GPOs

• cPassword-Attack
  • MS14-025 group policy preferences attack
    • so this might be server 2012 story
  • metasploit: smb_enum_gpp + gpp_decrypt
• enter replication (this has anonymous access) with smbclient
  • prompt off, recurse on
  • mget *
  • notice Groups.xml
  • copy cpassword, gpp-decrypt, then use name+cpassword to login
• crackmapexec kann das auch

references

• https://www.synacktiv.com/en/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more