PowerShell script - auto-gpppassword.ps1

As you may have noticed, I have been researching PowerShell for a while now. During that research I came across an attack against Group Policy Preferences.

I thought of writing a PowerShell script that would search for these XML files, then extract and decrypt the password from them. However, I found that Chris Campbell (@obscuresec) had already written a script for it (http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html).

But, after doing some tests and comparing it to Metasploit's GPP post-exploitation module, I realised that the original script (and later the new version available at this link) did not scan the whole network for other domain controllers accessible to the current user, nor for additional XML files such as Drives.xml and Printers.xml.

So I thought I would add these to the existing script and then turn it into a standalone script for my own use. Now that the script is stable within my environment (it needs more testing), I thought I would publish it and see what you have to say about it.

Auto-gpppassword.ps1

Auto-gpppassword will enumerate all the domains of which the current user is a member, as well as all domain controllers accessible within the network, before trying to extract and decrypt the encrypted local administrator passwords.

In addition, if any XML files other than the known ones are found in the same location, the script uses a regex to pick out the cpassword field and then tries to decrypt it.
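The defensive counterpart of that search, as an added example that is not part of the original post, of auto-gpppassword.ps1 or of Get-GPPPassword.ps1: an audit function that walks a Policies tree, reports every GPP XML element that still carries a cpassword attribute (Groups.xml, Drives.xml, Printers.xml or any unlisted file) and leaves the values alone, so the preference can be found and removed. It uses an XPath query rather than the regex the post describes; the default path built from $env:USERDNSDOMAIN, the sample XML, the hostnames and the placeholder cpassword strings are all constructed for this example.

```powershell
# Added example (not from the original post, nor part of auto-gpppassword.ps1 or
# Get-GPPPassword.ps1): audit a Policies tree for Group Policy Preference XML
# files that still carry a cpassword attribute, and report where they are.
# It locates the fields only; it does not decrypt them.

function Find-GppCpassword {
    [CmdletBinding()]
    param(
        # Root folder to audit. The default assumes the current user's domain
        # SYSVOL share; point it at a local copy for offline runs.
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    Get-ChildItem -Path $Path -Filter *.xml -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
            } catch {
                Write-Warning "Skipping unparsable XML: $($file.FullName)"
                return
            }
            # XPath instead of a regex: any element with a cpassword attribute is
            # reported, whatever the file is called, so Groups.xml, Drives.xml,
            # Printers.xml and any unlisted GPP file are all covered.
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                $parent  = $node.ParentNode
                $account = $node.GetAttribute('userName')
                if (-not $account -and $parent -is [System.Xml.XmlElement]) {
                    $account = $parent.GetAttribute('name')
                }
                [pscustomobject]@{
                    File         = $file.FullName
                    Preference   = if ($parent -is [System.Xml.XmlElement]) { $parent.Name } else { $node.Name }
                    Account      = $account
                    HasCpassword = [bool]$node.GetAttribute('cpassword')
                }
            }
        }
}

# Constructed sample data so the audit can be exercised offline: a minimal
# Groups.xml, Drives.xml and Printers.xml under a temporary Policies tree. The
# cpassword values and hostnames are placeholders, not real ciphertext or servers.
$sample = Join-Path ([IO.Path]::GetTempPath()) ("gpp-audit-" + [guid]::NewGuid().ToString('N'))
$files = @{
    'Machine\Preferences\Groups\Groups.xml' = @'
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" cpassword="PLACEHOLDER-CIPHERTEXT-1" userName="LocalAdmin"/>
  </User>
</Groups>
'@
    'User\Preferences\Drives\Drives.xml' = @'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\fileserver.example.local\share" cpassword="PLACEHOLDER-CIPHERTEXT-2" userName="svc-share"/>
  </Drive>
</Drives>
'@
    'User\Preferences\Printers\Printers.xml' = @'
<Printers>
  <SharedPrinter name="Lobby">
    <Properties action="U" path="\\printserver.example.local\Lobby" cpassword="" userName=""/>
  </SharedPrinter>
</Printers>
'@
}
foreach ($rel in $files.Keys) {
    $full = Join-Path $sample $rel
    New-Item -ItemType Directory -Path (Split-Path $full) -Force | Out-Null
    Set-Content -LiteralPath $full -Value $files[$rel]
}

# Only entries that actually hold a ciphertext are actionable: Groups.xml and
# Drives.xml here; Printers.xml has an empty cpassword and is filtered out.
Find-GppCpassword -Path $sample | Where-Object HasCpassword | Format-Table -AutoSize

Remove-Item -LiteralPath $sample -Recurse -Force
```

Run against the real share by calling Find-GppCpassword with no -Path, or with the path of a SYSVOL copy; each row names the file, the preference type (User, Drive, SharedPrinter) and the account, which is what is needed to locate and delete the offending preference in the Group Policy editor.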

Link:

Current Version:

v1.0

License:

GNU GPL v2

Usage

The default is to enumerate the domains of which the current user is a member:

.\auto-gpppassword.ps1

To enumerate all domain controllers accessible within the network:

.\auto-gpppassword.ps1 -enumall:$true

By default the script does not check for network access to each server before querying it. Enabling the check might require admin access to the system (for packet crafting):

.\auto-gpppassword.ps1 -checkacc:$true

Kudos to Chris Campbell (@obscuresec) – http://obscuresecurity.blogsopt.co.uk for writing Get-GPPPassword.ps1, on which my script heavily relies.