Group Policy Preferences (GPP)
GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword field. The key was accidentally released.
What's the Flaw?
The MS14-025 patch does not apply to GPP passwords embedded prior to the patch.
Any user can read the groups.xml file in SYSVOL. If the cPassword is extracted from the file, the attacker can use gpp-decrypt, a default tool on Kali, to decrypt the password hash.
meterpreter > background
msf > use auxiliary/smb_enum_gpp
Set the backgrounded session and run it
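Because the MS14-025 patch leaves previously embedded passwords in place, the cleanup step is to find every preference file that still carries one. The following is an added example, not part of the original notes: it walks a copy of SYSVOL and reports each XML element with a non-empty cpassword attribute, without decrypting or printing the value. It generalizes from groups.xml to any XML file under the tree; the sample file, account names and directory layout are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP Groups.xml; the cpassword is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2013-06-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"/>
  </User>
  <User name="Helpdesk" changed="2015-01-01 09:00:00">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""

def find_cpassword_entries(root_dir):
    """Return one finding per XML element under root_dir with a non-empty cpassword."""
    findings = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(folder, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed file: skip it
            # ElementTree has no parent pointers, so build a child -> parent map.
            parents = {child: parent for parent in tree.iter() for child in parent}
            for elem in tree.iter():
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if attrs.get("cpassword"):
                    parent = parents.get(elem)
                    changed = parent.get("changed", "") if parent is not None else ""
                    findings.append({"file": path, "user": attrs.get("username", ""),
                                     "changed": changed})
    return findings

def demo():
    """Write the constructed sample into a temporary Policies-style tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "Policies", "{CONSTRUCTED-GUID}", "Machine",
                           "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpassword_entries(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: user={f['user']} changed={f['changed']}")
```

Any account the scan reports should have its preference item removed from the GPO and its password changed, since the stored value has been readable by every domain user.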