Groups.xml are found in the following directory \\IP-Address-of-the-DC\sysvol\NAME\Policies any domain user can access this directory, once you get creds go to it than do a search for groups.xml The important sections in the groups.xml file are the username and cpassword

See below were I’m using a test hash for the demo (note the hash was made up for this and will not reverse) but the demo shows how to do it manually in Kali once you get a real cpassword hash.




Manual reversal

root@kali:~ # /usr/share/metasploit-framework/tools/password/cpassword_decrypt.rb DemoHashab+5T4cr1H4gFZvD9OWzDEMO23ab5abpL6D124

[+] The decrypted AES password is: Foot32gBall@4147