Retrieving password from RDP file (or from Credential Manager) on Windows 10
Posted by Kamil_z_Kaszub@reddit | sysadmin | 25 comments
Hi everyone!
Does anybody know how, this year, to retrieve a password from an RDP file or from Credential Manager?
I saw an old 4-year-old post here about the same topic, but the proposed tools are outdated and don't work anymore :(
Nobody knows the password to an old PC running from 2019 (password on BIOS, BitLocker turned on, so with my knowledge I have no chance to change the password on the machine... or maybe one of you knows how to do this 😅)
joshghz@reddit
I guess the question is: why? What are you trying to do?
Is it a domain member? Any management (like Intune)? Any RMM?
Kamil_z_Kaszub@reddit (OP)
No, none of this. Local user with a database on it. Nothing else.
joshghz@reddit
I assume there's a zero chance of getting BitLocker password?
Kamil_z_Kaszub@reddit (OP)
Exactly
joshghz@reddit
So I assume the reason you're trying to do this is because you're trying to preserve the database before the computer dies?
Is the database actively running? Is there any chance of connecting to the database from another client?
ender-_@reddit
Can you log in to the machine with RDP?
Kamil_z_Kaszub@reddit (OP)
Unfortunately no, because someone switched off connecting via RDP...
vivkkrishnan2005@reddit
Check nirsoft
Kamil_z_Kaszub@reddit (OP)
Tools from NirSoft aren't working anymore :/
Training_Yak_4655@reddit
I once saw a departed colleague's tower PC being unlocked using a rainbow table decrypter running on a Linux USB stick. Ah, those were the good old days!
Anxious-Community-65@reddit
Saved RDP passwords are encrypted, tied to the user profile and DPAPI, so most of the old extraction tools stopped working by design. Legitimate path if it's your own machine then.. if you can still log into the Windows account that saved the credential, try
cmdkey /list to confirm it's stored, but actual plaintext retrieval is largely blocked now. If the bigger problem is getting into the machine itself.. BitLocker with a BIOS password is tricky, but if it was ever joined to a domain or Entra ID the recovery key may be stored there.. You could check once though!
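Added example, not from the commenter above: a read-only PowerShell inventory of where saved RDP credentials exist on a machine, which is the check a defender runs before deciding whether anything needs cleaning up. It parses the standard cmdkey /list output mentioned above for Terminal Server (TERMSRV/) entries and scans .rdp files for the "password 51:b:" line that marks an embedded DPAPI blob. Assumed here: the "Target:" / "User:" line format of cmdkey and the "password 51:b:" / "full address:s:" keys of the .rdp format; nothing is decrypted and the blob itself is never printed.

```powershell
# Added audit example (not from the thread): inventory saved RDP credentials
# on this machine without decrypting anything.
# Assumptions: cmdkey /list prints "Target:" and "User:" lines (standard
# Windows output), and .rdp files store the DPAPI blob as "password 51:b:".

function Get-StoredRdpCredentialTargets {
    # Parse cmdkey /list and keep only Terminal Server (TERMSRV/) entries
    $lines = cmdkey /list 2>$null
    $results = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); User = $null }
            if ($current.Target -like '*TERMSRV/*') { $results += $current } else { $current = $null }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    return $results
}

function Find-RdpFilesWithSavedPassword {
    param([string]$Root = [Environment]::GetFolderPath('MyDocuments'))
    # An .rdp file that embeds a saved password carries a "password 51:b:" line;
    # report only the file and the target host, never the blob itself.
    Get-ChildItem -Path $Root -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -ErrorAction SilentlyContinue
            if ($content -match '^password 51:b:') {
                $hostLine = $content | Where-Object { $_ -like 'full address:s:*' } | Select-Object -First 1
                [pscustomobject]@{
                    File = $_.FullName
                    Host = if ($hostLine) { $hostLine.Substring('full address:s:'.Length) } else { '(unknown)' }
                }
            }
        }
}

# Run under the Windows account whose profile you are auditing
Get-StoredRdpCredentialTargets | Format-Table -AutoSize
Find-RdpFilesWithSavedPassword | Format-Table -AutoSize
```

Because the DPAPI blob is bound to the user profile that created it, this inventory only tells you which accounts and hosts have saved credentials; the remediation is to remove stale entries (cmdkey /delete) or the .rdp file, not to recover the plaintext.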
disclosure5@reddit
https://github.com/GhostPack/SharpDPAPI will dump all encrypted DPAPI passwords, I've used it on many a pentest.
Kamil_z_Kaszub@reddit (OP)
Sorry for my curiosity, but why do you use this tool to pentest? In some environments is it prohibited for the system to store passwords in Credential Manager?
GarageIntelligent@reddit
yes
IsThatAll@reddit
Being prohibited and someone doing the prohibited thing are specifically the things you pentest for. The file might be old and created before it was prohibited, policies may not have applied correctly, disabling the feature, someone actively bypassed the policy.
Even if you pentest and don't find anything, that's still a finding in the pentest report, just a positive one.
disclosure5@reddit
Once you access a person's account, the credential manager is a great place to find more passwords.
I've never heard of its use being prohibited, it's generally considered the better option to text files of passwords.
NaturalIdiocy@reddit
The only real place I could see it being prohibited is companies with enforced PAM or password manager usage.
Megatwan@reddit
To pen
Vodor1@reddit
If it's based on mimikatz, surely any reputable security endpoint would outright block it?
R2-Scotia@reddit
If it's a desktop you might be able to reset the BIOS, but if the drive is encrypted with BitLocker you will need the passphrase or recovery key.
jcwrks@reddit
The "pc" is running Server 2019, or it has been powered on since 2019? If it's a domain joined pc you should have both local and domain users to log in with and not just a single account.
Physical-Mistake89@reddit
Check NirSoft password tools, they're free!
Academic-Proof3700@reddit
RDPView, PassView or something like that from NirSoft, I think?
Living-Method-294@reddit
If the BIOS is locked when booting then you may be SOL. Try Hiren's BootCD to get in and update the user account password.
Cormacolinde@reddit
Yes, you can use the following PowerShell module: https://www.powershellgallery.com/packages/TUN.CredentialManager/3.0.2