Tool: Group Policy Passwords Exploit Tool – gp3finder

Group Policy preferences were introduced by Microsoft in Windows 2008, allowing administrators to configure unmanaged settings (settings which the user can change) from a centrally managed location – Group Policy Objects (GPO) [1].

Among the preference items configurable through Group Policy preferences are several that can contain credentials: Local Groups and User Accounts, Drive Mappings, Scheduled Tasks, Services, and Data Sources.

These credentials are stored within the preference item in SYSVOL, in the GPO containing that preference item. To obscure the password from casual users, it is encrypted in the XML file of the preference item [2]. However, anyone who gains access to SYSVOL can decrypt the passwords because Microsoft published the Advanced Encryption Standard (AES) encryption key [1]:

4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

Microsoft addressed this issue in MS14-025 [4]. However, this update only prevented the creation of new Group Policy Preference items containing credentials; it did not remove any existing instances, as this was considered too disruptive. Network administrators must therefore take action to find and remove these vulnerable items.
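
The search that this clean-up requires, as an added example (not part of gp3finder or the original post): a Python 3 script that walks a policy folder and reports every preference item still carrying a non-empty cpassword attribute, without decrypting it. The account attribute names and the sample Groups.xml content are assumptions constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Account-bearing attribute names, lower-cased (assumed from common GPP files).
ACCOUNT_ATTRS = ("username", "runas", "accountname")

def find_cpassword_items(root_dir):
    """Return one finding per XML element with a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in (f for f in files if f.lower().endswith(".xml")):
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed file: skip, do not abort
            # Child-to-parent map, so the item's "changed" date is reachable.
            parents = {c: p for p in tree.iter() for c in p}
            for elem in tree.iter():
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if not attrs.get("cpassword"):
                    continue  # attribute absent or empty: nothing stored
                item = parents.get(elem, elem)
                findings.append({
                    "file": path,
                    "item": item.tag,
                    "account": next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), ""),
                    "changed": item.get("changed", ""),
                })
    return findings

def demo():
    """Audit a constructed policy tree (sample data, not from a real GPO)."""
    xml = ('<?xml version="1.0" encoding="utf-8"?><Groups>'
           '<User name="svc_backup" changed="2013-06-01 09:00:00">'
           '<Properties userName="svc_backup" cpassword="CONSTRUCTED-VALUE"/>'
           '</User><User name="guest" changed="2015-01-01 09:00:00">'
           '<Properties userName="guest" cpassword=""/></User></Groups>')
    with tempfile.TemporaryDirectory() as root:
        gpo = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}", "Machine")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w") as fh:
            fh.write(xml)
        return find_cpassword_items(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointed at a SYSVOL Policies folder or a local Group Policy History cache, each finding names a preference item to remove and the account whose password was stored in it.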

Several tools exist to exploit this vulnerability including:

Get-GPPPassword (PowerShell – http://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html)

gpp (Metasploit Post Module – http://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp)

gpprefdecrypt.py (Python – http://esec-pentest.sogeti.com/public/files/gpprefdecrypt.py)

gpp-decrypt-string.rb (Ruby – http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html)

However, each of these existing tools has a significant weakness. Get-GPPPassword must be run from a Windows machine; the gpp Metasploit post module requires a meterpreter session; gpprefdecrypt.py and gpp-decrypt-string.rb require you to manually extract the cpassword for decryption; and finally, the version of gpprefdecrypt.py available for download no longer works at the time of writing (due to an update to PyCrypto that removed the default Initialisation Vector (IV) of 16 bytes of zeros).

Sec-1 Penetration Tester Oliver Morton therefore wrote a new cross platform tool, dubbed GP3Finder (Group Policy Preference Password Finder), to automate the process of finding, extracting and decrypting passwords stored in Group Policy preference items. This tool is written in Python (2.7) and depends on PyCrypto and PyWin32 on Windows or subprocesses on *nix based operating systems.

GP3Finder has been released open source under the GPL2 license here and a compiled executable for Windows is also available here.

Update v4.0

On a recent test, Oliver had compromised a single Windows host and had remote desktop access as a low privilege user. Since he couldn’t map the C$ share remotely, and didn’t want to search through the dozens of Group Policy Preference items using built in Windows utilities, he quickly added the required functionality to gp3finder instead.

Note: Group Policy Preferences are cached locally under the (hidden) directory: “C:\ProgramData\Microsoft\Group Policy\History\” by default.

In this update the option to specify the start path when searching a remote share was added. This allows you to quickly search for Group Policy Preference passwords when you have access to the C$ share without searching the entire drive.

Another significant change is that you can now specify multiple hosts to search – ideal if you have access to C$ on a number of hosts and want to check all of them. Note, this functionality is not threaded (yet) so can take some time to complete.

Finally, some of the command line options have been changed to ensure they are as intuitive as possible (see below or --help).

Example Usage

Decrypt a given cpassword:

gp3finder.py -D CPASSWORD

The following commands write the decrypted cpasswords (from Groups.xml etc.) and a list of XML files that contain the word ‘password’ (for manual review) to a file (‘gp3finder.out’ by default; this can be changed with -o FILE).

Find and decrypt cpasswords on domain controller automatically:

gp3finder.py -A -t DOMAIN_CONTROLLER -u DOMAIN\USER
 Password: PASSWORD

Maps DOMAIN_CONTROLLER’s sysvol share with given credentials.

Find and decrypt cpasswords on the local machine automatically:

gp3finder.py -A -l

Searches through “C:\ProgramData\Microsoft\Group Policy\History” by default; this can be changed with -lr PATH.

Find and decrypt cpasswords on a remote host:

gp3finder.py -A -t HOST -u DOMAIN\USER -s C$ -rr "ProgramData\Microsoft\Group Policy\History"

Find and decrypt cpasswords on hosts specified in a file (one per line):

gp3finder.py -A -f HOST_FILE -u DOMAIN\USER -s C$ -rr "ProgramData\Microsoft\Group Policy\History"

Note: the user this script is run as must have permission to map/mount shares if running against a remote host.

Additional options are available:

gp3finder.py --help

References

[1] [Online]. Available: http://www.microsoft.com/en-us/download/details.aspx?id=24449.
[2] [Online]. Available: http://blogs.technet.com/b/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx.
[3] [Online]. Available: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx.
[4] [Online]. Available: http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx.


Critical Vulnerability in Magento Platform

Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. This critical flaw in the Magento eCommerce platform exposes online shops to serious risk by allowing malicious hackers to access credit card data or execute arbitrary PHP code on the web server. This vulnerability should be considered a high risk factor for businesses making use of the Magento platform, and should be addressed as a matter of priority.

A plugin to detect this vulnerability has already been written for our SaaS scanning platform.

eBay has made a patch available to remediate this issue, which is available here:

https://www.magentocommerce.com/products/downloads/magento/


Helping the Community

One of the things we like to do at Sec-1 is contribute back to the community wherever possible. As full time Penetration Testers, we often perform Research and Development to identify new vulnerabilities, adding checks to our scanning tools to help organisations highlight areas of concern.

As well as this, we often create tools to aid the rest of our teams and to contribute back to the pen testing and general security community.

Recently, one of Sec-1’s penetration testers, Matthew Hall, made a significant contribution to the Metasploit project.


Goodbye 2014 & PCI DSS 2.0

As of the 1st Jan 2015 you cannot validate against PCI DSS Version 2 and must submit all validations against PCI DSS Version 3.0.

With this in mind we’ve produced an insightful new 8-page ‘Christmas-themed’ whitepaper, written by a Sec-1 Ltd Qualified Security Assessor (QSA): PCI DSS 3.0: A Christmas Carol.


Government Supply Chain to request Cyber Essentials from suppliers

‘Government Supply Chain to use Cyber Essentials to better manage the security risks presented by third parties.’

Cyber Essentials is the Government’s standard to encourage UK companies to attain a minimum level of security. Importantly, as of the 1st October 2014 any organisation bidding on projects published after this date will have to demonstrate that they comply with the standard.


50,000 Websites Hacked Through Critical WordPress Vulnerability.

Over 50,000 websites have been compromised within the first three weeks following the disclosure of a critical vulnerability in the MailPoet plugin (formerly known as Wysija Newsletter) for WordPress.

The vulnerability allows the attacker to upload any content including PHP script files to the server without authentication. Successful exploitation of the vulnerability allows the attacker to execute code on the WordPress system and take complete control of the website.

The popularity of the plugin (over 1.7 million downloads) has attracted the attention of Malware authors who have already seized the opportunity to create a worm designed to propagate via vulnerable WordPress systems [1].

The initial patch for the vulnerability failed to correctly fix the problem, therefore we recommend that users of the software apply the 2.6.9 update, even if patches were applied following the initial disclosure.

Scanning WordPress with AppCheck NG

The AppCheck NG system has a dedicated WordPress module designed to identify vulnerable plugins and configuration weaknesses.


Exploit

An exploit for the vulnerability has been published for the Metasploit Framework; Exploit Link

References

[1] Malware Infection; link

[2] Original Advisory; link
