Decrypt RDP password stored in .rdg file

Here's a Powershell script that will do the job...

Open the RDG file with notepad to get the encrypted password. I found that RDG contained the 'profiles' I had saved, as well as the passwords saved per server.

Now use the same computer and windows account that created the RDG file to run the following powershell commands to see the password. You have to use the same account to decrypt.

> $PwdString = 'EnCryptEdStringFRoMRDGfile=='
> Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\temp\RDCMan.dll'
> Import-Module 'C:\temp\RDCMan.dll'
> $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
> [RdcMan.Encryption]::DecryptString($PwdString, $EncryptionSettings)

Source: https://blog.prudhomme.wtf/use-powershell-to-decrypt-password-stored-in-a-rdg-file/ by THOMAS PRUD'HOMME


Use the following Powershell script to decrypt all passwords in an RDG file in a single shot. https://github.com/nettitude/PoshC2/blob/master/resources/modules/Decrypt-RDCMan.ps1

In case the link fails here's the content for reference:

function Decrypt-RDCMan ($FilePath) {
<#
.SYNOPSIS

This script should be able to decrpt all passwords stored in the RDCMan config file

Function: Decrypt-RDCMan
Author:Ben Turner @benpturner, Rich Hicks @scriptmonkey_

.EXAMPLE

Decrypt-RDCMan -FilePath
#>
    if (!$FilePath) {
        [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings"
        $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*"
        $Xml | select-object -ExpandProperty "Node"| % {Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText}
    } else {
    [xml]$Types = Get-Content $FilePath

    $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials"

    # depending on the RDCMan version we may need to change the XML search 
    $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" } 

    # depending on the RDCMan version, we may have to use search through the #text field in the XML structure 
    $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n"}
    }
}

function Decrypt-DPAPI ($EncryptedString) {
    # load the Security Assembly into the PS runspace
    Add-Type -assembly System.Security
    $encoding= [System.Text.Encoding]::ASCII
    $uencoding = [System.Text.Encoding]::UNICODE

    # try and decrypt the password with the CurrentUser Scope
    try {
        $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
        $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
        echo $myStr1
    } 
    catch {
        # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails
        try {
            $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
            $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
            [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
            echo $myStr1
        }
        catch {
            echo "Could not decrypt password"
        }
    }
}

Execute the script in Powershell ISE, that should register the functions. Then simple run:

Decrypt-RDCMan -FilePath MyRDGfile.rdg