a.k.a. cPassword Attack
-> Group Policy Preferences (GPP) allowed admins to create policies with embedded credentials
-> These credentials were encrypted and stored in a “cPassword” attribute inside the policy's XML
-> The key needed to decrypt this “cPassword” was accidentally made public
-> Patched in MS14-025, but the patch only stops new credentials from being stored this way; GPP files created before it still carry the cPassword
-> STILL RELEVANT ON PENTESTS (according to Heath Adams)
Examples from a real pentest by tcm-sec (msfconsole screenshot, inverted colors)

Process
- use msfconsole
- RUN smb_enum_gpp (auxiliary/scanner/smb/smb_enum_gpp) after setting the appropriate OPTIONS
- this will look for Groups.xml in SYSVOL -> if found it will look for cPassword attributes -> if found it will decrypt and print the password

Mitigation
- PATCH! Fixed in KB29624886
- In reality the patch alone is not enough: delete the old GPP XML files stored in SYSVOL that still contain a cPassword
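As an added example (not from these notes, tcm-sec, or Metasploit), a small Python check for the last bullet: it walks a copy of SYSVOL for the GPP preference files that can carry a cPassword attribute, the same files the smb_enum_gpp step above hunts for, and reports where one is still present without touching the ciphertext itself. The Policies GUID, user name and ciphertext in the samples are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Drives.xml", "Services.xml",
             "ScheduledTasks.xml", "DataSources.xml", "Printers.xml"}

def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and report every element carrying a cpassword.
    Returns (relative path, tag, userName, ciphertext length) tuples, so a
    finding can be triaged without copying the secret itself around."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; skip rather than abort the sweep
            for elem in root.iter():
                # The notes say cPassword; on disk the attribute is lowercase. Match either.
                cpw = next((v for k, v in elem.attrib.items() if k.lower() == "cpassword"), "")
                if cpw:
                    findings.append((os.path.relpath(path, sysvol_root), elem.tag,
                                     elem.attrib.get("userName", "?"), len(cpw)))
    return findings

# Constructed samples: a Groups.xml with a leftover cpassword and a clean Drives.xml.
SAMPLE_FILES = {
    "Groups/Groups.xml": '<?xml version="1.0" encoding="utf-8"?><Groups><User name="LocalAdmin">'
    '<Properties action="U" userName="LocalAdmin" neverExpires="1" '
    'cpassword="CONSTRUCTED_CIPHERTEXT_NOT_A_REAL_VALUE=="/></User></Groups>',
    "Drives/Drives.xml": '<?xml version="1.0" encoding="utf-8"?><Drives><Drive name="H:">'
    '<Properties action="U" path="\\\\fileserver\\home"/></Drive></Drives>',
}

def demo():
    """Lay the samples out in a SYSVOL-style Policies tree and scan them."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}", "Machine", "Preferences")
        for rel, body in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
            with open(os.path.join(base, rel), "w") as f:
                f.write(body)
        return find_cpasswords(root)
```

Point find_cpasswords() at a mounted \\domain\SYSVOL\domain\Policies copy; every tuple it returns is a file to remove and a credential to rotate.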