Dump gMSA Passwords with gMSADumper
credentialswindowstool
Summary
Retrieve the managed password blob (NT hash) of Group Managed Service Accounts from a domain controller using valid domain credentials.
Walkthrough
Group Managed Service Accounts (gMSA) store their passwords in AD, and any principal allowed to read them can recover the NT hash.
Steps
- Supply valid domain credentials with
-u/-pand the domain with-d. - Point
-lat the LDAP server / domain controller (<IP>). - The tool returns the gMSA NT hash, which can be used for pass-the-hash or further authentication.
Commands
bash
python3 gMSADumper/gMSADumper.py -u <USER> -p <PASS> -d <TARGET> -l <IP>