# GPP Passwords (Group Policy Preferences)

* **SYSVOL** is a shared folder on all Domain Controllers that stores logon scripts and Group Policy data.
* GPP (introduced in Windows Server 2008) allowed storing **credentials** (usernames + encrypted passwords) in XML files for things like scheduled tasks.
* These XML files are stored in: `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies`
* The encryption key used is **the same for all AD environments** and was made public by Microsoft.
* Because **Authenticated Users** (including normal users and computers) can read SYSVOL, **anyone can access and decrypt** the stored passwords.

<figure><img src="/files/CYI2grBBgo0hSl4fSMrl" alt=""><figcaption></figcaption></figure>

This is how the encrypted password looks in the XML file:\
![Encrypted password value in a GPP XML file](<enc pass.png>)

***

## Attack

To abuse `GPP Passwords`, we use the [Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1) function from `PowerSploit`, which automatically parses all XML files in the Policies folder of `SYSVOL`, picks out those with a `cpassword` property and decrypts them once detected.

### Import Get-GPPPassword

```powershell-session
PS C:\Users\bob\Downloads> Import-Module .\Get-GPPPassword.ps1
```

### Execute Get-GPPPassword

```powershell-session
PS C:\Users\bob\Downloads> Get-GPPPassword
```

***

## Prevention

* In 2014, Microsoft released **patch KB2962486** to stop storing passwords in GPP.
* **Patched systems won't store new passwords**, but **old ones may still exist**.
* Many AD environments, even after 2015, still have credentials in SYSVOL.
* **Important:** The patch **does not remove existing passwords**, only blocks new ones.
* Regularly check and clean SYSVOL to ensure no credentials are exposed.
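The "regularly check and clean SYSVOL" step can be scripted. The following is an added example (not from the page and not PowerSploit code) that audits the Policies share for GPP XML files still carrying a `cpassword` attribute and reports file, timestamp and account without decrypting anything. It assumes it is run from a domain-joined host where `$env:USERDNSDOMAIN` holds the domain name; the list of file names is the set of preference types that could carry a cpassword.

```powershell
# Added example, not from the page or from PowerSploit: audit SYSVOL for GPP XML files
# that still carry a cpassword attribute. Reports only; nothing is decrypted.
# Assumption: run as a domain user on a domain-joined host; $env:USERDNSDOMAIN holds the domain name.
$Domain         = $env:USERDNSDOMAIN
$SysvolPolicies = "\\$Domain\SYSVOL\$Domain\Policies"

# Preference files that GPP could populate with a cpassword attribute
$CredentialFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                   'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Get-GppCpasswordEntry {
    param([string]$Path = $SysvolPolicies)

    Get-ChildItem -Path $Path -Recurse -Include $CredentialFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $File = $_
            try { [xml]$Xml = Get-Content -Path $File.FullName -Raw } catch { return }

            # Every Properties element carrying a cpassword attribute, whatever the preference type
            foreach ($Props in $Xml.SelectNodes('//Properties[@cpassword]')) {
                # The account attribute differs per file type (userName, accountName, runAs)
                $Account = $Props.userName
                if (-not $Account) { $Account = $Props.accountName }
                if (-not $Account) { $Account = $Props.runAs }
                if (-not $Account) { $Account = '(not recorded)' }

                [pscustomobject]@{
                    File          = $File.FullName
                    LastWriteTime = $File.LastWriteTime
                    Account       = $Account
                    HasCpassword  = -not [string]::IsNullOrEmpty($Props.cpassword)
                }
            }
        }
}

# Usage: list every exposed entry, oldest file first
Get-GppCpasswordEntry | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Each hit should be removed from the GPO through the Group Policy Management Console rather than by deleting the file by hand, and the account named in the entry should have its password rotated, since the patch only stops new passwords from being written and anyone who read SYSVOL before the cleanup may already hold the old one.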

***

## Detection

* Nobody has a legitimate reason to open the XML file that contains the credentials, so a read of that file is suspicious; with object access auditing enabled on the SYSVOL Policies folder, each read generates an event.
* Event ID **4663** (an attempt was made to access an object)
* Alternatively, we can monitor the logon events for the exposed account (`4624` (`successful logon`), `4625` (`failed logon`), or `4768` (`TGT requested`)), choosing which one to alert on depending on whether the stored password is still current or not.
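To pull the 4663 events that matter out of the Security log, the following added example (not from the page) runs on the Domain Controller and keeps only object-access events whose object is an XML file under the SYSVOL Policies folder. It assumes that "Audit File System" (object access) is enabled and that a read SACL exists on the Policies folder; without that SACL, Windows writes no 4663 for these reads.

```powershell
# Added example, not from the page: list Security event 4663 entries on the DC that refer to
# a GPP XML file under SYSVOL. Assumption: object access auditing and a read SACL on the
# Policies folder are in place, otherwise no 4663 is generated for the reads.
function Get-SysvolXmlAccessEvent {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $Xml  = [xml]$_.ToXml()
            $Data = @{}
            foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
                Object     = $Data.ObjectName
                AccessMask = $Data.AccessMask   # 0x80 = ReadAttributes, 0x1 = ReadData (FILE_* access rights)
                Process    = $Data.ProcessName
            }
        } |
        Where-Object { $_.Object -match '\\SYSVOL\\.*\\Policies\\.*\.xml$' }
}

# Usage: last 24 hours of SYSVOL XML reads, one row per event
Get-SysvolXmlAccessEvent | Format-Table -AutoSize
```

The Access Mask column is what Task 2 below asks for; `0x80` is the `FILE_READ_ATTRIBUTES` right, and a tool that actually reads the file contents additionally produces events with `0x1` (`ReadData`) in the mask. Filtering on the `Subject` and `Process` columns separates the Group Policy client's own access from an interactive user running a script.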

***

## Honeypot

* We can use the SYSVOL share for a trap set-up.
* A semi-privileged user with a **wrong password**
* Service account passwords are often **old** and rarely changed.
* If the **GPP file is newer** than the last password change, the password is likely still valid.
* If the password changed **after** the file was modified, it probably won’t work.
* Run a **dummy task** with the account to generate recent login activity.

4771: failed pre-authentication\
4776: bad password
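The honeypot reasoning above has two parts that can be checked from the DC: that the decoy file looks newer than the account's last password change, and that failed authentications for the decoy account are picked up. The following is an added example (not from the page) covering both. It assumes the ActiveDirectory module is available, and the decoy account name and GPO path are placeholders to replace with your own.

```powershell
# Added example, not from the page: two checks for a GPP honeypot account.
# Assumptions: ActiveDirectory module present (run on the DC); the account name and the
# decoy file path below are placeholders, not values from the page.
$HoneypotAccount = 'svc-decoy'    # placeholder decoy account name
$DecoyFile = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{GPO-GUID-PLACEHOLDER}\Machine\Preferences\Groups\Groups.xml"

# 1. Plausibility check: the decoy file should be newer than the account's last password
#    change, otherwise it looks like a stale credential and is less likely to be tried.
function Test-DecoyLooksCurrent {
    param([string]$Account = $HoneypotAccount, [string]$File = $DecoyFile)
    $PwdLastSet = (Get-ADUser -Identity $Account -Properties PasswordLastSet).PasswordLastSet
    $FileTime   = (Get-Item -Path $File).LastWriteTime
    [pscustomobject]@{
        Account         = $Account
        PasswordLastSet = $PwdLastSet
        FileModified    = $FileTime
        LooksCurrent    = ($FileTime -gt $PwdLastSet)
    }
}

# 2. Alerting: failed authentications against the decoy account.
#    4771 = Kerberos pre-authentication failed (Status 0x18 is a bad password),
#    4776 = NTLM credential validation failed (Status 0xC000006A is a bad password).
function Get-DecoyAuthFailure {
    param([string]$Account = $HoneypotAccount, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Xml  = [xml]$_.ToXml()
            $Data = @{}
            foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
            # 4771 records the client IP, 4776 records the workstation name
            $Source = if ($Data.IpAddress) { $Data.IpAddress } else { $Data.Workstation }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $Data.TargetUserName
                Source  = $Source
                Status  = $Data.Status
            }
        } |
        Where-Object { $_.Account -eq $Account }
}

# Usage
Test-DecoyLooksCurrent | Format-List
Get-DecoyAuthFailure   | Format-Table -AutoSize
```

Because the decoy account never authenticates legitimately, any row from `Get-DecoyAuthFailure` is worth an alert on its own; the `Source` column gives the host to start the investigation from. If `LooksCurrent` is false, schedule the dummy task mentioned above (or otherwise update the file) so that the timestamp stays ahead of the password change.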

***

## Tasks

### Task 1

**Connect to the target and run the Powersploit Get-GPPPassword function. What is the password of the svc-iis user?**

When we run the import module command we get an error; this is a security feature of Windows (the execution policy) that restricts script execution. We bypass it with the command below.

<figure><img src="/files/NpkbGPEtwwi57xiMoSSf" alt=""><figcaption></figcaption></figure>

Now we import and execute the script

<div align="left"><figure><img src="/files/uNNN3gA9UEHdUofibRg5" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/PGdi4bqq8J8JgpNtuT1o" alt=""><figcaption></figcaption></figure>

**Answer: abcd\@123**

***

### Task 2

After running the previous attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB\_@cademy\_stdnt!' and look at the logs in Event Viewer. What is the Access Mask of the generated events?

From the Windows RDP session, open Event Viewer.\
In the Security log, filter on Event ID 4663 and look in the Details of the events for the Access Mask.

**Answer: 0X80**

