答案1
这是一个可以完成这项工作的 Powershell 脚本...
用记事本打开RDG文件,得到加密的密码,发现RDG里面有我保存的‘profiles’,还有每个服务器保存的密码。
现在使用创建 RDG 文件的同一台计算机和 Windows 帐户运行以下 powershell 命令来查看密码。您必须使用相同的帐户才能解密。
> $PwdString = 'EnCryptEdStringFRoMRDGfile==' > Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\temp\RDCMan.dll' > Import-Module 'C:\temp\RDCMan.dll' > $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings > [RdcMan.Encryption]::DecryptString($PwdString, $EncryptionSettings)
来源: https://blog.prudhomme.wtf/use-powershell-to-decrypt-password-stored-in-a-rdg-file/作者:THOMAS PRUD'HOMME
答案2
使用以下 Powershell 脚本一次性解密 RDG 文件中的所有密码。 https://github.com/nettitude/PoshC2/blob/master/resources/modules/Decrypt-RDCMan.ps1
如果链接失效,可以参考以下内容:
function Decrypt-RDCMan ($FilePath) {
<#
.SYNOPSIS
This script should be able to decrpt all passwords stored in the RDCMan config file
Function: Decrypt-RDCMan
Author:Ben Turner @benpturner, Rich Hicks @scriptmonkey_
.EXAMPLE
Decrypt-RDCMan -FilePath
#>
if (!$FilePath) {
[xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings"
$Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*"
$Xml | select-object -ExpandProperty "Node"| % {Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText}
} else {
[xml]$Types = Get-Content $FilePath
$Xml = Select-Xml -Xml $Types -XPath "//logonCredentials"
# depending on the RDCMan version we may need to change the XML search
$Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" }
# depending on the RDCMan version, we may have to use search through the #text field in the XML structure
$Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n"}
}
}
function Decrypt-DPAPI ($EncryptedString) {
# load the Security Assembly into the PS runspace
Add-Type -assembly System.Security
$encoding= [System.Text.Encoding]::ASCII
$uencoding = [System.Text.Encoding]::UNICODE
# try and decrypt the password with the CurrentUser Scope
try {
$encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
$bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
[System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
echo $myStr1
}
catch {
# try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails
try {
$encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
$bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
echo $myStr1
}
catch {
echo "Could not decrypt password"
}
}
}
在 Powershell ISE 中执行脚本,该脚本应该注册这些函数。然后简单运行:
解密-RDCMan -FilePath MyRDGfile.rdg
答案3
Nirsoft 远程桌面 PassView对于旧版本或Nirsoft 网络密码恢复对于较新版本的 RDG 文件应该有帮助。
在 64 位版本的 Windows 上使用 x64 版本。