FindGPPPasswords: Uncover Group Policy Preferences Passwords
FindGPPPasswords
A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.
Features
- Only requires a low-privileged domain user account.
- Automatically gets the list of all domain controllers from LDAP.
- Finds all the Group Policy Preferences Passwords present in SYSVOL share on each domain controller.
- Decrypts the passwords and prints them in cleartext.
- Outputs to an Excel file with option --export-xlsx <path_to_xlsx_file>.
- Option to test the credentials of the found GPP passwords with the --test-credentials option.
- Multi-threaded mode with option --threads <number_of_threads>.
Use
```
$ ./FindGPPPasswords -h
FindGPPPasswords - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.2

Usage: FindGPPPasswords [--quiet] [--debug] [--no-colors] [--export-xlsx <string>] [--test-credentials] --domain <string> --username <string> [--password <string>] [--hashes <string>] [--threads <int>] [--nameserver <string>] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps]

  -q, --quiet      Show no information at all. (default: false)
  -d, --debug      Debug mode. (default: false)
  -nc, --no-colors No colors mode. (default: false)

  Additional Options:
    -x, --export-xlsx <string> Path to output Excel file. (default: "")
    -tc, --test-credentials    Test credentials. (default: false)

  Authentication:
    -d, --domain <string>   Active Directory domain to authenticate to.
    -u, --username <string> User to authenticate as.
    -p, --password <string> Password to authenticate with. (default: "")
    -H, --hashes <string>   NT/LM hashes, format is LMhash:NThash. (default: "")
    -T, --threads <int>     Number of threads to use. (default: 0)

  DNS Settings:
    -ns, --nameserver <string> IP Address of the DNS server to use in the queries. If omitted, it will use the IP of the domain controller specified in the -dc parameter. (default: "")

  LDAP Connection Settings:
    -dc, --dc-ip <string>       IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter.
    -lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389)
    -L, --use-ldaps             Use LDAPS instead of LDAP. (default: false)
```
Example
By default, the tool will only find the GPP passwords and print them in cleartext:
./FindGPPPasswords-linux-amd64 --domain <domain> --username <username> --password <password>
There is also the possibility to test the credentials of the found GPP passwords with the --test-credentials option.
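For the remediation side of what the tool reports, the following added example (not part of FindGPPPasswords or of the original page) walks an offline copy of SYSVOL and lists which preference items still carry a non-empty cpassword attribute, without reading out or decrypting the value. The sample files, the placeholder policy GUID and the list of account attribute names are assumptions constructed for the example.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Attribute names assumed to carry the account on a GPP item (assumption).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

def audit_sysvol_copy(root_dir):
    """Return (findings, unreadable); cpassword values are never read out or decrypted."""
    root, findings, unreadable = Path(root_dir), [], []
    for path in sorted(root.rglob("*.xml")):
        rel = path.relative_to(root).as_posix()
        try:
            tree = ET.parse(path)
        except (ET.ParseError, OSError):
            unreadable.append(rel)  # flag for manual review instead of skipping silently
            continue
        for item in tree.iter():
            for props in item:
                if not props.get("cpassword"):  # absent or empty: nothing stored
                    continue
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
                findings.append({"file": rel, "item": item.tag, "account": account,
                                 "changed": item.get("changed", "")})
    return findings, unreadable

def build_constructed_sample(root_dir):
    """Write three constructed policy files (not real data) under root_dir."""
    base = Path(root_dir, "Policies", "{CONSTRUCTED-GUID}", "Machine", "Preferences")
    samples = {
        "Groups/Groups.xml": '<Groups><User name="svc_backup" changed="2013-05-02 09:14:11">'
                             '<Properties userName="svc_backup" cpassword="PLACEHOLDER"/>'
                             '</User></Groups>',
        "Drives/Drives.xml": '<Drives><Drive name="S:" changed="2020-01-01 00:00:00">'
                             '<Properties userName="" cpassword=""/></Drive></Drives>',
        "Services/Services.xml": "<NTServices><NTService",  # truncated on purpose
    }
    for rel, body in samples.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(audit_sysvol_copy(tmp))
```

Each finding names the policy file, the item and the account, which is what is needed to remove the stored password from the policy and rotate the affected account.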
