RDP – MSTSC Plaintext Password

🔒 Secure Bits 💡
Think RDP + Credential Guard keeps your domain admin creds safe? Not really.

Even in 2025, many admins still expose their Domain Admin credentials without realizing it, simply by using RDP to reach Domain Controllers from the same workstation they read mail and browse on.

🧠 "But I've got Credential Guard, I'm protected!"
Not always.

๐—›๐—ฒ๐—ฟ๐—ฒโ€™๐˜€ ๐˜„๐—ต๐—ฎ๐˜ ๐—ฎ๐—ฐ๐˜๐˜‚๐—ฎ๐—น๐—น๐˜† ๐—ต๐—ฎ๐—ฝ๐—ฝ๐—ฒ๐—ป๐˜€ย ๐—ถ๐—ป ๐—ฐ๐—ฎ๐˜€๐—ฒ ๐—ผ๐—ณ ๐—ฅ๐——๐—ฃ:
1๏ธโƒฃ You connect to a DC via RDP from your “basic ” machine
2๏ธโƒฃ As part of that RDP session,ย your password gets cached in MSTSC memory
3๏ธโƒฃ An attacker on your workstation could extract it โ€”ย even in plaintext

💥 Credential Guard doesn't save you here. It isolates the secrets held by LSASS (NTLM hashes, Kerberos tickets); it does nothing for what an ordinary user-mode client like mstsc.exe keeps in its own memory.
Neither will smart cards: you don't type a password, but the PIN travels through the same client, and that is what ends up in memory instead.

🎯 The real fix? Implement proper Privileged Access Workstations (PAW) and follow the Tiering Model: Tier 0 systems such as DCs are administered only from a dedicated, hardened workstation, never from the one you use for everything else. Restricted Admin Mode for RDP (mstsc /RestrictedAdmin) also helps, because the client then reuses the workstation's existing logon instead of prompting for a password, but it only makes sense once you understand the tiering model above, since the credential now lives in the workstation you connect from.
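The leak test behind the three steps above, and the Restricted Admin comparison, as an added PowerShell example that is not part of the original post. It assumes a lab workstation, a throwaway test account with the password LabOnly-P@ssw0rd!, a test DC named dc01.lab.local (assumed name), and an mstsc.exe session that is still open. The function names Get-ProcessDump and Find-SecretInDump are mine; the MiniDump export of comsvcs.dll, the mstsc /RestrictedAdmin switch and the DisableRestrictedAdmin registry value are real Windows components, and the dump step is one most EDRs alert on, which is itself a useful thing to confirm.

```powershell
# Added example, not code from the original post. Lab use only.
# Assumed: a test workstation, a throwaway lab account/password, a test DC
# named dc01.lab.local, and an mstsc.exe session that is still open.

function Get-ProcessDump {
    # Write a full user-mode memory dump of a process with the MiniDump export
    # of comsvcs.dll (built into Windows). Run as the same user that started the
    # target process, or elevated. Expect your EDR to flag this.
    param(
        [Parameter(Mandatory)] [int] $ProcessId,
        [string] $DumpPath = (Join-Path $env:TEMP "proc_$ProcessId.dmp")
    )
    $argList = "C:\Windows\System32\comsvcs.dll, MiniDump $ProcessId `"$DumpPath`" full"
    Start-Process -FilePath rundll32.exe -ArgumentList $argList -Wait -NoNewWindow
    if (-not (Test-Path $DumpPath)) { throw "Dump was not created: $DumpPath" }
    return $DumpPath
}

function Find-SecretInDump {
    # Search a dump for a known secret in the encodings a Windows client uses:
    # UTF-16LE (what mstsc.exe holds after the credential prompt) and a
    # single-byte copy. Returns one object per hit with its byte offset.
    param(
        [Parameter(Mandatory)] [string] $DumpPath,
        [Parameter(Mandatory)] [string] $Secret
    )
    $bytes = [System.IO.File]::ReadAllBytes($DumpPath)   # a full dump can be several hundred MB
    $hits  = New-Object System.Collections.Generic.List[object]
    $cmp   = [System.StringComparison]::Ordinal

    # UTF-16LE: decode at both byte alignments so a string starting at an odd
    # offset is not missed; byte offset = shift + 2 * string index.
    foreach ($shift in 0, 1) {
        $text = [System.Text.Encoding]::Unicode.GetString($bytes, $shift, $bytes.Length - $shift)
        $pos  = $text.IndexOf($Secret, $cmp)
        while ($pos -ge 0) {
            $hits.Add([pscustomobject]@{ Encoding = 'UTF-16LE'; Offset = $shift + 2 * $pos })
            $pos = $text.IndexOf($Secret, $pos + 1, $cmp)
        }
    }
    # Single-byte: ISO-8859-1 maps every byte to exactly one char, so the
    # string index is the byte offset.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $pos = $latin1.IndexOf($Secret, $cmp)
    while ($pos -ge 0) {
        $hits.Add([pscustomobject]@{ Encoding = 'ANSI'; Offset = $pos })
        $pos = $latin1.IndexOf($Secret, $pos + 1, $cmp)
    }
    return $hits
}

# --- Run 1: the "usual" way (steps 1-3 above) -------------------------------
# On the workstation, connect and type the lab password into the prompt:
#   mstsc.exe /v:dc01.lab.local
# Then, while the session is still open:
$labPassword = 'LabOnly-P@ssw0rd!'          # throwaway secret, never a real one
$mstsc = Get-Process -Name mstsc | Select-Object -First 1
$dump  = Get-ProcessDump -ProcessId $mstsc.Id
$hits  = Find-SecretInDump -DumpPath $dump -Secret $labPassword
"Plaintext copies of the password in mstsc.exe: $($hits.Count)"
$hits | Format-Table -AutoSize
Remove-Item $dump -Force                    # the dump file now holds the secret too

# --- Run 2: Restricted Admin mode --------------------------------------------
# The target must allow it first (on the DC, elevated):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#       -Name DisableRestrictedAdmin -Value 0 -Type DWord
# Then connect from a session that is already logged on with the admin identity:
#   mstsc.exe /RestrictedAdmin /v:dc01.lab.local
# No password is typed into the client, so repeating the dump-and-search above
# finds nothing for $labPassword. The credential now lives only in the
# workstation's LSA, which is what Credential Guard actually protects, so the
# workstation you connect from still has to be a PAW.
```

Run 1 is the answer to "ever tested what MSTSC leaks?": a non-zero hit count while the session is open means the password is recoverable by anything running as you. Delete the dump immediately, since it is now a second plaintext copy, and treat the EDR alert the MiniDump step raises as part of the test result.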

Your credentials are only as secure as the device you log in from.

👇 Ever tested what MSTSC leaks in memory?