# GPP / cPassword

## TL;DR

* **Group Policy Preferences (GPP)** allowed admins to create policies that carry embedded credentials
* These credentials were AES-encrypted and stored in a **"cpassword"** attribute inside XML files on the SYSVOL share
* The AES key was accidentally released (Microsoft published it on MSDN), so anyone who can read the XML can decrypt the password
* Patched in **MS14-025**, but the patch does not remove credentials that were stored in GPP files before it
* Use the Kali built-in tool `gpp-decrypt` to decrypt an encrypted GPP password.

## Group Policy Preference (GPP)

One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios. These include:

* Mapped drives (Drives.xml)
* Create Local Users
* Data Sources (DataSources.xml)
* Printer configuration (Printers.xml)
* Create/Update Services (Services.xml)
* **Scheduled Tasks (ScheduledTasks.xml)**
* **Change local Administrator passwords**

## Credential Storage in GPP

When a new GPP is created, an associated XML file holding the relevant configuration data is written to SYSVOL; if a password was provided, it is stored **AES-256 encrypted** in that file.

However, [Microsoft published the AES key on MSDN](https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx), and with it the password can be decrypted. Since authenticated users (any domain user, or users in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing **"cpassword"**, the attribute whose value is the AES-encrypted password:

![cpassword](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVjG_njKgBtvmnKaJh%2Fuploads%2FwNbXKFksmKkkbmcWmN4G%2Fimage.png?alt=media\&token=3ffcd252-a1c1-47ea-9129-746b415d62b9)

## gpp-decrypt

Use the Kali built-in tool `gpp-decrypt` to decrypt the AES-encrypted value found in the "cpassword" attribute:

```bash
gpp-decrypt <gpp_password>
```

## Metasploit: smb_enum_gpp

This module connects to the target domain controllers over SMB, enumerates the Group Policy Preference (GPP) XML files that contain local/domain user accounts and passwords, and decrypts the passwords using Microsoft's public AES key:

```bash
msf > use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > show actions
    ...actions...
msf auxiliary(smb_enum_gpp) > set ACTION <action-name>
msf auxiliary(smb_enum_gpp) > show options
    ...show and set options...
msf auxiliary(smb_enum_gpp) > run
```

## Lab: Hack The Box - Active

{% embed url="https://www.ctfwriteup.com/hack-the-box/ad/active" %}
Hack The Box - Active
{% endembed %}

## Defense

* Install KB2962486 (MS14-025) on every computer used to manage GPOs; it prevents new credentials from being placed in Group Policy Preferences.
* Delete the existing GPP XML files in SYSVOL that contain passwords, since the patch does not remove them.
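The second step requires finding every GPP file that still stores a cpassword. The following audit script is an added example (not code from the original page or from any of the tools it mentions): it walks a SYSVOL tree, parses the preference files named above, and reports every element with a non-empty `cpassword` attribute without decrypting anything. The account attribute names and the sample SYSVOL layout built by `demo()` are assumptions for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that may carry a cpassword attribute (the file names listed on this page).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
# Attributes that usually name the affected account; which one is present depends on the file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def findings_in_file(path):
    """Return (path, tag, account) for every element in `path` carrying a non-empty cpassword."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # malformed XML: nothing to report from this file
    found = []
    for elem in root.iter():
        if elem.get("cpassword"):  # cpassword="" means no password was ever stored
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
            found.append((path, elem.tag, account))
    return found

def audit_sysvol(sysvol_root):
    """Walk a SYSVOL tree and list every GPP file that still stores a cpassword."""
    results = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name in GPP_FILES:
                results.extend(findings_in_file(os.path.join(dirpath, name)))
    return results

# Constructed sample files for the demo; the cpassword value is a placeholder, not real ciphertext.
GROUPS_XML = ('<?xml version="1.0" encoding="utf-8"?><Groups><User name="Administrator (built-in)">'
              '<Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER" userName="Administrator (built-in)"/>'
              '</User></Groups>')
DRIVES_XML = ('<?xml version="1.0" encoding="utf-8"?><Drives><Drive name="H:">'
              '<Properties action="U" cpassword="" userName=""/></Drive></Drives>')

def demo():
    """Build the sample SYSVOL tree in a temp dir, audit it, and return (file, tag, account) tuples."""
    with tempfile.TemporaryDirectory() as sysvol:
        for sub, text in (("Groups", GROUPS_XML), ("Drives", DRIVES_XML)):
            d = os.path.join(sysvol, "Policies", "{POLICY-GUID}", "Machine", "Preferences", sub)
            os.makedirs(d)
            with open(os.path.join(d, sub + ".xml"), "w") as f:
                f.write(text)
        return [(os.path.basename(p), tag, acct) for p, tag, acct in audit_sysvol(sysvol)]
```

Run `audit_sysvol()` against a mounted copy of the domain's SYSVOL share; because the decryption key is public, every account it reports should be treated as exposed and its password changed after the file is removed.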

## Reference

{% embed url="https://adsecurity.org/?p=2288" %}
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences - Active Directory Security
{% endembed %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_enum_gpp/" %}
SMB Group Policy Preference Saved Passwords Enumeration
{% endembed %}
