Local Administrator Password Solution (LAPS)
Resources
(1) Learning resources
ms-Mcs-AdmPwd attribute
What is Windows LAPS?
Windows LAPS PowerShell cmdlets
(2) Exploitation examples
Basic concepts
What is the ms-Mcs-AdmPwd attribute?
...
AllExtendedRights
1. What is the "All extended rights" permission on an AD organizational unit (OU) in the context of LAPS?
"All extended rights" is not an attribute of the OU itself but an access control entry (ACE) in the OU's security descriptor. ms-Mcs-AdmPwd is a confidential attribute, so reading it requires the CONTROL_ACCESS (extended) right on the computer object, and an "All extended rights" ACE that is inherited from the OU down to its computer objects grants exactly that. Any holder of such an ACE on the OU (a group, a user, etc.) can therefore read the LAPS password of every computer under that OU. Since LAPS manages the built-in local Administrator account by default (or a custom local account if one is configured), this means the right holder obtains the local administrator password for those machines (stored in the ms-Mcs-AdmPwd attribute).
Exploitation steps
Find an OU that carries an "All extended rights" ACE covering the LAPS password attribute
...
Retrieve the extended right holders for that particular OU
PS> Find-AdmPwdExtendedRights -Identity <OU>
...
Retrieve the users in the group
Given that a particular group holds the extended rights, enumerate its members (recursively, since members of nested groups inherit the right as well):
PS> net group <GROUP> /domain
PS> Get-ADGroupMember -Identity <GROUP> -Recursive
...
Retrieve the LAPS password
Given that we have compromised, or can impersonate, a user who is a member of that group (found in the previous step), we can retrieve the LAPS password of any machine under the OU. This gives us the local administrator password for that machine.
First, we have to run under that user's identity, either by injecting a Kerberos ticket for the user (pass-the-ticket) with mimikatz or by starting a new process with the user's username and password via the runas.exe utility:
mimikatz # kerberos::ptt ...
PS> runas.exe /netonly ...
Next, we can retrieve the password:
PS> Get-AdmPwdPassword -ComputerName <TARGET_COMPUTER>
...