Edit

Group Policy Preferences

MITRE ATT&CK™ Sub-technique T1552.006

Theory

Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.

  • Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.

  • Issue 2: by default, knowing the built-in Administrator's hash (RID 500) allows for powerful Pass-the-Hash attacks (read more).

  • Issue 3: all Group Policies are stored in the Domain Controllers' SYSVOL share. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted🤷‍♂️.

Practical

From UNIX-like systems, the Get-GPPPassword.py (Python) script in the impacket examples can be used to remotely parse .xml files and loot for passwords.

# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'

# with cleartext credentials
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

# pass-the-hash
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

SYSVOL

Decrypt the Password (Manual)

If you have downloaded the Policies.xml file from the remote system's SYSVOL share then you can decrypt the cpassword value using the below tools

Decrypt CPassword (Tool)

gpp-decrypt.rb

Note: You need to manual put the cpassword in the source code.

gpp-decrypt.py

Get Remote Shell Access

Evil-WinRM

Note: The username above should match the value found in the Policy.xml file. In my case the username was found in the format

newName="svc_dbbackup"

REFERENCES

PreviousCrendentialsNextLLMNR Poisoning

Last updated

Was this helpful?