使用powershell找回丢失的RDCManager密码

内网的一台服务器上的装机默认用户密码忘记了,但是好在别的电脑上使用RDCMan(Remote Desktop Connection Manager)连接过这台服务器,并且保存了密码。于是经过一番折腾,最后把密码找回来了:

 

 

最后成功的powershell脚本来自于这个地址:

https://www.undocumented-features.com/2019/10/03/decrypting-credentials-stored-in-remote-desktop-manager-rdcman-rdg/

但是能找到这个地址是因为园子里这篇文章给出的三个方案,就有powershell,

https://www.cnblogs.com/Thorndike/p/15325079.html

因为不好使,就根据脚本里面的关键字去搜索,才找到的。(百度和bing都没有有效的结果,这次实际上发挥作用的是google)

 

最终有效的脚本是这个:

 1 # Decrypt passwords in RDG files
 2 param($RDGFile,
 3     $PasswordString,
 4     $RDCManSource
 5     )
 6 If (!$RDCManSource)
 7 {
 8     $RDCManSource = (Get-ChildItem -Path @('C:\Program Files\Microsoft', 'C:\Program Files (x86)\Microsoft') -File "RDCMan.exe" -Recurse -ErrorAction SilentlyContinue)[0]
 9 }
10 If (!$RDCManSource)
11 {
12     Write-Error "Remote Desktop Manager must be installed.  If it is installed, use the -RDCManSource parameter to specify the executable's location."
13     Exit
14 }
15 else
16 {
17     Write-Host "goto RDCManSource."
18 
19     Write-Host $RDCManSource.FullName
20     try
21     {
22         $Assembly = [Reflection.Assembly]::LoadFile($RDCManSource)
23     }
24     catch
25     {
26         $_.Exception.Message.ToString();
27         Write-Host "Catch"; Exit
28     }
29     try { Import-Module $Assembly }
30     catch
31     {
32         $_.Exception.Message.ToString();
33         Write-Host "Import Exception"; exit }
34 }
35 If ($RDGFile)
36 {
37     Write-Host "goto RDGFile."
38     Write-Host
39     [xml]$Data = Get-Content $RDGFile
40     $CredentialValues = $Data.SelectNodes("*//logonCredentials")
41     $global:Output = @()
42     foreach ($obj in $CredentialValues)
43     {
44         try
45         {
46             $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
47             $Password = [RdcMan.Encryption]::DecryptString($obj.password, $EncryptionSettings)
48         }
49         catch
50         {
51             $_.Exception.Message.ToString(); continue
52         }
53         If ($Password -and ($Password -notcontains 'Failed to decrypt'))
54         {
55             $CredObject = New-Object PSObject
56             $CredObject | Add-Member -Type NoteProperty -Name "ProfileName" -Value $obj.ProfileName -ea SilentlyContinue -Force
57             $CredObject | Add-Member -Type NoteProperty -Name "UserName" -Value $obj.username -ea SilentlyContinue -Force
58             $CredObject | Add-Member -Type NoteProperty -Name "Password" -Value $Password
59             $CredObject | Add-Member -Type NoteProperty -Name "Domain" -Value $obj.domain
60             $global:Output += $CredObject
61         }
62     }
63     If ($Output)
64     {
65         $Output
66     }
67     Else
68     {
69         Write-Host "Nothing to show."
70     }
71 }
72 else
73 {
74     If ($PasswordString)
75     {
76         $EncryptionSettings = New-Object -TypeName RdcMan.EncryptionSettings
77         $Password = [RdcMan.Encryption]::DecryptString($PasswordString, $EncryptionSettings)
78         Write-Host "Cleartext password: $($Password)"
79     }
80 }

需要注意的是,我电脑上使用的是绿色版,所以是传参进来的

 .\dops2 -RDGFile '.\本地电脑.rdg'  -RDCManSource 'D:\Green\RDCMan\RDCMan.exe'

 

其它另外一个尝试过的脚本:

 1 function Decrypt-RDCMan ($FilePath) {
 2 <#
 3 .SYNOPSIS
 4 
 5 This script should be able to decrpt all passwords stored in the RDCMan config file
 6 
 7 Function: Decrypt-RDCMan
 8 Author:Ben Turner @benpturner, Rich Hicks @scriptmonkey_
 9     
10 .EXAMPLE
11 
12 Decrypt-RDCMan -FilePath
13 #>
14     if (!$FilePath) {
15         [xml]$config = Get-Content "$env:LOCALAPPDATA\microsoft\remote desktop connection manager\rdcman.settings"
16         $Xml = Select-Xml -Xml $config -XPath "//FilesToOpen/*"
17         $Xml | select-object -ExpandProperty "Node"| % {Write-Output "Decrypting file: " $_.InnerText; Decrypt-RDCMan $_.InnerText}
18     } else {
19     Write-Host "Get-Content FilePath"
20     $file = Get-Content $FilePath
21     Write-Host $file
22     [xml]$Types = Get-Content $FilePath
23 
24     $Xml = Select-Xml -Xml $Types -XPath "//logonCredentials"
25 
26     # depending on the RDCMan version we may need to change the XML search 
27     $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password; $_.Domain + "\" + $_.Username + " - " + $Pass + " - " + "Hash:" + $_.Password + "`n" } 
28 
29     # depending on the RDCMan version, we may have to use search through the #text field in the XML structure 
30     $Xml | select-object -ExpandProperty "Node" | % { $pass = Decrypt-DPAPI $_.Password."#text"; $_.Domain + "\" + $_.Username + "`n" + $Pass + " - Hash: " + $_.Password."#text" + "`n"}
31     }
32 }
33 
34 function Decrypt-DPAPI ($EncryptedString) {
35     # load the Security Assembly into the PS runspace
36     Add-Type -assembly System.Security
37     $encoding= [System.Text.Encoding]::ASCII
38     $uencoding = [System.Text.Encoding]::UNICODE
39 
40     # try and decrypt the password with the CurrentUser Scope
41     try {
42         $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
43         $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
44         [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
45         echo $myStr1
46     } 
47     catch {
48         # try and decrypt the password with the LocalMachine Scope only if the CurrentUser fails
49         try {
50             $encryptedBytes = [System.Convert]::FromBase64String($encryptedstring)
51             $bytes1 = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
52             [System.Text.Encoding]::Convert([System.Text.Encoding]::UNICODE, $encoding, $bytes1) | % { $myStr1 += [char]$_}
53             echo $myStr1
54         }
55         catch {
56             echo "Could not decrypt password"
57         }
58     }
59 }
View Code

 

园子里Thorndike提供的那个脚本,我文字识别再手工修正:

Copy-Item 'C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe' 'C:\windows\temp\RDCMan.dll'
Import-Module 'C:\windows\temp\RDCMan.dll'
$EncryptionSettings=New-Object-TypeName RdcMan.EncryptionSettings 
$lines=Get-Content RDCManpass.txt
foreach ($line in $lines){
    $PwdString= $line
    [RdcMan.Encryption]::DecryptString($PwdString,$EncryptionSettings)
}

 

windows 10系统直接执行脚本会报错:

 

 

解决办法:

https://blog.csdn.net/qq_15585305/article/details/131436046

 

另外PowerShell脚本传参,参考了这篇:

https://blog.csdn.net/wan_ghuan/article/details/104346908

 

posted @ 2023-07-31 17:31  柳城之城  阅读(150)  评论(0编辑  收藏  举报