FindGPPPasswords: Uncover Group Policy Preferences Passwords

by ddos · Published May 23, 2025 · Updated May 22, 2025

FindGPPPasswords

A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.

Features

Only requires a low privileges domain user account.
Automatically gets the list of all domain controllers from the LDAP.

Finds all the Group Policy Preferences Passwords present in SYSVOL share on each domain controller.
Decrypts the passwords and prints them in cleartext.
Outputs to a Excel file with option --export-xlsx <path_to_xlsx_file>.

Option to test the credentials of the found GPP passwords with the --test-credentials option.
Multi-threaded mode with option --threads <number_of_threads>.

Use

$ ./FindGPPPasswords -h
FindGPPPasswords - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.2

Usage: FindGPPPasswords [--quiet] [--debug] [--no-colors] [--export-xlsx <string>] [--test-credentials] --domain <string> --username <string> [--password <string>] [--hashes <string>] [--threads <int>] [--nameserver <string>] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps]

  -q, --quiet      Show no information at all. (default: false)
  -d, --debug      Debug mode. (default: false)
  -nc, --no-colors No colors mode. (default: false)

  Additional Options:
    -x, --export-xlsx <string> Path to output Excel file. (default: "")
    -tc, --test-credentials    Test credentials. (default: false)

  Authentication:
    -d, --domain <string>   Active Directory domain to authenticate to.
    -u, --username <string> User to authenticate as.
    -p, --password <string> Password to authenticate with. (default: "")
    -H, --hashes <string>   NT/LM hashes, format is LMhash:NThash. (default: "")
    -T, --threads <int>     Number of threads to use. (default: 0)

  DNS Settings:
    -ns, --nameserver <string> IP Address of the DNS server to use in the queries. If omitted, it will use the IP of the domain controller specified in the -dc parameter. (default: "")

  LDAP Connection Settings:
    -dc, --dc-ip <string>       IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
    -lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
    -L, --use-ldaps             Use LDAPS instead of LDAP. (default: false)

Example

By default, the tool will only find the GPP passwords and print them in cleartext:

./FindGPPPasswords-linux-amd64 –domain <domain> –username <username> –password <password>

There is also the possibility to test the credentials of the found GPP passwords with the --test-credentials option.

./FindGPPPasswords-linux-amd64 –test-credentials –domain <domain> –username <username> –password <password>

Search

Brilliantly

Content & Links