Thursday, May 24, 2012

GPP Password Retrieval with PowerShell

Last week, I read a great post entitled "Exploiting Windows 2008 Group Policy Preferences" that I wish I saw sooner.  The article included a nice Python script to accomplish the task of decrypting passwords that were set using the GPP feature in Windows 2008 domains.  However, it looked like something that would be handy to have in a PowerShell script.  Before I continue, I would like to point out the updated disclaimer, it certainly applies to this post.

You should read the original article, but the quick summary is that its possible for any authenticated user (this includes machine accounts) on the domain to decrypt passwords that are enforced with Windows 2008 Group Policy Preferences.  From my experience, this practice is common for larger domains which need to set different local administrator ("500" account) passwords for different OUs.

Python is an excellent scripting language, but PowerShell has two notable advantages in this specific use-case.  First, PowerShell does not require any additional libraries since it has access to the entire .NET framework.  Second, PowerShell is installed by default on all modern Windows systems to include Windows Server 2008 so it can be used right from the machine you are on.

The following Get-GPPPassword PowerShell script can be used by penetration testers to elevate to local administrator privileges (on your way to Domain Admin) by downloading the "groups.xml" file from the domain controller and passing it to the script.  The files are typically found in:

\\domain\SYSVOL\domain\Policies\{*}\Machine\Preferences\Groups\Groups.xml

Get-GPPPassword (Use Updated Version)


To run the function, just copy and paste the text into powershell and type 'Get-GPPPassword'. This will in effect bypass the ExecutionPolicy.

Writing this script ended up not being as easy as I originally thought mostly due to never dealing with .NET and crypto before.  I would like to thank Matt Graeber for solving the null IV issue, Mike Santiago for general code improvements and of course Emilien Giraul (and the Sogeti ESEC Pentest team for their detailed writeup).



Try it out and let me know what you think.

***Update 26 May 2012***
You can also download the maintained version of the script from the PowerSploit repository on GitHub.  It already has some great scripts for Windows post-exploitation on it!

***Update 16 June 2012***
Updated the script block with the improvements from Matt Graeber.  Matt wrapped it into a function and apparently saved a puppy by creating a new object (avoiding the use of write-host).

***Update 3 July 2013***
I have reorganized and rewritten the script. You can find the updated version and read about it here.
-Chris

Wednesday, May 9, 2012

PowerShell Password Fun

Yesterday, there was a bit of hype about five pastebin posts that appeared to be 55K twitter usernames and passwords.  The passwords turned out to be old, repetitive and mostly available in other dumps. However, as explained in a previous post, all passwords are important.

Here are the links in case you would like to look at them:


In order to analyze these passwords, I downloaded the five lists into a single file named twitter_passwords.txt.  Next, I used the following PowerShell one-liner to output the more complex passwords in the list:

((gc .\twitter_passwords.txt | %{$_.split(':')[1]} | sort -unique) -cmatch "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\x21-\x2F\x3A-\x40\x5B-\x60\x7B-\x7F]).{10,50}$")


First, we use the get-content cmdlet (gc is an alias) to pipe the contents of twitter_passwords.txt to foreach ("%" is an alias) which is splitting based on ":".  The results are then sorted with only unique strings (this should be moved to the end for larger lists to avoid the issues described here).  The next bit uses regular expressions to trim the list to those strings that are at least 10 characters (less than 50) with at least one upper, one lower, one number and a special character. Thanks Matt for suggesting the use of hex to save a lot of time and headache.

The disappointing output:
88455036.Ass
Bolinha@2008
Bruno&58236280
Cristal!89
F@tern2010
FLLAvyio@123
Frida2009$
Luis_carlos9
Mayr@2829
UNC**lab2007

Looking at these passwords, the only useable pattern that jumps out is the use of years.  I added them to my dictionary, but hopefully the one-liner is useful in the future.  Of note, some applications like OpManager don't allow special characters in passwords so this list might be useful.

-Chris