Exploits a flaw in Remote Desktop Plus by monitoring and decrypting temporary .rdp files in %localappdata%/Temp, revealing credentials used in remote desktop sessions.

Yeeb1/SharpRDPlusSnatcher

SharpRDPlusSnatcher

This tool exploits a flaw in the Remote Desktop Plus application, which temporarily drops .rdp files in %localappdata%/Temp and fails to clean up these files efficiently. Because of this, credentials can be decrypted and extracted from the temporary files before they are passed to mstsc.exe (Microsoft Terminal Services Client). This program can only decrypt .rdp files belonging to the current user, because the files use the Data Protection API (DPAPI) for encryption, which is tied to the user's session.

Usage

Upon execution, this tool first searches for any .tmp files that might still exist as artifacts in the %localappdata%/Temp directory due to Remote Desktop Plus's failure to clean up. It attempts to decrypt and display any credentials found within these existing files. After processing the existing files, the tool then monitors the directory for any newly created .tmp files, decrypting and displaying credentials in real-time.

╔═╗┬ ┬┌─┐┬─┐┌─┐╦═╗╔╦╗╔═╗┬  ┬ ┬┌─┐╔═╗┌┐┌┌─┐┌┬┐┌─┐┬ ┬┌─┐┬─┐
╚═╗├─┤├─┤├┬┘├─┘╠╦╝ ║║╠═╝│  │ │└─┐╚═╗│││├─┤ │ │  ├─┤├┤ ├┬┘
╚═╝┴ ┴┴ ┴┴└─┴  ╩╚══╩╝╩  ┴─┘└─┘└─┘╚═╝┘└┘┴ ┴ ┴ └─┘┴ ┴└─┘┴└─

[+] Checking for artifact .tmp files in application data.
[Credentials Found]: C:\Users\yeeb\AppData\Local\Temp\Remote Desktop Plus.006F4.tmp
┌───────────────────────────────────────┐
│ Username: yeeb                        │
│ Password: JediMaster1234!             │
└───────────────────────────────────────┘
[Credentials Found]: C:\Users\yeeb\AppData\Local\Temp\Remote Desktop Plus.04BF4.tmp
┌───────────────────────────────────────┐
│ Username: admin                       │
│ Password: SithLordGalacticEmpire!     │
└───────────────────────────────────────┘
[+] Monitoring for new Remote Desktop Plus Connections. Press Enter to quit.
[File Copied for Processing]: C:\Users\yeeb\AppData\Local\Temp\e037061e-3fdc-47af-a5ef-4881d99774bd.tmp
[Credentials Found]: C:\Users\yeeb\AppData\Local\Temp\e037061e-3fdc-47af-a5ef-4881d99774bd.tmp
┌───────────────────────────────────────┐
│ Username: yeeb                        │
│ Password: RebelAlliance1977!          │
└───────────────────────────────────────┘
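The artifact search described above is also a useful triage step for a defender: after a suspected credential exposure, an analyst wants to know which leftover files in a user's Temp directory actually carry a stored password, without decrypting anything. The script below is an added example written for that purpose; it is not code from the SharpRDPlusSnatcher repository. It assumes the documented .rdp line format (`name:type:value`, with type `s`, `i` or `b`), the `password 51:b:<hex>` setting that holds the DPAPI-protected password, and the fixed version/provider-GUID prefix that every DPAPI blob starts with. The sample files it writes are constructed for the demonstration and contain no real secret.

```python
"""
Added example (not part of SharpRDPlusSnatcher): audit a directory for .rdp-style
files that embed a DPAPI-protected password, reporting but never decrypting them.
Assumptions: the public .rdp "name:type:value" line format, the "password 51:b:"
setting, and the public DPAPI blob prefix. All sample data below is constructed.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")
PASSWORD_KEY = "password 51"
# Version 1 followed by the provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}:
# the fixed 20-byte prefix of every DPAPI blob.
DPAPI_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


@dataclass(frozen=True)
class RdpSetting:
    name: str
    kind: str   # s = string, i = integer, b = binary (hex-encoded)
    value: str


def decode_rdp_bytes(data: bytes) -> str:
    """mstsc writes UTF-16LE with a BOM; other writers use ASCII/UTF-8. Handle both."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")          # the utf-16 codec consumes the BOM
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict[str, RdpSetting]:
    """Parse name:type:value lines. Values may contain ':' (e.g. host:port); junk lines are skipped."""
    settings: dict[str, RdpSetting] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RDP_LINE.match(line)
        if m is None:
            continue
        settings[m["name"].lower()] = RdpSetting(m["name"], m["type"], m["value"])
    return settings


def dpapi_blob_from(setting: RdpSetting | None) -> bytes | None:
    """Return the raw bytes of a 'b'-typed setting only if it carries the DPAPI blob prefix."""
    if setting is None or setting.kind != "b":
        return None
    try:
        blob = bytes.fromhex(setting.value)
    except ValueError:                        # odd length or non-hex characters
        return None
    return blob if blob.startswith(DPAPI_PREFIX) else None


def assess(settings: dict[str, RdpSetting]) -> dict:
    """Summarise one parsed file: where it connects, as whom, and whether a password is stored."""
    blob = dpapi_blob_from(settings.get(PASSWORD_KEY))
    return {
        "target": settings["full address"].value if "full address" in settings else None,
        "username": settings["username"].value if "username" in settings else None,
        "has_dpapi_password": blob is not None,
        "blob_bytes": len(blob) if blob else 0,
    }


def audit_directory(directory: Path, globs=("*.rdp", "*.tmp")) -> list[dict]:
    """Walk the given directory (e.g. a copy of %LOCALAPPDATA%\\Temp) and report .rdp-style files."""
    findings = []
    for pattern in globs:
        for path in sorted(directory.glob(pattern)):
            settings = parse_rdp(decode_rdp_bytes(path.read_bytes()))
            if not settings:
                continue                      # not an .rdp-style file at all
            report = assess(settings)
            report["path"] = str(path)
            findings.append(report)
    return findings


# Constructed samples: a leftover temp file with a fake blob (prefix + filler, not a real
# DPAPI ciphertext) written UTF-16LE like mstsc does, and an ASCII .rdp without a password.
FAKE_BLOB = DPAPI_PREFIX + bytes(range(32))
SAMPLE_WITH_PASSWORD = (
    "full address:s:rdp-host.example.internal:3389\r\n"
    "username:s:alice\r\n"
    f"password 51:b:{FAKE_BLOB.hex().upper()}\r\n"
    "prompt for credentials:i:0\r\n"
)
SAMPLE_WITHOUT_PASSWORD = (
    "full address:s:rdp-host.example.internal\r\n"
    "username:s:bob\r\n"
    "prompt for credentials:i:1\r\n"
)


def demo() -> list[dict]:
    """Write the constructed samples into a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "Remote Desktop Plus.ABCD1.tmp").write_bytes(
            b"\xff\xfe" + SAMPLE_WITH_PASSWORD.encode("utf-16-le"))
        (d / "saved.rdp").write_bytes(SAMPLE_WITHOUT_PASSWORD.encode("ascii"))
        (d / "unrelated.tmp").write_bytes(b"\x00\x01binary junk")
        return audit_directory(d)


if __name__ == "__main__":
    for f in demo():
        flag = "CREDENTIAL-BEARING" if f["has_dpapi_password"] else "no stored password"
        print(f"{flag:20} {f['path']}  target={f['target']} user={f['username']}")
```

Pointing `audit_directory` at a forensic copy of the user's Temp folder lists every leftover file that still holds a DPAPI-protected password, together with the host and account it was for, which is the scope an incident responder needs when deciding which credentials to rotate. The prefix check matters: a `b`-typed setting can hold other binary data, so only a value that starts with the DPAPI version and provider GUID is counted as a stored password.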

Compilation

Before compiling, add the System.Security.Cryptography.ProtectedData package to the solution. This package is necessary for interacting with the Data Protection API (DPAPI) to decrypt the credentials found within the .tmp files.

You can add this package via the .NET CLI with the following command:

dotnet add package System.Security.Cryptography.ProtectedData

Alternatively, if you're using Visual Studio, you can manage NuGet packages for your project and add System.Security.Cryptography.ProtectedData from there.

Acknowledgments

Special thanks to the rdp-file-password-encryptor repository for providing guidelines on how to decrypt the contents of .rdp files.


The script is for informational and educational purposes only. The author and contributors of this script are not responsible for any misuse or damage caused by this tool.
