Skip to content

Added GMS managed passwords #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
B0TAxy wants to merge 2 commits into
base: main
Choose a base branch
from
+25 −0
Open

Added GMS managed passwords #54

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
726cd1a
Added gms passowrd
B0TAxy Apr 10, 2026
aeed0dd
Deleted mistake
B0TAxy Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions dissect/database/ese/ntds/c_ds.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,5 +90,12 @@
CHAR Reserved3[12];
CHAR Hash[29][16]; // The formal definition has Hash1, Hash2, ..., Hash29
} WDIGEST_CREDENTIALS;

typedef struct _GMS_MANAGED_PASSWORD {
Copy link
Copy Markdown
Member

@Schamper Schamper Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a resource for the structure you used? All resources I can find on msDS-ManagedPassword show a very different structure, but I'm not sure if that's just the difference between what LDAP would return vs what's stored in the database.

Copy link
Copy Markdown
Author

@B0TAxy B0TAxy Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're absolutely right. I checked and realized my sources were incorrect, so I will make sure to fix it.

WORD Version;
WORD Reserved;
DWORD Length;
CHAR Password[Length];
} GMS_MANAGED_PASSWORD;
"""
c_ds = cstruct(ds_def)
17 changes: 17 additions & 0 deletions dissect/database/ese/ntds/c_ds.pyi
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,23 @@ class _c_ds(__cs__.cstruct):
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

WDIGEST_CREDENTIALS: TypeAlias = _WDIGEST_CREDENTIALS
class _GMS_MANAGED_PASSWORD(__cs__.Structure):
Version: _c_ds.uint16
Reserved: _c_ds.uint16
Length: _c_ds.uint32
Password: __cs__.Array[__cs__.CharArray]
@overload
def __init__(
self,
Version: _c_ds.uint16 | None = ...,
Reserved: _c_ds.uint16 | None = ...,
Length: _c_ds.uint32 | None = ...,
Password: __cs__.Array[__cs__.CharArray] | None = ...,
): ...
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

GMS_MANAGED_PASSWORD: TypeAlias = _GMS_MANAGED_PASSWORD

# Technically `c_ds` is an instance of `_c_ds`, but then we can't use it in type hints
c_ds: TypeAlias = _c_ds
1 change: 1 addition & 0 deletions dissect/database/ese/ntds/util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,6 +267,7 @@ def _decode_pwd_history(db: Database, value: list[bytes]) -> list[bytes]:
"trustAuthIncoming": (None, _pek_decrypt),
"trustAuthOutgoing": (None, _pek_decrypt),
"msDS-ExecuteScriptPassword": (None, _pek_decrypt),
"msDS-ManagedPassword": (None, lambda db, value: bytearray(c_ds.GMS_MANAGED_PASSWORD(value).Password).hex()),
Copy link
Copy Markdown
Member

@Schamper Schamper Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now positioned under a # Protected attributes comment, while this is not a protected attribute (as far as I can find). Can this attribute appear on any object type, or just specific types? I was thinking more of a @property on e.g. the User object, but it would help to know on which object types this attribute can appear.

Copy link
Copy Markdown
Author

@B0TAxy B0TAxy Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I understand, it can only exist under a computer account, but I don't really get how this is different from supplemental credentials

}

ATTRIBUTE_LIST_ENCODE_DECODE_MAP: dict[
Expand Down