PrivEsc: Group Policy Preference Passwords
Author: HollyGraceful Published: 11 December 2015 Last Updated: 05 July 2023
Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).
GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.
This essentially means that a share exists on the domain controller which any domain user can access which contains other user account credentials, possible including a local administrator password which is reused across the network. This can mean that privilege escalation from a domain user to domain administrator becomes incredibly easy, as I’ve described before.
The passwords are protected in storage, they are encrypted with AES…however Microsoft released the key here.
This lead to several tools being released that could decrypt these passwords, meaning that as an attacker if you can find a password within SYSVOL you could manually extract it and decrypt the password. The problem didn’t end there, eventually Microsoft fixed this issue with the MS14-025 security update however the patch simply prevents new credentials form being written to SYSVOL and if they already exist it doesn’t remove them, meaning a threat actor could still extract them even after the patch has been applied.
GrimHacker released a tool that can not only decrypt/encrypt with this key but it can also automate the act of searching through the SYSVOL share. It’s open source and even available as a prebuilt Windows binary!
Usage is incredibly simple, there’s two ways you’ll maybe want to us it – the first is the same as other tools where you can supply it an encrypted password and have it decrypt it. That’s done like this:
python gp3finder.py -D CPASSWORD
Alternatively if you want gp3finder to do the searching for you, you can call it like this instead:
gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAINUSER
The tool will prompt you in the console for a password and then if possible it’ll retrieve the passwords and decrypt them for you! Once you’ve grabbed them remember to check out my post of escalating from local admin to domain admin!