
Added GMS managed passwords #54

Open

B0TAxy wants to merge 2 commits into fox-it:main from B0TAxy:feat/added_gms_managed_password

Conversation

@B0TAxy B0TAxy commented Apr 10, 2026

Add GMS Managed Password Support

Overview

This PR integrates the GMS-managed password into our utility attributes. By mapping this structure, we enable automatic decoding, ensuring that GMS passwords are handled consistently with our existing attribute workflows.


🛠 Proposed Changes

  • Data Structure Definition: Added the new GMS password struct to c_ds.py.
  • Type Hinting: Updated c_ds.pyi with relevant struct metadata for better IDE support and type safety.
  • Auto-Decoding: Registered the new struct in the ATTRIBUTE_ENCODE_DECODE_MAP within util.py to enable seamless encoding/decoding.

🧪 Testing & Validation

Important

Status: Manual verification is pending due to a lack of specific GMS test data.

I am looking for suggestions on how best to validate this change. Specifically:

  • Mock Data: Does anyone have a hex dump or sample GMS-managed password blob I can use for a unit test?


📝 Checklist

  • Struct defined in c_ds.py
  • Metadata added to c_ds.pyi
  • Logic added to util.py
  • Unit tests added (Pending test data)

CHAR Hash[29][16]; // The formal definition has Hash1, Hash2, ..., Hash29
} WDIGEST_CREDENTIALS;

typedef struct _GMS_MANAGED_PASSWORD {
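Review bot: the `typedef struct _GMS_MANAGED_PASSWORD` carries no note on where its field layout comes from, while the WDIGEST_CREDENTIALS block directly above it documents its deviation from the formal definition inline (`CHAR Hash[29][16]; // The formal definition has Hash1, Hash2, ..., Hash29`). Add a comment next to the typedef naming the specification or source the layout was taken from, so the fields can be checked against the documented msDS-ManagedPassword definitions rather than reconstructed from the PR description.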
Member

Do you have a resource for the structure you used? All resources I can find on msDS-ManagedPassword show a very different structure, but I'm not sure if that's just the difference between what LDAP would return vs what's stored in the database.

Author

You're absolutely right. I checked and realized my sources were incorrect, so I will make sure to fix it.
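The LDAP-side layout the reviewer is comparing against, as an added, self-contained example (standard library only; not code from this PR or from the fox-it project, whose structs are defined with cstruct in c_ds.py): the MSDS-MANAGEDPASSWORD_BLOB from MS-ADTS section 2.2.19, which is what a domain controller returns for msDS-ManagedPassword over LDAP. The class and function names (ManagedPassword, parse_managed_password_blob, build_managed_password_blob) are this example's own, and the sample blob is constructed in the code rather than captured from a real directory. The parser checks the version and length fields and keeps every offset inside the buffer before reading through it, which is the kind of validation a decoder registered in an attribute map should do before indexing a field. One caveat for the PR as a whole: MS-ADTS defines msDS-ManagedPassword as a constructed attribute, computed by the DC from the KDS root key and msDS-ManagedPasswordId, so whether a blob of this shape is stored in the database file at all is a separate question the thread does not settle.

```python
"""Parser and builder for MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19).

Added example using only the standard library; not code from this PR or from
the fox-it project.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed 16-byte header, little-endian:
#   USHORT Version, USHORT Reserved, ULONG Length,
#   USHORT CurrentPasswordOffset, USHORT PreviousPasswordOffset,
#   USHORT QueryPasswordIntervalOffset, USHORT UnchangedPasswordIntervalOffset
HEADER = struct.Struct("<HHIHHHH")
INTERVAL = struct.Struct("<Q")          # ULONG64 in 100-nanosecond units
HUNDRED_NS_PER_DAY = 864_000_000_000


@dataclass
class ManagedPassword:
    current_password: bytes             # raw UTF-16-LE, terminator stripped
    previous_password: Optional[bytes]  # None when PreviousPasswordOffset is 0
    query_password_interval: int        # 100-ns units until the next rotation
    unchanged_password_interval: int    # 100-ns units the current value stays valid


def _read_utf16z(blob: bytes, offset: int) -> bytes:
    """Return the UTF-16-LE bytes at offset, up to the 0x0000 terminator."""
    if offset % 2 or offset >= len(blob):
        raise ValueError(f"bad string offset {offset}")
    end = offset
    while end + 1 < len(blob):
        if blob[end] == 0 and blob[end + 1] == 0:
            return blob[offset:end]
        end += 2
    raise ValueError("unterminated UTF-16 string")


def parse_managed_password_blob(blob: bytes) -> ManagedPassword:
    """Validate the header, then follow the offsets into the variable part."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than MSDS-MANAGEDPASSWORD_BLOB header")
    version, _reserved, length, cur_off, prev_off, query_off, unchanged_off = (
        HEADER.unpack_from(blob, 0)
    )
    if version != 1:
        raise ValueError(f"unsupported blob version {version}")
    if length != len(blob):
        raise ValueError(f"Length field {length} does not match blob size {len(blob)}")
    for name, off in (("query", query_off), ("unchanged", unchanged_off)):
        if off + INTERVAL.size > len(blob):
            raise ValueError(f"{name} interval offset {off} lies outside the blob")
    return ManagedPassword(
        current_password=_read_utf16z(blob, cur_off),
        previous_password=_read_utf16z(blob, prev_off) if prev_off else None,
        query_password_interval=INTERVAL.unpack_from(blob, query_off)[0],
        unchanged_password_interval=INTERVAL.unpack_from(blob, unchanged_off)[0],
    )


def build_managed_password_blob(
    current: bytes, previous: Optional[bytes], query_interval: int, unchanged_interval: int
) -> bytes:
    """Inverse of the parser; used here to construct test input offline."""
    cur_off = HEADER.size
    body = bytearray(current + b"\x00\x00")
    prev_off = 0
    if previous is not None:
        prev_off = cur_off + len(body)
        body += previous + b"\x00\x00"
    while (cur_off + len(body)) % 8:    # AlignmentPadding before the ULONG64 fields
        body += b"\x00"
    query_off = cur_off + len(body)
    body += INTERVAL.pack(query_interval)
    unchanged_off = cur_off + len(body)
    body += INTERVAL.pack(unchanged_interval)
    length = HEADER.size + len(body)
    return HEADER.pack(1, 0, length, cur_off, prev_off, query_off, unchanged_off) + bytes(body)


def interval_days(interval: int) -> float:
    """Convert a 100-ns interval to days (the default gMSA rotation is 30 days)."""
    return interval / HUNDRED_NS_PER_DAY


def demo() -> ManagedPassword:
    # Constructed input. A real CurrentPassword is 256 bytes of KDS-derived
    # UTF-16 that is usually not valid text, so keep it as bytes or hex
    # instead of calling .decode() on it.
    blob = build_managed_password_blob(
        current=b"A\x00B\x00",
        previous=b"C\x00",
        query_interval=30 * HUNDRED_NS_PER_DAY,
        unchanged_interval=30 * HUNDRED_NS_PER_DAY,
    )
    return parse_managed_password_blob(blob)


if __name__ == "__main__":
    mp = demo()
    print(mp.current_password.hex(), interval_days(mp.query_password_interval))
```

The round trip is the point: a unit test for a decoder like the one in this PR can be written against a blob built by the inverse function without waiting for a captured dump, and the strict checks on Version and Length are what distinguish "this is the documented structure" from "these bytes happened to be there".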

"trustAuthIncoming": (None, _pek_decrypt),
"trustAuthOutgoing": (None, _pek_decrypt),
"msDS-ExecuteScriptPassword": (None, _pek_decrypt),
"msDS-ManagedPassword": (None, lambda db, value: bytearray(c_ds.GMS_MANAGED_PASSWORD(value).Password).hex()),
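Review bot: the msDS-ManagedPassword entry lays c_ds.GMS_MANAGED_PASSWORD over the raw stored value and returns .Password as hex, while the three entries directly above it (trustAuthIncoming, trustAuthOutgoing, msDS-ExecuteScriptPassword) pass the value through _pek_decrypt first. If the stored value is PEK-encrypted like its neighbours, the struct is being parsed over ciphertext; if it is not, the entry does not belong in this block, as the reviewer notes. In either case the lambda should confirm the parse succeeded (at minimum that the value is at least as long as the struct expects and that any version field matches) before indexing .Password, and raise or return the raw value on mismatch instead of hex-encoding whatever bytes sit at that offset. Returning a hex string also makes this the one entry here whose decoded type differs from what _pek_decrypt returns; consider returning bytes and leaving hex encoding to the caller, or documenting why this attribute is different.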
Member

This is now positioned under a # Protected attributes comment, while this is not a protected attribute (as far as I can find). Can this attribute appear on any object type, or just specific types? I was thinking more of a @property on e.g. the User object, but it would help to know on which object types this attribute can appear.

Author

As far as I understand, it can only exist under a computer account, but I don't really get how this is different from supplemental credentials.
