GPP / cPassword
gpp-decrypt
TL;DR
Group Policy Preferences (GPP) allowed admins to create policies with embedded credentials.
These credentials were encrypted and stored in a "cpassword" attribute of the policy's XML file in SYSVOL.
The AES key was accidentally released.
Patched in MS14-025, but the patch doesn't remove credentials already stored in existing GPP XML files.
Use the Kali built-in tool gpp-decrypt to decrypt the encrypted GPP password.
Group Policy Preference (GPP)
One of the most useful features of Group Policy Preferences (GPP) is the ability to store and use credentials in several scenarios. These include:
Map drives (Drives.xml)
Create Local Users
Data Sources (DataSources.xml)
Printer configuration (Printers.xml)
Create/Update Services (Services.xml)
Scheduled Tasks (ScheduledTasks.xml)
Change local Administrator passwords
Credential Storage in GPP
When a new GPP is created, an associated XML file is created in SYSVOL with the relevant configuration data; if a password is provided, it is stored AES-256 encrypted.
However, Microsoft published the AES key on MSDN, and it can be used to decrypt the password. Since authenticated users (any domain user, or users in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing "cpassword", the attribute that holds the AES-encrypted password.
gpp-decrypt
Use the Kali built-in tool gpp-decrypt to decrypt the AES-encrypted password found in the "cpassword" field.
Metasploit: smb_enum_gpp
This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference (GPP) XML files containing local/domain user accounts and passwords and decrypts them using Microsoft's public AES key.
Lab: Hack The Box - Active
Defense
Install KB2962486 on every computer used to manage GPOs; it prevents new credentials from being placed in Group Policy Preferences.
Delete existing GPP XML files in SYSVOL that contain passwords.
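Finding the XML files that still carry a cpassword is the first step of the cleanup above. The following audit script is an added example, not part of the original notes or of gpp-decrypt: it walks a Policies directory (a mounted copy of SYSVOL), parses the GPP XML file types listed earlier, and reports every element with a non-empty cpassword attribute along with the account it applies to. The sample XML documents are constructed, the ciphertext is a placeholder, and the account attribute names (userName, accountName, runAs) are assumed from the usual GPP file layouts.

```python
import os
import xml.etree.ElementTree as ET

# GPP XML files under SYSVOL\<domain>\Policies that can carry a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")  # account names paired with a cpassword


def find_cpasswords(xml_data):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:  # attribute absent or empty: no credential stored here
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        # Report that a credential exists, never the ciphertext itself
        findings.append({"element": elem.tag, "account": account,
                         "cpassword_len": len(cpassword)})
    return findings


def scan_policies(policies_dir):
    """Walk a Policies directory (e.g. a mounted SYSVOL copy) and collect findings per file."""
    results = []
    for dirpath, _, filenames in os.walk(policies_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:  # bytes, so the XML declaration picks the encoding
                    for finding in find_cpasswords(fh.read()):
                        results.append(dict(finding, file=path))
    return results


# Constructed sample: a Groups.xml that sets a local user's password (ciphertext is a placeholder)
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="backupadmin">
  <Properties action="U" cpassword="PLACEHOLDER_BASE64_CIPHERTEXT" noChange="1"
              neverExpires="1" acctDisabled="0" userName="backupadmin"/>
</User></Groups>"""

# Constructed sample: a Drives.xml with an empty cpassword, which stores no credential
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:">
  <Properties action="U" path="\\\\fileserver\\home" cpassword="" userName=""/>
</Drive></Drives>"""
```

Run scan_policies against the Policies folder of each domain's SYSVOL and remove or re-create the reported GPOs without embedded credentials.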