
Local Administrator Password Solution (LAPS)

This task covers how to enumerate LAPS in an Active Directory environment and, where the feature is configured and enabled, how the local administrator password can be obtained.

Group Policy Preferences (GPP)

Every Windows installation has a built-in local Administrator account protected by a password. Changing that password across a large environment with many computers is challenging, so Microsoft provided a way to set local administrator passwords across workstations using Group Policy Preferences (GPP).

GPP allows administrators to create domain policies with embedded credentials. Once a GPP is deployed, XML files describing it are created in the SYSVOL folder. SYSVOL is an essential component of Active Directory: a shared directory on an NTFS volume that every authenticated domain user can read.

The issue was that the GPP XML files stored the password encrypted with AES-256. That would have been adequate, except that Microsoft published the AES key on MSDN. Since any domain user can read the SYSVOL folder, decrypting the stored passwords became trivial. One tool that decrypts these SYSVOL passwords is Get-GPPPassword.
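From the defender's side, the first check is whether any GPP file in SYSVOL still carries a cpassword attribute at all. The following scanner is an added example (not part of the original task and not Get-GPPPassword); it walks a SYSVOL share or an offline copy, parses the preference XML files GPP writes, and reports every element that stores a cpassword without decrypting anything. The sample XML, the GPO folder name and the base64 value are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a "cpassword" attribute (the AES-encrypted
# password discussed above). The file names are the ones GPP writes under
# Policies\<GPO GUID>\(Machine|User)\Preferences in SYSVOL.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def scan_xml_text(xml_text, source="<memory>"):
    """Return one finding per element that carries a non-empty cpassword.

    Only the presence and length of the value are reported; nothing is
    decrypted, so the scan itself never handles a clear-text password.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings          # malformed file: nothing to report
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:              # absent or "" means no stored password
            continue
        findings.append({
            "file": source,
            "element": elem.tag,
            # the account name lives in a different attribute per file type
            "account": (elem.attrib.get("userName")
                        or elem.attrib.get("runAs")
                        or elem.attrib.get("accountName")
                        or "<unknown>"),
            "cpassword_length": len(cpw),
        })
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL share (or an offline copy) and scan every GPP file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_xml_text(fh.read(), path))
    return findings


# Constructed samples in the shape GPP writes. The cpassword value is a made-up
# base64 string, not a real encrypted password; clsid attributes are omitted.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" image="2">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0"
        userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

# A service entry with an empty cpassword must not be reported.
SAMPLE_SERVICES_XML = """<NTServices>
  <NTService name="Spooler" image="0">
    <Properties startupType="AUTOMATIC" serviceName="Spooler"
        accountName="NT AUTHORITY\\LocalService" cpassword=""/>
  </NTService>
</NTServices>
"""


def demo():
    """Build a throwaway SYSVOL-like tree from the samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}",
                             "Machine", "Preferences")
        for sub, content in (("Groups", SAMPLE_GROUPS_XML),
                             ("Services", SAMPLE_SERVICES_XML)):
            os.makedirs(os.path.join(prefs, sub))
            with open(os.path.join(prefs, sub, sub + ".xml"), "w",
                      encoding="utf-8") as fh:
                fh.write(content)
        return scan_sysvol(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: <{f['element']}> for {f['account']} "
              f"stores a cpassword ({f['cpassword_length']} chars)")
```

Point scan_sysvol at a mounted copy of \\<domain>\SYSVOL to run it for real; any finding means a credential is still readable by every domain user and the GPO should be rebuilt without the embedded password.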

Local Administrator Password Solution (LAPS)

In 2015, Microsoft stopped storing the encrypted password in the SYSVOL folder and introduced the Local Administrator Password Solution (LAPS), which offers a much more secure approach to managing the local administrator password remotely.

The new method adds two attributes to computer objects in Active Directory: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. ms-Mcs-AdmPwd holds the clear-text password of the local administrator, while ms-Mcs-AdmPwdExpirationTime holds the time at which the password must next be reset. LAPS uses admpwd.dll, a Group Policy client-side extension, to change the local administrator password and update the value of ms-Mcs-AdmPwd. Because the password sits in clear text in the directory, it is only as protected as the read permission on that attribute, which is why controlling and auditing that permission matters.
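A defender's audit of these attributes does not need the password itself: ms-Mcs-AdmPwdExpirationTime alone tells you whether rotation is working. The code below is an added example (not LAPS code and not part of the original task). It converts the attribute, which AD stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and flags computers with no expiration set, an expiration in the past, or an expiration beyond the policy maximum. The computer names, timestamps and the 30-day maximum are constructed sample inputs.

```python
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME: the number of
# 100-nanosecond ticks since 1601-01-01 00:00 UTC, held in a large integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware UTC datetime (integer arithmetic,
    so far-future values do not suffer floating-point drift)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build sample values."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def audit_expiration(entries, now, max_age=timedelta(days=30)):
    """Flag computers whose LAPS rotation is not working as intended.

    entries: list of (computer_name, filetime_or_None), e.g. the result of an
    LDAP query for ms-Mcs-AdmPwdExpirationTime over an OU. max_age is the
    password age configured in the LAPS GPO (30 days is the LAPS default).
    Returns (computer_name, reason) tuples; healthy computers are omitted.
    """
    findings = []
    for name, expiry_ft in entries:
        if expiry_ft is None:
            # attribute never written: the client-side extension has not run
            findings.append((name, "no expiration set; LAPS is not managing this computer"))
            continue
        expiry = filetime_to_datetime(expiry_ft)
        if expiry < now:
            findings.append((name, f"password expired at {expiry.isoformat()} and was not rotated"))
        elif expiry > now + max_age:
            # an expiry beyond the policy maximum disables rotation until then
            findings.append((name, f"expiration {expiry.isoformat()} exceeds the {max_age.days}-day policy maximum"))
    return findings


# Constructed sample: a fixed "now" and four computer objects. The last entry
# mirrors the far-future timestamp shown in the Get-AdmPwdPassword output later
# in this task.
SAMPLE_NOW = datetime(2022, 6, 6, 13, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("WS01", datetime_to_filetime(SAMPLE_NOW + timedelta(days=10))),   # healthy
    ("WS02", datetime_to_filetime(SAMPLE_NOW - timedelta(days=3))),    # overdue
    ("SRV01", None),                                                    # unmanaged
    ("CREDS-HARVESTIN", datetime_to_filetime(
        datetime(2338, 2, 11, 11, 5, tzinfo=timezone.utc))),           # far future
]


def demo():
    return audit_expiration(SAMPLE_ENTRIES, SAMPLE_NOW)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Unlike ms-Mcs-AdmPwd, the expiration attribute is readable by ordinary users by default, so this audit runs with a low-privilege account and never touches a password value.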

Figure: computer object attributes

Enumerate for LAPS

The provided VM has LAPS enabled, so let's start enumerating it. First, check whether LAPS is installed on the target machine by looking for the admpwd.dll client-side extension in its default path.

C:\Users\thm>dir "C:\Program Files\LAPS\CSE"
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Program Files\LAPS\CSE

06/06/2022  01:01 PM              .
06/06/2022  01:01 PM              ..
05/05/2021  07:04 AM           184,232 AdmPwd.dll
               1 File(s)        184,232 bytes
               2 Dir(s)  10,306,015,232 bytes free

The output confirms that LAPS is present on the machine. Next, list the AdmPwd cmdlets available from the AdmPwd.PS module:

PS C:\Users\thm> Get-Command *AdmPwd*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS

Next, we need to find which principals hold the "All extended rights" permission on an AD organizational unit (OU), since that permission grants the ability to read the LAPS password of computers in the OU. We use the Find-AdmPwdExtendedRights cmdlet against the target OU. Note that enumerating the available OUs belongs to the earlier enumeration step; our target OU in this example is THMorg. You can use the -Identity * argument to query all available OUs.

PS C:\Users\thm> Find-AdmPwdExtendedRights -Identity THMorg

ObjectDN                                      ExtendedRightHolders
--------                                      --------------------
OU=THMorg,DC=thm,DC=red                       {THM\THMGroupReader}

The output shows that the THMGroupReader group holds extended rights on THMorg and can therefore read LAPS passwords. Let's check the group and its members.

PS C:\Users\thm> net groups "THMGroupReader"
Group name     THMGroupReader
Comment

Members

-------------------------------------------------------------------------------
bk-admin
The command completed successfully.

PS C:\Users\victim> net user test-admin
User name                    test-admin
Full Name                    THM Admin Test Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

[** Removed **]
Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
                             *THMGroupReader           *Enterprise Admins
The command completed successfully.

Getting the Password

We found that the bk-admin user is a member of THMGroupReader, so to obtain the LAPS password we need to compromise or impersonate bk-admin. Once we hold the right account, we can read the LAPS password with the Get-AdmPwdPassword cmdlet by providing the name of a target machine that has LAPS enabled.

PS C:\> Get-AdmPwdPassword -ComputerName creds-harvestin

ComputerName         DistinguishedName                             Password           ExpirationTimestamp
------------         -----------------                             --------           -------------------
CREDS-HARVESTIN      CN=CREDS-HARVESTIN,OU=THMorg,DC=thm,DC=red    FakePassword    2/11/2338 11:05:2...

It is important to note that in a real-world AD environment, LAPS is usually enabled on specific machines only. You therefore need to enumerate both the right target computer and the right user account to obtain the LAPS password. Many scripts help with this; we included the LAPSToolkit PowerShell script in C:\Tool so you can try it out.
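Every Get-AdmPwdPassword call like the one above is a read of ms-Mcs-AdmPwd, and Set-AdmPwdAuditing (in the cmdlet list earlier) adds the SACL that makes domain controllers log such reads as security event 4662. The triage logic below is an added example (not part of the original task and not LAPS code): it picks 4662 records whose AccessMask includes Read Property (0x10) and whose Properties field names the ms-Mcs-AdmPwd attribute GUID, then separates readers that Find-AdmPwdExtendedRights and the group membership account for from those it does not, and counts how many distinct computers each reader touched. The attribute GUID is a placeholder (the real schemaIDGUID is generated per forest), the authorized-reader set is taken from the bk-admin example above, and the event records are constructed.

```python
from collections import defaultdict

# schemaIDGUID of ms-Mcs-AdmPwd differs per forest (it is generated when the
# schema is extended), so this is a placeholder: read the real value from the
# schema partition before deploying the rule.
LAPS_PASSWORD_ATTR_GUID = "{00000000-0000-0000-0000-000000000001}"
READ_PROPERTY = 0x10  # ADS_RIGHT_DS_READ_PROP bit in the 4662 AccessMask


def is_laps_password_read(event):
    """True if a 4662 record shows a Read Property access naming the
    ms-Mcs-AdmPwd attribute GUID in its Properties field."""
    if event.get("EventID") != 4662:
        return False
    mask = int(event.get("AccessMask", "0x0"), 16)
    if not mask & READ_PROPERTY:
        return False
    return LAPS_PASSWORD_ATTR_GUID.lower() in event.get("Properties", "").lower()


def triage(events, authorized, bulk_threshold=5):
    """Split LAPS password reads into expected and unexpected readers and count
    distinct computers per reader (a bulk dump reads many objects quickly)."""
    reads = [e for e in events if is_laps_password_read(e)]
    per_reader = defaultdict(set)
    for e in reads:
        reader = f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}'
        per_reader[reader].add(e["ObjectName"])
    return {
        "reads": len(reads),
        "unexpected_readers": {r: sorted(objs) for r, objs in per_reader.items()
                               if r not in authorized},
        "bulk_readers": {r: len(objs) for r, objs in per_reader.items()
                         if len(objs) >= bulk_threshold},
    }


def _event(user, computer, mask="0x10", guid=LAPS_PASSWORD_ATTR_GUID, event_id=4662):
    """Build a constructed 4662 record with only the EventData fields the rule uses."""
    return {
        "EventID": event_id,
        "SubjectDomainName": "THM",
        "SubjectUserName": user,
        "ObjectName": f"CN={computer},OU=THMorg,DC=thm,DC=red",
        "AccessMask": mask,
        "Properties": f"Read Property\n\t{guid}",
    }


# Readers expected from Find-AdmPwdExtendedRights and the group membership
# shown above; in practice derive this set from the directory, not by hand.
AUTHORIZED_READERS = {"THM\\bk-admin"}

# Constructed sample log: one legitimate read, one write (ignored), one read of
# a different attribute (ignored), and one account reading six computers.
SAMPLE_EVENTS = (
    [_event("bk-admin", "CREDS-HARVESTIN")]
    + [_event("bk-admin", "CREDS-HARVESTIN", mask="0x20")]
    + [_event("bk-admin", "WS01", guid="{00000000-0000-0000-0000-000000000002}")]
    + [_event("j.doe", f"WS{i:02d}") for i in range(1, 7)]
)


def demo():
    return triage(SAMPLE_EVENTS, AUTHORIZED_READERS)


if __name__ == "__main__":
    result = demo()
    print(f"{result['reads']} LAPS password reads")
    for reader, computers in result["unexpected_readers"].items():
        print(f"unexpected reader {reader}: {len(computers)} computers")
    for reader, count in result["bulk_readers"].items():
        print(f"bulk reader {reader}: {count} distinct computers")
```

Two signals fall out of this: a reader outside the set returned by Find-AdmPwdExtendedRights means the rights audit and the logs disagree and one of them is wrong, and a single account reading many computers' passwords in a short window is the pattern of a bulk dump rather than of an administrator fixing one machine.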