使用powershell找回丢失的RDCManager密码
内网的一台服务器上的装机默认用户密码忘记了,但是好在别的电脑上使用RDCMan(Remote Desktop Connection Manager)连接过这台服务器,并且保存了密码。于是经过一番折腾,最后把密码找回来了:
最后成功的powershell脚本来自于这个地址:
https://www.undocumented-features.com/2019/10/03/decrypting-credentials-stored-in-remote-desktop-manager-rdcman-rdg/
但是能找到这个地址是因为园子里这篇文章给出的三个方案,就有powershell,
https://www.cnblogs.com/Thorndike/p/15325079.html
因为不好使,就根据脚本里面的关键字去搜索,才找到的。(百度和bing都没有有效的结果,这次实际上发挥作用的是google)
最终有效的脚本是这个:
1 # Decrypt passwords in RDG files 2 param($RDGFile, 3 $PasswordString, 4 $RDCManSource 5 ) 6 If (!$RDCManSource) 7 { 8 $RDCManSource = (Get-ChildItem -Path @('C:\Program Files\Microsoft', 'C:\Program Files (x86)\Microsoft') -File "RDCMan.exe" -Recurse -ErrorAction SilentlyContinue)[0] 9 } 10 If (!$RDCManSource) 11 { 12 Write-Error "Remote Desktop Manager must be installed. If it is installed, use the -RDCManSource parameter to specify the executable's location." 13 Exit 14 } 15 else 16 { 17 Write-Host "goto RDCManSource." 18 19 Write-Host $RDCManSource.FullName 20 try 21 { 22 $Assembly = [Reflection.Assembly]::LoadFile($RDCManSource) 23 } 24 catch 25 { 26 $_.Exception.Message.ToString(); 27 Write-Host "Catch"; Exit 28 } 29 try { Import-Module $Assembly } 30 catch 31 { 32 $_.Exception.Message.ToString(); 33 Write-Host "Import Exception"; exit } 34 } 35 If ($RDGFile) 36 { 37 Write-Host "goto RDGFile." 38 Write-Host 39 [xml]$Data = Get-Content $RDGFile 40 $CredentialValues = $Data.SelectNodes("*//logonCredentials") 41 $global:Output = @() 42 foreach ($obj in $CredentialValues) 43 { 44 try 45 { 46 $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings 47 $Password = [RdcMan.Encryption]::DecryptString($obj.password, $EncryptionSettings) 48 } 49 catch 50 { 51 $_.Exception.Message.ToString(); continue 52 } 53 If ($Password -and ($Password -notcontains 'Failed to decrypt')) 54 { 55 $CredObject = New-Object PSObject 56 $CredObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $obj.ProfileName -ea SilentlyContinue -Force 57 $CredObject | Add-Member -Type NoteProperty -Name "UserName" -Value $obj.username -ea SilentlyContinue -Force 58 $CredObject | Add-Member -Type NoteProperty -Name "Password" -Value $Password 59 $CredObject | Add-Member -Type NoteProperty -Name "Domain" -Value $obj.domain 60 $global:Output += $CredObject 61 } 62 } 63 If ($Output) 64 { 65 $Output 66 } 67 Else 68 { 69 Write-Host "Nothing to show." 70 } 71 } 72 else 73 { 74 If ($PasswordString) 75 { 76 $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings 77 $Password = [RdcMan.Encryption]::DecryptString($PasswordString, $EncryptionSettings) 78 Write-Host "Cleartext password: $($Password)" 79 } 80 }
需要注意的是,我电脑上使用的是绿色版,所以是传参进来的
.\dops2 -RDGFile '.\本地电脑.rdg' -RDCManSource 'D:\Green\RDCMan\RDCMan.exe'
其它另外一个尝试过的脚本:
1 function Decrypt-RDCMan ($FilePath) { 2 <# 3 .SYNOPSIS 4 5 This script should be able to decrpt all passwords stored in the RDCMan config file 6 7 Function: Decrypt-RDCMan 8 Author:Ben Turner @benpturner, Rich Hicks @scriptmonkey_ 9 10 .EXAMPLE 11 12 Decrypt-RDCMan -FilePath 13 #> 14 if (!$FilePath) { 15 [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings" 16 $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*" 17 $Xml | select-object -ExpandProperty "Node"| % {Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText} 18 } else { 19 Write-Host "Get-Content FilePath" 20 $file = Get-Content $FilePath 21 Write-Host $file 22 [xml]$Types = Get-Content $FilePath 23 24 $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials" 25 26 # depending on the RDCMan version we may need to change the XML search 27 $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" } 28 29 # depending on the RDCMan version, we may have to use search through the #text field in the XML structure 30 $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n"} 31 } 32 } 33 34 function Decrypt-DPAPI ($EncryptedString) { 35 # load the Security Assembly into the PS runspace 36 Add-Type -assembly System.Security 37 $encoding= [System.Text.Encoding]::ASCII 38 $uencoding = [System.Text.Encoding]::UNICODE 39 40 # try and decrypt the password with the CurrentUser Scope 41 try { 42 $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring) 43 $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser) 44 [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_} 45 echo $myStr1 46 } 47 catch { 48 # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails 49 try { 50 $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring) 51 $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine) 52 [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_} 53 echo $myStr1 54 } 55 catch { 56 echo "Could not decrypt password" 57 } 58 } 59 }
园子里Thorndike提供的那个脚本,我文字识别再手工修正:
Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\windows\temp\RDCMan.dll' Import-Module 'C:\windows\temp\RDCMan.dll' $EncryptionSettings=New-Object-TypeName RdcMan.EncryptionSettings $lines=Get-Content RDCManpass.txt foreach ($line in $lines){ $PwdString= $line [RdcMan.Encryption]::DecryptString($PwdString,$EncryptionSettings) }
windows 10系统直接执行脚本会报错:
解决办法:
https://blog.csdn.net/qq_15585305/article/details/131436046
另外PowerShell脚本传参,参考了这篇:
https://blog.csdn.net/wan_ghuan/article/details/104346908
流浪是注定的宿命;
漂泊是无尽的轮回。
漂泊是无尽的轮回。