← Back to search

Dump gMSA Passwords with gMSADumper

credentialswindowstool

Summary

Retrieve the managed password blob (NT hash) of Group Managed Service Accounts from a domain controller using valid domain credentials.

Walkthrough

Group Managed Service Accounts (gMSA) store their passwords in AD, and any principal allowed to read them can recover the NT hash.

Steps

  1. Supply valid domain credentials with -u/-p and the domain with -d.
  2. Point -l at the LDAP server / domain controller (<IP>).
  3. The tool returns the gMSA NT hash, which can be used for pass-the-hash or further authentication.

Commands

bash

python3 gMSADumper/gMSADumper.py -u <USER> -p <PASS> -d <TARGET> -l <IP>