Skip to content

Add example script to enum, parse and extract gMSA passwords - gmsadump.py#2171

Open
ThatTotallyRealMyth wants to merge 9 commits into
fortra:masterfrom
ThatTotallyRealMyth:add-gmsapassword-example
Open

Add example script to enum, parse and extract gMSA passwords - gmsadump.py#2171
ThatTotallyRealMyth wants to merge 9 commits into
fortra:masterfrom
ThatTotallyRealMyth:add-gmsapassword-example

Conversation

@ThatTotallyRealMyth
Copy link
Copy Markdown
Contributor

@ThatTotallyRealMyth ThatTotallyRealMyth commented Apr 10, 2026
edited
Loading

Hi there!

This PR adds gmsadump.py, a new example script for enumerating Group Managed Service Accounts (gMSAs) as well as extracting their current(and previous) NT, and AES kerberos keys credentials. This script is heavily based on https://github.com/micahvandeusen/gMSADumper

Many differences exist but credit goes to micahvandeusen for doing a lot of the heavy lifting. Additionally, this script was also a team effort by myself and @chin-tech

Additionally, all ldap3 elements from gMSADumper were extracted in favor of impackets. Mainly due to the fact that ldap3 cant support connecting to a DC enforcing LDAP signing using NTLM(no sasl support).

Features

  • enumerate gMSA objects, identifying users/groups/ous etc that can read their passwords
  • identify principals allowed to read each gMSA password
  • retrieve and parse msDS-ManagedPassword attribute t to extract the NT, and AES creds format
  • display previous password in NT hash and AES kerberos key formats.
  • Allow for selecting a specific gmsa(using -gmsa) object to enumerate who can read its msDS-ManagedPassword(name and sid)
  • Allowing for the retrieval of a target gMSA objects credentials via -gmsa. It also accepts wild cards, appends the $ when not given
  • implement a -enum flag that allows user to avoid extraction and only enum all gMSA objects and the readers ACLs

Sample Output

For example using the -enum flag with specifying a target, it will only enum that:

└─$ time python3 gmsadump.py dmz.domain.comi/meowmeowbinks:PasswordSuper10+ -dc-ip 192.168.133.60 -enum -gmsa svc-gMSA-10
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] [+] Using plain LDAP with NTLM Sign+Seal.
[*] Querying 192.168.133.60 for gMSA objects.

[*] Account:    svc-gMSA-10$
    [*]Readable by:
      - user91 (S-1-5-21-4829137541-2641803372-908776154-1711)
      - user92 (S-1-5-21-4829137541-2641803372-908776154-1712)
      - user93 (S-1-5-21-4829137541-2641803372-908776154-1713)
      - user94 (S-1-5-21-4829137541-2641803372-908776154-1714)
      - user95 (S-1-5-21-4829137541-2641803372-908776154-1715)
      - user96 (S-1-5-21-4829137541-2641803372-908776154-1716)
      - user97 (S-1-5-21-4829137541-2641803372-908776154-1717)
      - user98 (S-1-5-21-4829137541-2641803372-908776154-1718)
      - user99 (S-1-5-21-4829137541-2641803372-908776154-1719)
      - user100 (S-1-5-21-4829137541-2641803372-908776154-1720)


real    1.80s
user    0.17s
sys     0.03s
cpu     11%

By default, it will extract all the gmsas your calling user can extract while also printing out which other gMSA objects are present + who can read those:

└─$ time python3 gmsadump.py dmz.domain.com/meowmeowbinks:PasswordSuper10+ -dc-ip 192.168.133.60 -debug                 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] [*] Connecting to ldap://192.168.133.60
[+] Connecting to 192.168.133.60, port 389, SSL False, signing True
[+] [*] Authenticating with NTLM
[*] [+] Using plain LDAP with NTLM Sign+Seal.
[*] Querying 192.168.133.60 for gMSA objects.
[+] Search filter: (&(objectClass=msDS-GroupManagedServiceAccount))
[+] Attributes requested: ['sAMAccountName', 'msDS-GroupMSAMembership', 'msDS-ManagedPassword']

[*] Account:    dmzsvcgmsa$
    [*]Readable by:
      - Domain Users (S-1-5-21-4829137541-2641803372-908776154-513)
      - Domain Computers (S-1-5-21-4829137541-2641803372-908776154-515)
      - dadmin (S-1-5-21-4829137541-2641803372-908776154-1106)
      - meowmeowbinks (S-1-5-21-4829137541-2641803372-908776154-1608)
    dmzsvcgmsa$::::f402e86e144f8ffdbf6cb3234c38551f
    dmzsvcgmsa$:aes256-cts-hmac-sha1-96:012e473fec16e6c1c854008d7fcaf770e21473b5496f0dea221f45052cd53d6b
    dmzsvcgmsa$:aes128-cts-hmac-sha1-96:d8cd81bc7b680058252e8c8e116b5f6c

    [Previous Password]
    dmzsvcgmsa$::::c6490ecce53b223e80f3ed60c8da0ce0
    dmzsvcgmsa$:aes256-cts-hmac-sha1-96:b52b9490c32da232c52116a7a47d88bf077887ad8dd3d767dec90fa773b1a0d0
    dmzsvcgmsa$:aes128-cts-hmac-sha1-96:439e2e09b0f75da09ad6003bfb08123a

[*] Account:    svc-gMSA-1$
    [*]Readable by:
      - user1 (S-1-5-21-4829137541-2641803372-908776154-1621)
      - user2 (S-1-5-21-4829137541-2641803372-908776154-1622)
      - user3 (S-1-5-21-4829137541-2641803372-908776154-1623)
      - user4 (S-1-5-21-4829137541-2641803372-908776154-1624)
      - user5 (S-1-5-21-4829137541-2641803372-908776154-1625)
      - user6 (S-1-5-21-4829137541-2641803372-908776154-1626)
      - user7 (S-1-5-21-4829137541-2641803372-908776154-1627)
      - user8 (S-1-5-21-4829137541-2641803372-908776154-1628)
      - user9 (S-1-5-21-4829137541-2641803372-908776154-1629)
      - user10 (S-1-5-21-4829137541-2641803372-908776154-1630)
[*] msDS-ManagedPassword not returned (this account may not be authorized to read it)

[*] Account:    svc-gMSA-2$
    [*]Readable by:
      - user11 (S-1-5-21-4829137541-2641803372-908776154-1631)
      - user12 (S-1-5-21-4829137541-2641803372-908776154-1632)
      - user13 (S-1-5-21-4829137541-2641803372-908776154-1633)
      - user14 (S-1-5-21-4829137541-2641803372-908776154-1634)
      - user15 (S-1-5-21-4829137541-2641803372-908776154-1635)
      - user16 (S-1-5-21-4829137541-2641803372-908776154-1636)
      - user17 (S-1-5-21-4829137541-2641803372-908776154-1637)
      - user18 (S-1-5-21-4829137541-2641803372-908776154-1638)
      - user19 (S-1-5-21-4829137541-2641803372-908776154-1639)
      - user20 (S-1-5-21-4829137541-2641803372-908776154-1640)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-3$
    [*]Readable by:
      - user21 (S-1-5-21-4829137541-2641803372-908776154-1641)
      - user22 (S-1-5-21-4829137541-2641803372-908776154-1642)
      - user23 (S-1-5-21-4829137541-2641803372-908776154-1643)
      - user24 (S-1-5-21-4829137541-2641803372-908776154-1644)
      - user25 (S-1-5-21-4829137541-2641803372-908776154-1645)
      - user26 (S-1-5-21-4829137541-2641803372-908776154-1646)
      - user27 (S-1-5-21-4829137541-2641803372-908776154-1647)
      - user28 (S-1-5-21-4829137541-2641803372-908776154-1648)
      - user29 (S-1-5-21-4829137541-2641803372-908776154-1649)
      - user30 (S-1-5-21-4829137541-2641803372-908776154-1650)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-4$
    [*]Readable by:
      - user31 (S-1-5-21-4829137541-2641803372-908776154-1651)
      - user32 (S-1-5-21-4829137541-2641803372-908776154-1652)
      - user33 (S-1-5-21-4829137541-2641803372-908776154-1653)
      - user34 (S-1-5-21-4829137541-2641803372-908776154-1654)
      - user35 (S-1-5-21-4829137541-2641803372-908776154-1655)
      - user36 (S-1-5-21-4829137541-2641803372-908776154-1656)
      - user37 (S-1-5-21-4829137541-2641803372-908776154-1657)
      - user38 (S-1-5-21-4829137541-2641803372-908776154-1658)
      - user39 (S-1-5-21-4829137541-2641803372-908776154-1659)
      - user40 (S-1-5-21-4829137541-2641803372-908776154-1660)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-5$
    [*]Readable by:
      - user41 (S-1-5-21-4829137541-2641803372-908776154-1661)
      - user42 (S-1-5-21-4829137541-2641803372-908776154-1662)
      - user43 (S-1-5-21-4829137541-2641803372-908776154-1663)
      - user44 (S-1-5-21-4829137541-2641803372-908776154-1664)
      - user45 (S-1-5-21-4829137541-2641803372-908776154-1665)
      - user46 (S-1-5-21-4829137541-2641803372-908776154-1666)
      - user47 (S-1-5-21-4829137541-2641803372-908776154-1667)
      - user48 (S-1-5-21-4829137541-2641803372-908776154-1668)
      - user49 (S-1-5-21-4829137541-2641803372-908776154-1669)
      - user50 (S-1-5-21-4829137541-2641803372-908776154-1670)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-6$
    [*]Readable by:
      - user51 (S-1-5-21-4829137541-2641803372-908776154-1671)
      - user52 (S-1-5-21-4829137541-2641803372-908776154-1672)
      - user53 (S-1-5-21-4829137541-2641803372-908776154-1673)
      - user54 (S-1-5-21-4829137541-2641803372-908776154-1674)
      - user55 (S-1-5-21-4829137541-2641803372-908776154-1675)
      - user56 (S-1-5-21-4829137541-2641803372-908776154-1676)
      - user57 (S-1-5-21-4829137541-2641803372-908776154-1677)
      - user58 (S-1-5-21-4829137541-2641803372-908776154-1678)
      - user59 (S-1-5-21-4829137541-2641803372-908776154-1679)
      - user60 (S-1-5-21-4829137541-2641803372-908776154-1680)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-7$
    [*]Readable by:
      - user61 (S-1-5-21-4829137541-2641803372-908776154-1681)
      - user62 (S-1-5-21-4829137541-2641803372-908776154-1682)
      - user63 (S-1-5-21-4829137541-2641803372-908776154-1683)
      - user64 (S-1-5-21-4829137541-2641803372-908776154-1684)
      - user65 (S-1-5-21-4829137541-2641803372-908776154-1685)
      - user66 (S-1-5-21-4829137541-2641803372-908776154-1686)
      - user67 (S-1-5-21-4829137541-2641803372-908776154-1687)
      - user68 (S-1-5-21-4829137541-2641803372-908776154-1688)
      - user69 (S-1-5-21-4829137541-2641803372-908776154-1689)
      - user70 (S-1-5-21-4829137541-2641803372-908776154-1690)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-8$
    [*]Readable by:
      - user71 (S-1-5-21-4829137541-2641803372-908776154-1691)
      - user72 (S-1-5-21-4829137541-2641803372-908776154-1692)
      - user73 (S-1-5-21-4829137541-2641803372-908776154-1693)
      - user74 (S-1-5-21-4829137541-2641803372-908776154-1694)
      - user75 (S-1-5-21-4829137541-2641803372-908776154-1695)
      - user76 (S-1-5-21-4829137541-2641803372-908776154-1696)
      - user77 (S-1-5-21-4829137541-2641803372-908776154-1697)
      - user78 (S-1-5-21-4829137541-2641803372-908776154-1698)
      - user79 (S-1-5-21-4829137541-2641803372-908776154-1699)
      - user80 (S-1-5-21-4829137541-2641803372-908776154-1700)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-9$
    [*]Readable by:
      - user81 (S-1-5-21-4829137541-2641803372-908776154-1701)
      - user82 (S-1-5-21-4829137541-2641803372-908776154-1702)
      - user83 (S-1-5-21-4829137541-2641803372-908776154-1703)
      - user84 (S-1-5-21-4829137541-2641803372-908776154-1704)
      - user85 (S-1-5-21-4829137541-2641803372-908776154-1705)
      - user86 (S-1-5-21-4829137541-2641803372-908776154-1706)
      - user87 (S-1-5-21-4829137541-2641803372-908776154-1707)
      - user88 (S-1-5-21-4829137541-2641803372-908776154-1708)
      - user89 (S-1-5-21-4829137541-2641803372-908776154-1709)
      - user90 (S-1-5-21-4829137541-2641803372-908776154-1710)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

[*] Account:    svc-gMSA-10$
    [*]Readable by:
      - user91 (S-1-5-21-4829137541-2641803372-908776154-1711)
      - user92 (S-1-5-21-4829137541-2641803372-908776154-1712)
      - user93 (S-1-5-21-4829137541-2641803372-908776154-1713)
      - user94 (S-1-5-21-4829137541-2641803372-908776154-1714)
      - user95 (S-1-5-21-4829137541-2641803372-908776154-1715)
      - user96 (S-1-5-21-4829137541-2641803372-908776154-1716)
      - user97 (S-1-5-21-4829137541-2641803372-908776154-1717)
      - user98 (S-1-5-21-4829137541-2641803372-908776154-1718)
      - user99 (S-1-5-21-4829137541-2641803372-908776154-1719)
      - user100 (S-1-5-21-4829137541-2641803372-908776154-1720)
[*] msDS-ManagedPassword not returned (this account may not be authorised to read it)

real    13.08s
user    0.55s
sys     0.03s
cpu     4%

I made a PR prior but realized it was from my main branch instead of a separate one since I also opened a separate PR for badsuccor, in #2170 so I had to close it.

This one comes with many more improvements, better exception handling and more control over enumeration vs cred extraction.

@ThatTotallyRealMyth ThatTotallyRealMyth mentioned this pull request Apr 14, 2026
Merged
14 tasks
@ThatTotallyRealMyth
Removed custom nthash/kerberos key derivations for impackets generate…
b1c1829 
…_kerberos_keys and fixed resolution issue when using kerberos auth + additional logging for -dc-host arg
@ThatTotallyRealMyth
removed uv dependency injection
555f593
@ThatTotallyRealMyth ThatTotallyRealMyth mentioned this pull request Apr 26, 2026
Merged
@anadrianmanrique anadrianmanrique added in review This issue or pull request is being analyzed Examples labels May 27, 2026
@anadrianmanrique anadrianmanrique self-assigned this May 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@anadrianmanrique anadrianmanrique

Labels

Examples in review This issue or pull request is being analyzed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ThatTotallyRealMyth @anadrianmanrique @chin-tech