Hello Friends!! You might be aware of Group Policy Preferences in windows Server 2008 that allows system administrators to set up specific configurations. It can be used to create username and encrypted password on machines. But do you know, that a normal user can elevate privilege to local administrator and probably compromise the security of the entire domain because passwords in preference items are not secured.
Table of Content What is Group Policy Preferences? Why using GPP to create a user account is a bad Idea? Lab Set-Up Requirement Create an Account in Domain Controller with GPP Exploiting Group Policy Preferences via Metasploit -I Exploiting Group Policy Preferences via Metasploit -II Gpp-Decrypt GP3finder What is Group Policy Preferences?Group Policy preferences shortly term as GPP permit administrators to configure and install Windows and application settings that were previously unavailable using Group Policy. One of the most useful features of Group Policy Preferences (GPP) is the ability to store and moreover these policies can make all kinds of configuration changes to machines, like as:
Map drives Create Local Users Data Sources Printer configuration Registry Settings Create/Update Services Scheduled Tasks Change local Administrator passwordsWhy using GPP to create a user account is a bad Idea?
If you use Microsoft GPP to create a local administrator account, consider the safety consequences carefully. Since the password is stored in SYSVOL in a preferred item. SYSVOL is the domain-extensive share folder in the Active Directory accessed by all authenticated users.
All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
When a new GPP is created for the user or group account, it’ll interrelated with a Group.XML file created in SYSVOL with the relevant configuration information and the password is AES-256 bit encrypted. Therefore the password is not secure as all authenticated users have access to SYSVOL.
“In this article, we will be doing active directory penetration testing through Group Policy Preferences and try to steal store password from inside SYSVOL in multiple ways”.
Let’s Start!!
Lab Set-Up Requirement
Microsoft Windows Sever 2008 r2 Microsoft Windows 7/10 Kali linux Create an Account in Domain Controller with GPPOn your Windows Server 2008, you need to create a new group policy object (GPO) under “ Domain Controller” using Group Policy Management.
Now create a new user account by navigating to: Computer Configuration > Control Panel Settings > Local Users and Groups.
Then Right click in the “Local Users and Groups” option and select New > Local User .
Then you get an interface for new local user property where you can create a new user account.
As you can observe from the given below image, we had created an account for user “raaz”.
Don’t forget to update group policy configuration.
So as I had already discussed above, that, whenever a new gpp is created for the user or group account, it will associated with a Group.XML which is stored inside /SYSVOl.
From the image below, you can see the entire path that leads to the file Group.xml . As you can see, this xml file holds cpassword for user raaz within the property tags in plain text.
Exploiting Group Policy Preferences via Metasploit -I As we know an authorized user can access SYSVOL and suppose I know the client machine credential, let say raj:[emailprotected] then with help of this I can exploit Group Policy Preference to get XML file. Metasploit auxiliary module lets you enumerates files from target domain controllers by connecting to SMB as rouge user.
This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsofts public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller.
use auxiliary/scanner/smb/smb_enum_gpp msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103 msf auxiliary(smb_enum_gpp) > set smbuser raj msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123 msf auxiliary(smb_enum_gpp) > exploit Hence you can observe, that it has dump the password:[emailprotected] from inside Group.xml file for user raaz.Exploiting Group Policy Preferences via Metasploit -II
Metasploit also provide a post exploit for enumerating cpassword, but for this you need to compromised target’s machine at least once and then you will be able to run below post exploit.
This module enumerates the victim machine’s domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsofts public AES key. Cached Group Policy files may be found on end-user devices if the group policy object is deleted rather than unlinked.
use post/windows/gather/credentials/gpp msf post(windows/gather/credentials/gpp) > set session 1 msf post(windows/gather/credentials/gpp) > exploitFrom the given below image you can observe, it has been found cpassword twice from two different locations:
C:\ProgramData\Microsoft\Group Policy\History\{ EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml C:\Windows\SYSVOL\sysvol\Pentest.Local\Policies\{ EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xmlGpp-Decrypt
Another method is to connect with target’s machine via SMB and try to access /SYSVOL with the help smbclient. Therefore execute its command to access shared directory via authorized account and then move to following path to get Group.xml file: SYSVOL\sysvol\Pentes.Local\Policies\{ EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml
smbclient //192.168.1.103/SYSVOL -U rajAs you can observe that, we have successfully transfer Group.xml in our local machine. As this file holds cpassword, so now we need to decrypt it.
For decryption we use ” gpp- decrypt” which is embedded in a simple ruby script in K