Decrypting Windows 2008 GPP user passwords using Gpprefdecrypt.py

This tool decrypts the cpassword attribute value embedded in the Groups.xml file stored in the domain controller's Sysvol share.

Very briefly, we will be discussing how Group Policy Preferences can be used to create local users on machines and just how quickly we can crack the embedded cpass hash.

As far as I'm aware, by design the Groups.xml will store the local administrator account user and password hash. However, after further research and the experiences of my colleagues, there are other similar .xml files which hold other user account names and hashes for different purposes.

For example, there are .xml files used for specific 'Services' that will hold the account needed to run said service. Other .xml files include credentials and configuration settings for 'Printers' and 'Drives'. Further research suggests there are possible .xml files for 'ScheduledTasks' and 'DataSources', although I have yet to see these on any pentests I have performed.

Groups.xml

Above is a Groups.xml file taken from a test lab I created some time ago. The important items within this file are:

  • Group name
  • Username
  • Cpassword

The above information will show you the user and group used for the specific policy and of course the Cpassword (often referred to as Cpass).

To find the Groups.xml file you're going to have to search mainly the Sysvol folder of a domain controller. You will very likely need domain credentials to be able to access this share. Simply browse to the server share and you should see the folder for Sysvol if it exists and is accessible using the credentials you have supplied. If using Windows you can simply 'search' for groups.xml. However, you might find that searching for *.xml will yield more results.

Now, as common as this method is for rolling out user credentials for specific services, Microsoft, for whatever reason!?, decided to release the key to decrypting this password. Now you may think:
"Well, why is this any different to cracking any other password hash?"
Well, because the key is known, the cpass is decrypted rather than guessed, so the time taken to crack any cpass is roughly 0.5 seconds, no matter the complexity.

time ./gpprefdecrypt.py j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
Local*P4ssword!

real 0m0.021s
user 0m0.012s
sys 0m0.004s

As you can see, it took 0.021 seconds to return the plaintext password from the hash.

Usage for gpprefdecrypt.py is easy: simply call the script and give it the hash.




References

Gpprefdecrypt.py can be found on my pastebin, as mirrors of the script are often down.


So what can you do to protect yourself from this exploit?

Simple: do not specify user credentials within Group Policy Preferences.
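
To find credentials that are already embedded, an audit along these lines can be run against a copy of Sysvol. This is an added example, not part of the original post or of gpprefdecrypt.py; the function name find_cpasswords, the sample XML and the list of account attributes are assumptions made for illustration, and it reports only where a cpassword exists, never its value.

```python
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Attributes that carry the account name next to cpassword in GPP files
# (userName, accountName, runAs), compared case-insensitively (assumed list).
ACCOUNT_ATTRS = ("username", "accountname", "runas")

# Constructed sample, not a real policy; the cpassword is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_local">
    <Properties action="U" userName="svc_local" cpassword="PLACEHOLDER_VALUE"/>
  </User>
  <User name="guest"><Properties action="U" userName="guest" cpassword=""/></User>
</Groups>
"""


def find_cpasswords(root_dir):
    """Return one finding per XML element under root_dir that has a non-empty
    cpassword attribute. The encrypted value itself is never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip, keep scanning
            for elem in tree.iter():
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if not attrs.get("cpassword"):
                    continue  # attribute absent or empty: nothing embedded
                account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "")
                findings.append({"file": path, "element": elem.tag, "account": account})
    return findings


if __name__ == "__main__":
    # Assumption: argv[1] is a local copy or mount of Sysvol; else scan the sample.
    with tempfile.TemporaryDirectory() as demo:
        with open(os.path.join(demo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        for f in find_cpasswords(sys.argv[1] if len(sys.argv) > 1 else demo):
            print(f"{f['file']}: <{f['element']}> account={f['account']!r} has cpassword")
```

Any account the scan reports should be treated as exposed: remove the credential from the policy and change that account's password.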

I would like to send out a thank you to the below people for making this post possible

  1. My colleagues for their input into the groups.xml exploit
  2. Loic Jaquemet for his work with gpprefdecrypt.py
  3. Microsoft for providing yet another quick and easy method of getting system on a pentest



