Group Policy Objects – PS One-liners and useful commands for pentesting

  • In case anyone needs a quick one-liner to back up Group Policy Objects (GPOs) in an Active Directory environment, use the Backup-GPO PowerShell cmdlet as shown below:

Backup-GPO -All -Path C:\Temp\BackupFolder

  • An authenticated Domain User can access the SYSVOL network share and easily check whether any credentials are stored there using the following command. For example, the “cpassword” attribute in the GPP XML files can be instantly decrypted to plaintext.

Push-Location \\contoso.com\sysvol; gci * -Include *.xml,*.txt,*.bat,*.ps1,*.psm,*.psd -Recurse -EA SilentlyContinue | select-string password; Pop-Location

  • Retrieve all stored credentials from the Credential Manager with a one-liner using the CredentialManager PowerShell module:

Get-StoredCredential | % { write-host -NoNewLine $_.username; write-host -NoNewLine ":" ; $p = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_.password) ; [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($p); }

  • This one-liner is very useful for testing whether usernames and passwords are stored in clear text in the Winlogon registry location used for automatic logon at boot, as configured on Windows systems meant to be used as POS (Point of Sale) systems. The following command gets the auto-login credentials from the registry:

gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon' | select "Default*"

  • You can check your configured GPO by using the graphical interface or PowerShell. The following command can be used to review a GPO in HTML format.

Get-GPO -Name "ScreenSaverTimeOut" | Get-GPOReport -ReportType HTML -Path $Home\report.html; Invoke-Item $Home\report.html
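
An added example, not part of the original post, for the SYSVOL check in the second item: instead of a plain-text match on "password", it parses each XML file and lists every element that still carries a non-empty cpassword attribute, without printing or decoding the value, so each finding can be reported and the stored password removed. The function name, the account attribute names it matches, and the sample Groups.xml are assumptions constructed for the illustration.

```powershell
# Added example (not from the original post). Find-GppCpassword is a hypothetical name.
function Find-GppCpassword {
    param([Parameter(Mandatory)][string]$Path)   # SYSVOL path or another folder of policy files
    Get-ChildItem -Path $Path -Filter *.xml -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { return }   # skip files that are not well-formed XML
            # Any element, at any depth, with a non-empty cpassword attribute
            foreach ($node in $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
                # Assumption: the account name sits in one of these attributes (matched case-insensitively)
                $acct = $node.Attributes |
                    Where-Object { $_.Name -match '^(userName|accountName|runAs)$' } |
                    Select-Object -First 1
                [pscustomobject]@{
                    File    = $file.FullName
                    Element = $node.ParentNode.LocalName
                    Account = $acct.Value
                    Changed = $node.SelectSingleNode('../@changed').Value
                }
            }
        }
}

# Constructed sample standing in for a policy folder (not real data)
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin" changed="2013-05-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="Helpdesk" changed="2015-02-01 09:00:00">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $demo 'Groups.xml')

# The entry with an empty cpassword is ignored; the value itself is never output
Find-GppCpassword -Path $demo | Format-List
```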
