Group Policy Preferences (GPP)

Overview

GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released.

What's the Flaw?

The MS14-025 patch does not apply to GPP passwords embedded prior to the patch.

Finding GPPs

Any user can read the groups.xml file in SYSVOL. If the cPassword is extracted from the the attacker can use gpp-decrypt, a default tool on Kali, to decrypt the password hash.

Using Metasploit

meterpreter > background
msf > use auxiliary/smb_enum_gpp

Set the backgrounded session and run it

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

Group Policy Preferences (GPP)

Overview

What's the Flaw?

Finding GPPs

Using Metasploit