🤐GPP / cPassword Attacks

Group Policy Preferences (GPP) allowed administrators to create domain policies with embedded credentials

These policies allowed them to set local accounts, and embed credentials for various purposes that may otherwise require an embedded password in a script. So when a new Group Policy Preference (GPP) is generated, a xml file (generally Groups.xml) with the configuration data, including any passwords associated with the GPP, is created in the SYSVOL share which are folders on domain controllers accessible and readable to all authenticated domain users.

It was patched a long time ago but it's still good to try because if the older files were never deleted than the attack could still work

Nice CTF on the subject :

☢️pageActive

We can also use metasploit:

Build, Attack, Defend, Fix – Paving the way to DAZephrSec - Adventures In Information Security

GPP attacksInternal Pentest