Python tool that decrypts credentials stored in Group Policy Preferences (GPP) files (Groups.xml) located in the SYSVOL folder.
Project description
gpp-cpass-decrypt
Python 3 script that decrypts credentials (cPassword) stored in Group Policy Preferences (GPP) files (Groups.xml
) located in the SYSVOL folder.
A very handy and useful tool for Ethical Hackers during Penetration Testing Projects, Red Team Exercises or CTFs involving attacks to Active Directory infrastructures.
If you find gpp-cpass-decrypt
useful, please to the authors. Thank you!
Clone Repo
git clone https://github.com/galoget/gpp-cpass-decrypt
Install Dependencies
This tool has 2 dependencies:
In order to avoid conflicts with any other installed modules in your system, it is recommended (not mandatory) to use a virtual environment (virtualenv
).
Both dependencies are included in requirements.txt
and can be installed in any of the following ways (just use one method):
Method 1
By doing the automated installation from PyPi with pip3
, this command will install all dependencies (pip3
MUST be installed in your system):
pip3 install gpp-cpass-decrypt
With this method you can use the tool as any other command without calling it with Python (don't forget to add your pip binary path to your PATH variable).
In Kali Linux this is the default path you need to add to your PATH
environment variable.
/home/kali/.local/bin
Then, simply run:
gpp_cpass_decrypt -c <base64_encoded_cpassword>
Method 2
By using pip3
and installing the dependencies manually (pip3
MUST be installed in your system):
pip3 install pycryptodome colorama
Method 3
By using pip3
and requirements.txt
. Again pip3
MUST be installed in your system:
pip3 install -r requirements.txt
Method 4
By using setuptools:
python3 setup.py install
From Method 2 to Method 4. In case you don't want to install the tool in your system. You can use it as a Python script that is not managed by pip
:
python3 gpp_cpass_decrypt.py -c <base64_encoded_cpassword>
Running the tool
You can run the tool with any of the following commands. They are equivalent:
python3 gpp_cpass_decrypt.py -c <base64_encoded_cpassword>
python3 gpp_cpass_decrypt.py --cpassword <base64_encoded_cpassword>
Execution Example
Command:
Installed using Method 1:
gpp_cpass_decrypt -c "gtTqxKHj4RWsxHWcZcWtM8j7XbxiL7w+SwIyQbAetjEUfqBg2HmTklEXlDHuQPgE3NyuCKZ9Nu3oeXaeSt+9JQ=="
Expected Output:
Decrypted Password: Hackem Cybersecurity Research Group
More Examples:
You can continue testing the tool with the following encrypted strings:
Ciphertext 1: YTGHyibeELFS0elGK9Z40dryAJbGpDAMwgW3DakPXyE=
Plaintext 1: Hello World
Ciphertext 2: FhkrztByQuGCkRwrk18AUp/qLNAG33QC/96rUFoSQm+2O8jPqTtAeoOig3mhfsFGr6NsKrZBiI4d6iy8Jro/Bw==
Plaintext 2: HackemCTF{R3d_T34m_0p3r4t0r_3xp3rt_8724376348734}
Ciphertext 3: c+jaRBWag4oGSHYnF73o1snzocCYsF2EP1DO7CFbe70=
Plaintext 3: Cryptography is Fun
Disclaimer
This tool can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by any of the tools included in this repository.
License
This Project is licensed under GNU GPLv2.0 License. For any further detailes, please see the LICENSE file included in this repository.
Contact
In case you:
- Want to report a bug or any unexpected behavior
- Want to collaborate with the project or have an interesting ideas on how to improve it (new features)
- Have any questions about the tool that are not documented in the repository
You can contact the author directly in this link via a private message.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for gpp_cpass_decrypt-0.0.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 21c872d17df350524be0758ae2564744f67941c12d620c294cdc030c791ea60d |
|
MD5 | ea09755ebc4a661c20cdaf2fe123a65a |
|
BLAKE2b-256 | f8bbac975fe115030d06b70463f9e2755c225c46bffa8a5bf414487032db66b1 |