πŸ–₯️
Pentest Playbook
  • Pentest Playbook
  • Methodology
    • 🐘Pentest Methodology
  • Reconnaissance
    • πŸ¦…Scanning and Enumeration
      • Host Discovery
      • Port Scan
  • Active Directory
    • 🐻Initial Attack Vectors
      • LLMNR Poisoning
      • SMB Relay
      • Gaining Shell Access
      • IPv6 Attack
    • πŸ»β€β„οΈPost-Compromise Enumeration
      • LDAPDomainDump
      • BloodHound
      • PlumHound
      • PingCastle
    • 🐼Post-Compromise Attacks
      • CrackMapExec
      • SecretsDump
      • Kerberoasting
      • Token Impersonation
      • LNK File Attack
      • GPP or cPassword Attack
      • Mimikatz
  • Password Attacks
    • 🐱Hashcat
      • Hashcat for Windows
    • 🐠Hydra
    • 🐢John The Ripper
Powered by GitBook
On this page
  • Introduction
  • Mitigation
  • GPP Attack
  1. Active Directory
  2. Post-Compromise Attacks

GPP or cPassword Attack

Introduction

Group Policy Preferences (GPP) allowed admins to create policies using embedded credentials. These credentials were encrypted and placed in a β€œcPassword” xml file. Microsoft accidentally released the key that allowed threat actors to easily decrypt the credentials stored in the cPassword. Microsoft then released a patch for this vulnerability MS14-025, but it doesn't prevent previous uses.

This type of attack is still relevant on pentests as there are still servers that are possibly not yet patched for this vulnerability or the GPP files are still stored in the SYSVOL.

Mitigation

  • Patch the system: KB2962486

  • Delete the old GPP xml files stored in the SYSVOL.

GPP Attack

Use the built-in program in Kali Linux called gpp-decrypt to decrypt the cpassword.

You can also use Metasploit to perform this attack. All you need is a valid domain account.

use uxiliary/scanner/smb/smb_enum_gpp

PreviousLNK File AttackNextMimikatz

Last updated 12 months ago

🐼