{"id":37066727,"url":"https://github.com/t0thkr1s/gpp-decrypt","last_synced_at":"2026-01-14T07:49:54.461Z","repository":{"id":43858732,"uuid":"229057582","full_name":"t0thkr1s/gpp-decrypt","owner":"t0thkr1s","description":"Tool to parse the Group Policy Preferences XML file which extracts the username and decrypts the cpassword attribute.","archived":false,"fork":false,"pushed_at":"2025-08-07T05:32:55.000Z","size":54,"stargazers_count":142,"open_issues_count":0,"forks_count":12,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-24T18:09:57.718Z","etag":null,"topics":["active-directory","cpassword","cpassword-attribute","decryption","decrypts","extracts","gpp-decrypt","group-policy","parse","python3","screenshot"],"latest_commit_sha":null,"homepage":"https://medium.com/infosec-adventures","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t0thkr1s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-19T13:13:28.000Z","updated_at":"2025-09-20T05:31:58.000Z","dependencies_parsed_at":"2022-09-16T19:20:42.764Z","dependency_job_id":null,"html_url":"https://github.com/t0thkr1s/gpp-decrypt","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/t0thkr1s/gpp-decrypt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fgpp-decrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fgpp-decrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fgpp-decrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fgpp-decrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t0thkr1s","download_url":"https://codeload.github.com/t0thkr1s/gpp-decrypt/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fgpp-decrypt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28413506,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T05:26:33.345Z","status":"ssl_error","status_checked_at":"2026-01-14T05:21:57.251Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","cpassword","cpassword-attribute","decryption","decrypts","extracts","gpp-decrypt","group-policy","parse","python3","screenshot"],"created_at":"2026-01-14T07:49:53.988Z","updated_at":"2026-01-14T07:49:54.450Z","avatar_url":"https://github.com/t0thkr1s.png","language":"Python","funding_links":[],"categories":["红队\u0026渗透测试"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# 🚀 GPP-Decrypt\n\n**A tool to decrypt Group Policy Preferences (GPP) passwords**\n\n[![Python](https://img.shields.io/badge/Python-3.6%2B-blue?style=for-the-badge\u0026logo=python)](https://www.python.org/)\n[![License](https://img.shields.io/badge/License-GPL%20v3-green?style=for-the-badge)](https://github.com/t0thkr1s/gpp-decrypt/blob/master/LICENSE)\n[![Stars](https://img.shields.io/github/stars/t0thkr1s/gpp-decrypt?style=for-the-badge)](https://github.com/t0thkr1s/gpp-decrypt/stargazers)\n\n\u003c/div\u003e\n\n![Screenshot](https://i.imgur.com/dn7tNDc.png)\n\n## About\n\nGroup Policy Preferences (GPP) was introduced in Windows Server 2008 and allows administrators to set domain passwords via Group Policy. However, the passwords are encrypted with a publicly known AES-256 key, making them trivial to decrypt.\n\nThis tool decrypts these passwords from GPP XML files commonly found in SYSVOL shares.\n\n\u003e **Note**: Microsoft released [MS14-025](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30) which prevents new credentials from being stored in GPP. However, existing GPP XML files with encrypted passwords may still exist in many environments.\n\n## Installation\n\n### From PyPI (Recommended)\n\n```bash\npip install gpp-decrypt\n```\n\n### From Source\n\n```bash\ngit clone https://github.com/t0thkr1s/gpp-decrypt.git\ncd gpp-decrypt\npip install .\n```\n\n### Using Docker\n\n```bash\ndocker build -t gpp-decrypt .\ndocker run -v $(pwd):/data gpp-decrypt -f /data/groups.xml\n```\n\n## Usage\n\n### Command Line Interface\n\n```bash\n# Decrypt passwords from a GPP XML file\ngpp-decrypt -f groups.xml\n\n# Decrypt a single cpassword\ngpp-decrypt -c \"j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw\"\n\n# Show verbose output\ngpp-decrypt -f groups.xml --verbose\n\n# Suppress banner\ngpp-decrypt -f groups.xml --no-banner\n```\n\n### As a Python Library\n\n```python\nfrom gpp_decrypt import decrypt_password, parse_xml_file\n\n# Decrypt a single password\npassword = decrypt_password(\"j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw\")\nprint(f\"Decrypted: {password}\")\n\n# Parse and decrypt from XML file\nresults = parse_xml_file(\"groups.xml\")\nfor cred in results:\n    print(f\"Username: {cred['username']}, Password: {cred['password']}\")\n```\n\n## Example\n\nGPP XML files are typically found in the SYSVOL share of a domain controller:\n```\n\\\\\u003cDOMAIN\u003e\\SYSVOL\\\u003cDOMAIN\u003e\\Policies\\{\u003cPOLICY_GUID\u003e}\\Machine\\Preferences\\Groups\\Groups.xml\n\\\\\u003cDOMAIN\u003e\\SYSVOL\\\u003cDOMAIN\u003e\\Policies\\{\u003cPOLICY_GUID\u003e}\\User\\Preferences\\Groups\\Groups.xml\n```\n\nExample Groups.xml structure:\n```xml\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n\u003cGroups clsid=\"{3125E937-EB16-4b4c-9934-544FC6D24D26}\"\u003e\n  \u003cUser clsid=\"{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}\" \n        name=\"Administrator\" \n        image=\"2\" \n        changed=\"2023-01-01 00:00:00\" \n        uid=\"{EF57DA28-5F69-4530-A59E-AAB58578219D}\"\u003e\n    \u003cProperties action=\"U\" \n                newName=\"\" \n                fullName=\"\" \n                description=\"\" \n                cpassword=\"j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw\" \n                changeLogon=\"0\" \n                noChange=\"1\" \n                neverExpires=\"1\" \n                acctDisabled=\"0\" \n                userName=\"Administrator\"/\u003e\n  \u003c/User\u003e\n\u003c/Groups\u003e\n```\n\n## References\n\n- [Microsoft's MS14-025 Security Bulletin](https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30)\n- [Original GPP Decrypt Research](https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences/)\n- [Group Policy Preferences and Getting Your Domain 0wned](https://www.rapid7.com/blog/post/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/)\n\n## License\n\nThis project is licensed under the GNU General Public License v3.0 - see the [LICENSE](LICENSE) file for details.\n\n## Disclaimer\n\nThis tool is designed for authorized security testing and system administration only. Users are responsible for complying with all applicable laws and regulations. The authors assume no liability for misuse or damage caused by this program.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0thkr1s%2Fgpp-decrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft0thkr1s%2Fgpp-decrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0thkr1s%2Fgpp-decrypt/lists"}