Friday, 22 June 2012

Exploiting Windows 2008 Group Policy Preferences - Expanded

This follows on from the disclsoure http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences which discussed how Group Policy Preferences can be used to create Local Users on machines and the resulting passwords easily decrypted. (Edit: 25/7/2012 Metasploit module now available in the framework)

Browsing the MSDN documentation I noticed that there were many other preferences that could be set that also allow a password to be stored. For example Services.xml specifies services to run on end machines, and can specify a specific user and password for that service to run as.

Whilst these preferences may not be used as commonly as local users preferences (to set local administrator passwords), they may lead to current valid domain credentials rather than just local users accounts - for example specifying a domain user to connect to a network share in Drives.xml.

In addition to Groups.xml the following preference policy files will take an optional 'cpassword' attribute:

Services\Services.xml
http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)

ScheduledTasks\ScheduledTasks.xml
http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)

Printers\Printers.xml
http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)

Drives\Drives.xml
http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)

DataSources\DataSources.xml
http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)


Working with scriptmonkey, who already had a DC configured, we verified this theory against the DataSources by creating one with the following attributes:

 <Properties action="U" userDSN="0" dsn="test" driver="SQL Server" description="test data source" username="testusername" cpassword="AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk" />

D:\>decrypt.py AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk
testpassword


Solution - dont specify passwords within the Group Preference Policies as these are quite trivial to retrieve and decode!


Playing around with Win Server 2012 it looks like there is more warning about these settings:

 


Also dont forget you can search the domain/SYSVOL/scripts/ folder (NETLOGON is a mirror for Win2K machines) for hardcoded passwords that administrators have included in scripts... However that functionality isn't included in the module but findstr for password may pay dividends!

1 comment:

  1. The original website appears to be down (along with the Python POC).

    For a Ruby POC/Decoder from Chris Gates see:


    http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html

    ReplyDelete