A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts.
- Only requires a low privileges domain user account.
- Automatically gets the list of all domain controllers from the LDAP.
- Finds all the Group Policy Preferences Passwords present in SYSVOL share on each domain controller.
- Decrypts the passwords and prints them in cleartext.
- Outputs to a Excel file with option
--export-xlsx <path_to_xlsx_file>. - Option to test the credentials of the found GPP passwords with the
--test-credentialsoption. - Multi-threaded mode with option
--threads <number_of_threads>.
By default, the tool will only find the GPP passwords and print them in cleartext:
./FindGPPPasswords-linux-amd64 --domain <domain> --username <username> --password <password>
There is also the possibility to test the credentials of the found GPP passwords with the --test-credentials option.
./FindGPPPasswords-linux-amd64 --test-credentials --domain <domain> --username <username> --password <password>
$ ./FindGPPPasswords -h FindGPPPasswords - by Remi GASCOU (Podalirius) @ TheManticoreProject - v1.2 Usage: FindGPPPasswords [--quiet] [--debug] [--no-colors] [--export-xlsx <string>] [--test-credentials] --domain <string> --username <string> [--password <string>] [--hashes <string>] [--threads <int>] [--nameserver <string>] --dc-ip <string> [--ldap-port <tcp port>] [--use-ldaps] -q, --quiet Show no information at all. (default: false) -d, --debug Debug mode. (default: false) -nc, --no-colors No colors mode. (default: false) Additional Options: -x, --export-xlsx <string> Path to output Excel file. (default: "") -tc, --test-credentials Test credentials. (default: false) Authentication: -d, --domain <string> Active Directory domain to authenticate to. -u, --username <string> User to authenticate as. -p, --password <string> Password to authenticate with. (default: "") -H, --hashes <string> NT/LM hashes, format is LMhash:NThash. (default: "") -T, --threads <int> Number of threads to use. (default: 0) DNS Settings: -ns, --nameserver <string> IP Address of the DNS server to use in the queries. If omitted, it will use the IP of the domain controller specified in the -dc parameter. (default: "") LDAP Connection Settings: -dc, --dc-ip <string> IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted, it will use the domain part (FQDN) specified in the identity parameter. -lp, --ldap-port <tcp port> Port number to connect to LDAP server. (default: 389) -L, --use-ldaps Use LDAPS instead of LDAP. (default: false) Pull requests are welcome. Feel free to open an issue if you want to add other features.
- Remi GASCOU (Podalirius) for the creation of the FindGPPPasswords project before transferring it to TheManticoreProject.