KDS Root Keys: All Secrets Finally Revealed

Key Distribution Service (KDS) Root Keys have been an integral part of Active Directory since Windows Server 2012. These cryptographic seeds are predominantly used to generate passwords of managed service accounts (gMSA and dMSA) but are also utilized by DPAPI-NG (also known as CNG DPAPI) to encrypt sensitive information using SID Protectors. Although researchers have previously published PoC implementations of the cryptographic algorithms used with KDS Root Keys, many scenarios have not yet been covered by research and tooling.

In this session, we will demonstrate online and offline attacks against virtually ALL use cases of KDS Root Keys, including:

  • Decryption of volumes with BitLocker SID Protector enabled.
  • Exporting RSA private keys from group-protected PFX files.
  • Extracting DNSSEC signing keys (ZSK and KSK) from Active Directory.
  • Revealing ASP.NET Core encrypted database connection strings.
  • Bulk export of LAPS and DSRM passwords from ntds.dit, LDAP, or DCSync.
  • Generating gMSA and dMSA passwords (Golden *MSA Attack).

We will also be presenting a newly discovered universal way of attacking DPAPI-NG in Windows, which allows us to decrypt any secrets encrypted using the SID protector without having to develop application-specific decryptors.

After an Active Directory domain is fully compromised, malicious actors can steal KDS Root Keys using LDAP, DCSync, or ntds.dit. These keys can then be abused to unlock secrets that often go beyond the boundaries of AD. The session will include demos of BitLocker SID protector exploitation, group-protected PFX/RSA key export, DNSSEC ZSK/KSK extraction, ASP.NET Core database connection string recovery, bulk LAPS/DSRM password export, and gMSA/dMSA password generation. Although some variations of these attacks are already known, there will definitely be a twist.

About the Speaker