Lateral Movement Part 1

March 30, 2017 | Views: 3619


Scenario: you are a normal user in your company’s domain. No admin privileges. Nothing. You can’t even install a program on your machine.

What if I told you that you could be the local administrator on your machine, and probably on several more in your organization?

I am not able to count the number of things you are able to do as a local admin (evil / non-evil) :-)… For this post I am going to demonstrate how to simply move from a normal user to local admin privileges. This is an attack vector I have been using in various security assessments. Time to let the cat out of the bag…haha.

What are Group Policy Preferences Passwords?

In a nutshell: sysadmins have 100-plus machines on a domain and want to configure all of them, so chances are they use the same local admin password to install programs and configure every machine in the domain. They do this through a GPO; hence the Group Policy Preferences password, which conveniently pushes the same password to all hosts in the domain. Convenience at the expense of security – how many times do we see that?

Ways to find the GPPP password?

To be honest, countless. But I shall show a few here.

1. Manually browsing to \\<domain name>\SYSVOL\<domain name>\Policies

Look for *.xml files, specifically Groups.xml or Services.xml.

Opening one of the Groups.xml files, we see a cpassword field which is encrypted. Game over? NO. Microsoft published the decryption AES key here – a whole 32-byte AES key. Let that sink in.

So basically: decrypt it and you have your local administrator password…in CLEARTEXT.

2. Use PowerShell tools:

For the lazy ones, there are multiple PowerShell tools to find the GPPP. An example is Get-GPPP.ps1; shoutout to this smart guy, @obscuresec.

3. A custom tool designed to explicitly output the password in cleartext – gp3finder by Oliver Morton.

4. Trust Metasploit not to get left out…msf FTW!

Okay, we get the point – it’s too easy to get this password.
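The same SYSVOL walk the post describes is also how a blue team audits its own domain for leftover cpassword entries. The following is an added example (not code from the original post or from any of the tools named above): it parses the Preferences XML files for any element carrying a non-empty cpassword attribute and reports the file, element and account, without touching the key or decrypting anything. The sample Groups.xml and the placeholder ciphertext are constructed for the demo.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preferences XML files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": source, "error": str(exc)}]
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:  # absent or already cleared ("") -> nothing to report
            continue
        findings.append({
            "file": source,
            "element": elem.tag,
            "action": elem.get("action", ""),
            # Groups.xml uses userName; Services/ScheduledTasks use accountName/runAs
            "account": elem.get("userName") or elem.get("accountName")
                       or elem.get("runAs", ""),
            "cpassword_len": len(cpassword),
        })
    return findings

def scan_policies(policies_dir):
    """Walk a SYSVOL Policies directory and collect findings from GPP XML files."""
    results = []
    for dirpath, _dirs, files in os.walk(policies_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
    return results

# Constructed sample Groups.xml: one entry still carrying a cpassword, one already cleared.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2017-03-01 10:12:51">
    <Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER_CIPHERTEXT" noChange="1"
                neverExpires="1" userName="Administrator (built-in)"/>
  </User>
  <User name="helpdesk"><Properties action="U" cpassword="" userName="helpdesk"/></User>
</Groups>"""
```

Run `scan_policies(r"\\<domain name>\SYSVOL\<domain name>\Policies")` from a domain-joined host; any finding means a GPO still ships a recoverable local password and should be replaced (for example with LAPS) and the cpassword attribute removed.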

Now that we have the local admin password.

The mere fact that you got this password from GPPP tells you one thing – chances are it is used on most, if not all, machines in the domain! Think about the lateral movement that is possible, the dumping of passwords – mimikatz, anyone?

That doesn’t sound so good for the blue teamers, right? In the next post we are going to see practical ways to mitigate this.

Remember, this is not a new attack vector; the reason I am putting this up is that in all the penetration testing assessments I have been doing, this has been a recurring vulnerability.

1. Awesome info. Keep up the good work. More like these please. Thanks for your time.

2. Hmm, here they were smarter – just added a domain account as admin, no cpasswd today.
