search

GPP (Group Policy Preference) credential discovery

Group Policy Preferences (GPP) allowed administrators to create domain policies with embedded credentials. These policies allowed them to set local accounts, and embed credentials for various purposes that may otherwise require an embedded password in a script. So when a new Group Policy Preference (GPP) is generated, a xml file (generally Groups.xml) with the configuration data, including any passwords associated with the GPP, is created in the SYSVOL share which are folders on domain controllers accessible and readable to all authenticated domain users.

Group Policies for account management are stored on the Domain Controller in "Groups.xml" files buried in the SYSVOL folder.

While some of these files may only contain something as simple as a configuration to rename an existing account, what we are interested in as pen testers are files that contain the "cpassword" field. These policies will actually set the password for the contained account. Below is a screenshot of one such file from the Domain Controller:

hashtag
Attacks

hashtag
1. Use impacket module to get the password.

hashtag
2. After accessing to the target machine, and find a xml file

After you find the password, decrypt the password.

hashtag
3. CTF: You may find SYSVOL files via any open ports

Maybe, you may find the Policies information that can be downloaded to a Kali machine.

hashtag
Decrypt the cpassword

PreviousGPO modification attackNextLogon Script Abuse

Last updated