Decrypt Remote Desktop Mobile password

Print This Post Print This Post

I found the article about decrypting saved RDP passwords at http://www.jaysonragasa.net/post/EncryptDecrypt-RDP-Password.aspx and http://www.remkoweijnen.nl/blog/2008/03/02/how-rdp-passwords-are-encrypted-2/.

Fortunately, decrypting a saved Windows Mobile password is not as complicated as on Desktop PCs. There is no entropy (???) etc.

As soon as you start RemoteDesktopMobile (RDM) and click connect and RDM gets a connection, it saves a \Windows\deafult.rdp file. If [] Save Password was checked, the RDP file will have the encrypted password inside:

SavePassword:i:1
UserName:s:rdesktop
ServerName:s:192.168.0.2
Password:b:0200000000000000000000000000000000000000000000000800000072006400700000000E66000010000000100000004CFEE422373E146637825EE7851B71FC00000000048000001000000010000000B2FA8F5915DFCAEB13259CE40170B7CB20000000586A82315B38AA75F0A05282F96C377EE2BBEA10303F444610DA12778ECEB5BD14000000D00E0D0662873F436D21EF7D1C50F2FADF0CB7C8

You will find also all other optional settings from the connect and options dialog in the file.

In contrast to DesktopPC the encryption always uses only the number of bytes need for the password and is NOT filled up to 512 bytes. Secondly, there is no real user management on Windows Mobile and so you only need one flag (CRYPTPROTECT_UI_FORBIDDEN) during encrypt and decrypt. The description string for CryptProtectData is always “rdp”.

DATA_BLOB blobIn, blobOut;
blobIn.cbData = pSizeIn;
blobIn.pbData = (PBYTE )pByteTemp;// szPass;
blobOut.cbData = 0;
blobOut.pbData = NULL;
if (!CryptProtectData(&blobIn, L"rdp", NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut))
{
...
   DATA_BLOB blobIn, blobOut;
   blobIn.cbData = nBytes;
   blobIn.pbData = pPassBytes;
   blobOut.cbData = 0;
   blobOut.pbData = NULL;
   if (!CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut))
   {
...

The only hard problem (for me) was the converting of hex strings back to byte array and reading the rdp file into a string.

The attached sample apps (MINOR ERROR CHECKING!) show how to decrypt and encrypt RDP passwords. When you click [Start], the sample app will open an existing default.rdp file and show you the unencrypted password.

For encrypt the unicode (!) string is used including the terminating \0! When you decrypt the byte array getting back from CryptUnprotectData(), the terminating \0 of the unicode string is included.

As with rdp files on desktop PC you cannot use the default.rdp created on one device on another device. The decryption will only work correctly on the same device!

BTW: if you try to port this to C#: CryptProtectData and CryptUnprotectData are available in CoreDll.DLL, there is no separate crypt32.dll on Windows Mobile 5/6.

[Download not found]

2 Comments

  1. KH says:

    Hi, i am looking for ways to save the RDP password but it is on Win CE 5 / 6. Anything you can help ?

  2. admin says:

    I assume you are asking because many OEMs do not set the flag to enable the SavePassword checkbox for the cetsc client app in Windows CE Platform builder before they build the firmware image for a device.

    You have to ask the OEM to get a cetsc with enabled checkbox.

Leave a Reply