GPP or cPassword Attack

Introduction

Group Policy Preferences (GPP) allowed admins to create policies that carried embedded credentials, for example to set a local administrator password. These credentials were encrypted and stored in the "cpassword" attribute of the policy's XML file in SYSVOL. Microsoft accidentally published the AES key used for that encryption, so anyone who can read the XML file can decrypt the stored credentials. Microsoft later released a patch for this vulnerability (MS14-025), but it only stops new credentials from being stored this way; XML files created before the patch remain in SYSVOL and are still decryptable.

This type of attack is still relevant on pentests: there are servers that may not yet be patched for this vulnerability, and even on patched domains the old GPP XML files are often still stored in SYSVOL, where every domain user can read them.

Mitigation

  • Patch the system: KB2962486

  • Delete the old GPP XML files that still contain a cpassword attribute from SYSVOL, and rotate the credentials they held.
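As an added example (not from the original page), a small audit script for the second mitigation step: it walks a copy or mount of SYSVOL and reports every GPP preference file that still carries a cpassword attribute, so the files can be removed and the accounts rotated. The list of preference file names and the account-name attributes are assumptions based on the GPP file types; the sample Groups.xml is constructed and its cpassword value is a placeholder.

```python
"""Audit Group Policy Preferences XML files for leftover cpassword attributes."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can carry an embedded cpassword (assumed list).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# Attribute names the different preference file types use for the account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample Groups.xml; the cpassword value is a made-up placeholder,
# not a real encrypted credential.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin"
                cpassword="PLACEHOLDER_BASE64_VALUE" neverExpires="1"/>
  </User>
  <User name="Helpdesk" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="Helpdesk"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<inline>"):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():   # every element, any depth
        if "cpassword" in elem.attrib:
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
            findings.append({"source": source, "element": elem.tag,
                             "account": account})
    return findings


def scan_sysvol(sysvol_root):
    """Walk SYSVOL and return (findings, unreadable files) without skipping errors silently."""
    findings, unreadable = [], []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name.lower() not in GPP_FILES:
            continue
        try:
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except (ET.ParseError, OSError) as exc:
            unreadable.append((str(path), str(exc)))
    return findings, unreadable


if __name__ == "__main__":
    found, bad = scan_sysvol(sys.argv[1]) if len(sys.argv) > 1 else (find_cpasswords(SAMPLE_GROUPS_XML), [])
    for f in found:
        print(f"{f['source']}: <{f['element']}> account={f['account']!r} still carries a cpassword")
    for path, err in bad:
        print(f"could not parse {path}: {err}")
```

Run it with the path of a SYSVOL mount (for example the Policies folder) to audit a real domain; with no argument it audits the constructed sample.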

GPP Attack

Kali Linux ships a built-in program called gpp-decrypt that decrypts a cpassword value taken from a GPP XML file.

You can also use Metasploit to perform this attack. All you need is a valid domain account, since any domain user can read SYSVOL.

use auxiliary/scanner/smb/smb_enum_gpp
