Group Policy Preferences (GPP)
Overview
GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword attribute. The encryption key was accidentally released.
What's the Flaw?
The MS14-025 patch does not remove GPP passwords that were embedded before the patch was applied.
Finding GPPs
Any user can read the groups.xml file in SYSVOL. If the cPassword is extracted from the file, the attacker can use gpp-decrypt, a default tool on Kali, to recover the plaintext password (the value is an encrypted password, not a hash).
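From the defender's side, the same readability of SYSVOL makes it cheap to audit: walk the Policies tree, parse every preference file that can carry a credential, and report any element whose cpassword attribute is non-empty so the policy can be rewritten without it. The script below is an added example and is not code from the original page or from gpp-decrypt; it assumes a SYSVOL-like directory layout (a Groups.xml under a policy GUID's Preferences folder), builds constructed sample files in a temporary directory, and does not attempt decryption, since the presence of the attribute is already the finding.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry an embedded credential. Groups.xml is the one
# the page names; the others are the remaining GPP item types that accept one.
GPP_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attributes that name the account a credential belongs to, by item type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_gpp_credentials(sysvol_root):
    """Walk a SYSVOL tree and report every item with a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed preference file: skip it here, review by hand
            # ElementTree has no parent links; build the map so a finding can be
            # reported as the item (User, Task, ...) rather than its Properties node.
            parents = {child: parent for parent in root.iter() for child in parent}
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    # cpassword="" means "no password set" and is not a finding.
                    if attr.lower() != "cpassword" or not value:
                        continue
                    item = parents.get(elem, elem)
                    account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                                    if a in elem.attrib), None)
                    findings.append({
                        "file": path,
                        "item": item.tag,
                        "name": item.get("name"),
                        "account": account,
                    })
    return findings


# Constructed sample: one policy whose Groups.xml sets a local admin password
# and a second user entry with an empty cpassword; the clsid and cpassword
# values are placeholders, not real GPP data.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000001}" name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-BLOB-NOT-A-REAL-VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="Helpdesk">
    <Properties action="U" cpassword="" userName="Helpdesk"/>
  </User>
</Groups>
"""

# Constructed sample: a scheduled task that runs as an account but embeds no
# password, so it must not be reported.
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-000000000003}">
  <Task clsid="{00000000-0000-0000-0000-000000000004}" name="Cleanup">
    <Properties action="U" runAs="NT AUTHORITY\\SYSTEM" appName="cleanup.exe"/>
  </Task>
</ScheduledTasks>
"""


def build_sample_sysvol(base):
    """Write the constructed files into a SYSVOL-shaped tree under base."""
    policy = os.path.join(base, "Policies", "{PLACEHOLDER-GUID}", "Machine", "Preferences")
    for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                             ("ScheduledTasks", "ScheduledTasks.xml", SAMPLE_TASKS_XML)):
        os.makedirs(os.path.join(policy, sub), exist_ok=True)
        with open(os.path.join(policy, sub, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_gpp_credentials(build_sample_sysvol(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['item']} '{f['name']}' sets a password for {f['account']}")
```

On a real domain, point find_gpp_credentials at the mounted SYSVOL share (for example the Policies directory under \\domain\SYSVOL\domain) and treat every finding as a password to rotate and a policy to rewrite, since the patch above leaves pre-existing values in place.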
Using Metasploit
meterpreter > background
msf > use auxiliary/scanner/smb/smb_enum_gpp
msf > set SESSION 1
msf > run
Set SESSION to the id of the backgrounded session (replace 1 with the id shown by sessions -l) and run the module.