Group Policy Preferences Password Finder (GP3Finder) v4.0

Group Policy Preferences Password Finder (GP3Finder) v4.0

Group Policy Preferences Password Finder (GP3Finder) searches for and decrypts passwords stored in Group Policy Preference items on sysvol of the domain controller, local host, or any specified share of a remote host. Also allows decryption of manually retrieved cpassword.

Preference items have been seen to commonly configure administrative account details, therefore this tool can often allow quick privilege escalation from user to domain administrator.
Note MS14-025 prevents new preference items being created with credentials, but does not delete existing items.

Group Policy preferences were introduced by Microsoft in Windows 2008 allowing administrators to configure unmanaged settings (settings which the user can change) from a centrally managed location – Group Policy Objects (GPO).

GP3Finder has been released open source under the GPL2 license.

 

This tool requires the following:

  • Python2.7
  • PyWin32 (if running on Windows)
  • PyCrypto

 

Typical Usage:

Decrypt a given cpassword:
gp3finder.py -D CPASSWORD

The following commands output decrypted cpasswords (from Groups.xml etc) and list of xml files that contain the word ‘password’ (for manual review) to file (‘gp3finder.out’ by default, this can be changed with -o FILE).

Find and decrypt cpasswords on domain controller automatically:
gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAINUSER Password: PASSWORD

Maps DOMAIN_CONTROLLER’s sysvol share with given credentials.

Find and decrypt cpasswords on the local machine automatically:
gp3finder.py -A -l

Searches through “C:ProgramDataMicrosoftGroup PolicyHistory” (by default) this can be changed with -lr PATH

Find and decrypt cpasswords on a remote host:
gp3finder.py -A -t HOST -u DOMAINUSER -s C$ -rr "ProgramDataMicrosoftGroup PolicyHistory"
Find and decrypt cpasswords on hosts specified in a file (one per line):
gp3finder.py -A -f HOST_FILE -u DOMAINUSER -s C$ -rr "ProgramDataMicrosoftGroup PolicyHistory"

Note: the user this script is run as must have permission to map/mount shares if running against a remote host.

Additional Options: –help

More Information: here

[button size=large style=round color=red align=none url=https://bitbucket.org/grimhacker/gpppfinder] Download GP3Finder v4.0[/button]

Thanks to Oliver Morton, for sharing this tool with us. 😉

MaxiSoler

www.artssec.com @maxisoler
Top 10 Most Used MITRE ATT&CK Tactics & Techniques In 2020

Top 10 Most Used MITRE ATT&CK Tactics & Techniques In 2020

Top 10 Most Exploited Vulnerabilities in 2020

Top 10 Most Exploited Vulnerabilities in 2020

vFeed, Inc. Introduces Vulnerability Common Patch Format Feature

vFeed, Inc. Introduces Vulnerability Common Patch Format Feature

Efficiency of the Vulnerability Response With vFeed Intelligence

Efficiency of the Vulnerability Response With vFeed Intelligence

CVE In The Hook – Monthly Vulnerability Review (February 2020 Issue)

CVE In The Hook – Monthly Vulnerability Review (February 2020 Issue)

Fox Kitten -Iranian Espionage – leveraged 4 CVEs Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs

Fox Kitten -Iranian Espionage – leveraged 4 CVEs Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs