search

GPP / cPassword

gpp-decrypt

hashtag
TL;DR

  • Group Policy Preferences (GPP) allowed admins to create policies using embedded credentials

  • These credentials were encrypted and placed in a "cpassword"

  • The key was accidentally released

  • Patched in MS14-025, but doesn't prevent previous uses

  • Use Kali built-in tool gpp-decrypt to decrypt the encrypted GPP password.

hashtag
Group Policy Preference (GPP)

One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios. These include:

  • Map drives (Drives.xml)

  • Create Local Users

  • Data Sources (DataSources.xml)

  • Printer configuration (Printers.xml)

  • Create/Update Services (Services.xml)

  • Scheduled Tasks (ScheduledTasks.xml)

  • Change local Administrator passwords

hashtag
Credential Storage in GPP

When a new GPP is created, there’s an associated XML file created in SYSVOL with the relevant configuration data and if there is a password provided, it is AES-256 encrypted.

However, Microsoft published the AES private key on MSDNarrow-up-right which can be used to decrypt the password. Since authenticated users (any domain user or users in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing "cpassword" which is the value that contains the AES encrypted password:

cpassword

hashtag
gpp-decrypt

Use Kali built-in tool gpp-decrypt to decrypt the AES-encrypted password found in the "cpassword" field:

hashtag
Metasploit: smb_enum_gpp

This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference (GPP) XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key:

hashtag
Lab: Hack The Box - Active

https://www.ctfwriteup.com/hack-the-box/ad/activewww.ctfwriteup.comchevron-right
Hack The Box - Active

hashtag
Defense

  • Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.

  • Delete existing GPP xml files in SYSVOL containing passwords.

hashtag
Reference

Finding Passwords in SYSVOL & Exploiting Group Policy PreferencesActive Directory & Azure AD/Entra ID Securitychevron-right
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences - Active Directory Security
LogoRapid7Rapid7chevron-right
SMB Group Policy Preference Saved Passwords Enumeration
PreviousSMB RelayNextDomain Enumeration

Last updated