Retrieve password from .RDP file

I notice that a Remote Desktop Session file (e.g. server.rdp) with password saved doesn't work on another computer, this happens because password is encrypted using the CryptProtectData() standard API and it use logged user credentials for encryption.
This feature prevents someone from stealing a saved RDP file from your machine and gaining accessto terminal servers with your account.

Following there's the source code for decryption:
//
// This code is based on a sample from MSDN
//

#include
#include
#include
#pragma comment(lib, "CRYPT32.LIB")

void HandleError(char *s);

void main()
{
DATA_BLOB DataOut;
DATA_BLOB DataVerify;
LPWSTR pDescrOut = NULL;
BYTE *pbDataOutput;
DWORD cbDataOutput;
int data;
unsigned int i;

// Put encrypted password string here
char szEncodedPwd[] = "01000000D08C9DDF0115D1118C7A00C04FC29

7EB010000009CBEC1A082D49644803822A2CB454DD700000000080000007
00073007700000003660000A80000001000000024FE7A9AAB77A1AC303A8
1F78DBE6C9F0000000004800000A000000010000000DE2B78F2C04DDCDAC
B675C446870D1F408020000CCE68B2DC5120BEEFB638D26CFCD0C65D3481
CE35BD5E0AED771219AAAFD9F86169807B397B410DE431B6D01478DB0740
BC191DD76BC278BADDEBB06674A714E4F50262F90F7EB93720104F46A298
7C3E1067DA904CC4E5C65D78CD4749E1C17639C02A25217A93A2EBA6FE5D
8FB7E32DC9E5C3F3BFE80006DDECC9A3C6538B1DE0377DB56CC46BA6F2CD
1DC17D99DAB57CF26F414300FCCB2D4098CA56C459342A91DA2A7F9A5A15
6461A628100118DC34FA605FD0CCE5DBF91C7E67CFED78B62A1D3A9F015D
EC569F4DE1806A73E9F79DCA1EE0FFF9DD4ED22774287E7C99FB3F82C062
620D0CF95A203A0D2FEF13745C4AA48F3EB5D5DE3D2020AACA584FBAA10D
7DF54D79A8AE4BD2C52BAAEDAB47B26B87AA5D1FB8BEC213249C68098F18
8347EAC0405E96344E0E6EC7FECB29DAFDD3B630A5BCEBE036D38B4794B0
7253F012AF56FE1EE024AA744AFC59E8FBF3B2E5E23A0CB4AEA657A79D44
232E7CB47D67BB6F60D9E7DFAA17CEEA4ABFD1C031B6BD2057E437120842
2F42F4DE8B7B24FE6FE7457B670CCF17C3CEB78B4C27A79AA717F24E599B
81C80275138245FE629248D558BA7C0B7E3AE0B19EC2653ADC38FC1701B8
1AF2B0D7B282EBFCA5789FD3B4CD907907827B4E2E95F38EE0950A8A491C
D907A12E07C55A1ACFCC0DF711C71714E06A6DF050F8BD39A2EEA76E269D
DCDFF809280CB2BDD1E0D2EA65687A05F491A30169814000000A665D5D1D
115F48CA6B9F90747119830064E9A630";

// String conversion
cbDataOutput = ( (strlen(szEncodedPwd)) / 2 );
pbDataOutput = (BYTE *)malloc( cbDataOutput + 1 );
if (pbDataOutput == NULL) HandleError("Not enough memory.");

for (i=0; i<(cbDataOutput); i++) {

sscanf(&(szEncodedPwd[i+i]), "%02x", &amp;amp;amp;data);
pbDataOutput[i] = data;
}
DataOut.pbData = pbDataOutput;
DataOut.cbData = cbDataOutput;
// Decryption
if (CryptUnprotectData(
&DataOut, // [in] Input data
&pDescrOut, // (Optional) [out] Description string
NULL, // (Optional) [in] Entropy (not used by MS)
NULL, // Reserved
NULL, // (Optional) PromptStruct
0, // Flags
&DataVerify)) // [out] Output data
{
wprintf(L"The decrypted data is: %s\n", (WCHAR *)DataVerify.pbData);
printf("The description of the data was: %S\n", pDescrOut);
}
else
{
HandleError("Decryption error!");
}

LocalFree(pDescrOut);
free(DataOut.pbData);
LocalFree(DataVerify.pbData);
}

void HandleError(char *s)
{
fprintf(stderr, "An error occurred in running the program. \n");
fprintf(stderr, "%s\n",s);
fprintf(stderr, "Error number %x.\n", GetLastError());
fprintf(stderr, "Program terminating. \n");
exit(1);
}

Tags:

About author

Vittorio Pavesi