SharpRDPlusSnatcher
Exploits a flaw in Remote Desktop Plus by monitoring and decrypting temporary .rdp files in %localappdata%/Temp, revealing credentials used in remote desktop sessions.
Install / Use
/learn @Yeeb1/SharpRDPlusSnatcherREADME
SharpRDPlusSnatcher
<p align="center"> <img src="https://github.com/user-attachments/assets/19f02fc9-dbe4-42e6-a87c-9f2ea1401909" width="400"> </p>This tool exploits a flaw in the Remote Desktop Plus application, which temporarily drops .rdp files in %localappdata%/Temp and fails to clean up these files efficiently. This allows to decrypt and extract credentials from these temporary files before they are passed to mstsc.exe (Microsoft Terminal Services Client). This program can only decrypt .rdp files of the current user, as the files utilize the Data Protection API (DPAPI) for encryption, which is tied to the user's session.
Usage
Upon execution, this tool first searches for any .tmp files that might still exist as artifacts in the %localappdata%/Temp directory due to Remote Desktop Plus's failure to clean up. It attempts to decrypt and display any credentials found within these existing files. After processing the existing files, the tool then monitors the directory for any newly created .tmp files, decrypting and displaying credentials in real-time.
╔═╗┬ ┬┌─┐┬─┐┌─┐╦═╗╔╦╗╔═╗┬ ┬ ┬┌─┐╔═╗┌┐┌┌─┐┌┬┐┌─┐┬ ┬┌─┐┬─┐
╚═╗├─┤├─┤├┬┘├─┘╠╦╝ ║║╠═╝│ │ │└─┐╚═╗│││├─┤ │ │ ├─┤├┤ ├┬┘
╚═╝┴ ┴┴ ┴┴└─┴ ╩╚══╩╝╩ ┴─┘└─┘└─┘╚═╝┘└┘┴ ┴ ┴ └─┘┴ ┴└─┘┴└─
[+] Checking for artifact .tmp files in application data.
[Credentials Found]: C:\Users\yeeb\AppData\Local\Temp\Remote Desktop Plus.006F4.tmp
┌───────────────────────────────────────┐
│ Username: yeeb │
│ Password: JediMaster1234! │
└───────────────────────────────────────┘
[Credentials Found]: C:\Users\yeeb\AppData\Local\Temp\Remote Desktop Plus.04BF4.tmp
┌───────────────────────────────────────┐
│ Username: admin │
│ Password: SithLordGalacticEmpire! │
└───────────────────────────────────────┘
[+] Monitoring for new Remote Desktop Plus Connections. Press Enter to quit.
[File Copied for Processing]: C:\Users\yeeb\AppData\Local\Temp\e037061e-3fdc-47af-a5ef-4881d99774bd.tmp
[Credentials Found]: C:\Users\yeeb\AppData\Local\Temp\e037061e-3fdc-47af-a5ef-4881d99774bd.tmp
┌───────────────────────────────────────┐
│ Username: yeeb │
│ Password: RebelAlliance1977! │
└───────────────────────────────────────┘
Compilation
Before compiling, add the System.Security.Cryptography.ProtectedData package to the solution. This package is necessary for interacting with the Data Protection API (DPAPI) to decrypt the credentials found within the .tmp files.
You can add this package via the .NET CLI with the following command:
dotnet add package System.Security.Cryptography.ProtectedData
Alternatively, if you're using Visual Studio, you can manage NuGet packages for your project and add System.Security.Cryptography.ProtectedData from there.
Acknowledgments
Special thanks to the rdp-file-password-encryptor repository for providing guidelines on how to decrypt the contents of .rdp files.
The script is for informational and educational purposes only. The author and contributors of this script are not responsible for any misuse or damage caused by this tool. <!-- meme -->
Related Skills
tmux
347.2kRemote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
diffs
347.2kUse the diffs tool to produce real, shareable diffs (viewer URL, file artifact, or both) instead of manual edit summaries.
terraform-provider-genesyscloud
Terraform Provider Genesyscloud
blogwatcher
347.2kMonitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.
