Skip to main content

Group Policy Preferences (GPP)


GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released.

What's the Flaw?

The MS14-025 patch does not apply to GPP passwords embedded prior to the patch.

Finding GPPs

Any user can read the groups.xml file in SYSVOL. If the cPassword is extracted from the the attacker can use gpp-decrypt, a default tool on Kali, to decrypt the password hash.

Using Metasploit

meterpreter > background
msf > use auxiliary/smb_enum_gpp

Set the backgrounded session and run it