content $FilePath
        # depending on the RDCMan version we may need to change the XML search
        $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials"
        # depending on the RDCMan version, <password> is either a plain string or an element
        # with attributes, which PowerShell's XML adapter exposes through its "#text" member
        $Xml | Select-Object -ExpandProperty "Node" | ForEach-Object {
            $encrypted = if ($_.Password -is [string]) { $_.Password } else { $_.Password."#text" }
            if ($encrypted) {
                $Pass = Decrypt-DPAPI $encrypted
                $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $encrypted + "`n"
            }
        }
    }
}
function Decrypt-DPAPI ($EncryptedString) {
    # load the Security Assembly into the PS runspace
    Add-Type -AssemblyName System.Security
    # try and decrypt the password with the CurrentUser Scope
    try {
        $encryptedBytes = [System.Convert]::FromBase64String($EncryptedString)
        $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        # RDCMan protects the UTF-16 (Unicode) bytes of the password, so decode them as such
        return [System.Text.Encoding]::Unicode.GetString($bytes1)
    }
    catch {
        # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails
        try {
            $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
            return [System.Text.Encoding]::Unicode.GetString($bytes1)
        }
        catch {
            Write-Output "Could not decrypt password"
        }
    }
}
Execute the script in PowerShell ISE; that should register the functions. Then simply run:
Decrypt-RDCMan -FilePath MyRDGfile.rdg
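As an added example (not part of either answer above, and not code from PoshC2), here is a small audit function that inventories every saved credential in an .rdg file without decrypting anything, so you can see which servers or groups still persist a password and clear them in RDCMan. It assumes the RDCMan 2.7 element names (logonCredentials, userName, domain, password, and properties/name or displayName under each group or server); the sample path and the DPAPI header sanity check are my assumptions, not something the answers state.

```powershell
# Added example: list stored credentials in an .rdg file WITHOUT decrypting them.
# Assumed layout (RDCMan 2.7): <group>/<server> elements carry <properties><name>
# (or <displayName>) and an optional <logonCredentials> child.
function Get-RdgStoredCredential {
    param([Parameter(Mandatory)][string]$FilePath)

    [xml]$rdg = Get-Content -LiteralPath $FilePath -Raw
    $nodes = Select-Xml -Xml $rdg -XPath '//logonCredentials' |
        Select-Object -ExpandProperty Node

    foreach ($cred in $nodes) {
        # The owning <server>, <group> or <file> element is the parent node
        $owner = $cred.ParentNode
        $props = $owner.properties
        $ownerName = if ($props.displayName) { $props.displayName } else { $props.name }

        # <password> is a plain string in newer files, or an element with attributes
        # (exposed by PowerShell's XML adapter through its '#text' member) in older ones
        $pw = $cred.password
        $blob = if ($pw -is [string]) { $pw } elseif ($pw) { $pw.'#text' } else { $null }

        # Sanity check only: a DPAPI blob begins with dwVersion = 1 (first byte 0x01)
        $looksLikeDpapi = $false
        if ($blob) {
            try {
                $bytes = [Convert]::FromBase64String($blob)
                $looksLikeDpapi = ($bytes.Length -gt 20 -and $bytes[0] -eq 1)
            } catch { }
        }

        [pscustomobject]@{
            Owner              = $ownerName
            OwnerType          = $owner.LocalName      # server, group or file
            Domain             = $cred.domain
            UserName           = $cred.userName
            Inherit            = $cred.inherit         # e.g. None vs FromParent
            PasswordSaved      = [bool]$blob
            Base64Length       = if ($blob) { $blob.Length } else { 0 }
            LooksLikeDpapiBlob = $looksLikeDpapi
        }
    }
}

# Assumed sample path; run this against your own .rdg file
Get-RdgStoredCredential -FilePath 'C:\temp\MyRDGfile.rdg' | Format-Table -AutoSize
```

Entries with PasswordSaved set to True are the ones worth removing from the profile or moving to a credential store you actually control; nothing here requires the DPAPI key of the account that created the file.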