Dump LAPS passwords with ldapsearch
If you’ve ever been pentesting an organization that had LAPS, you know that it is the best solution for randomizing local administrator passwords on the planet. (You should just be leaving them disabled).
LAPS stores its information in Active Directory:
The expiration time:
And the actual password in clear text:
When LAPS first came out, any user in Active Directory could read it. Microsoft fixed that: you now have to have the All extended rights permission on the object, or Full Control of it.
In many organizations there are pockets of OU admins, or even standard users, who are in charge of a specific set of users and (in particular) computers over which they have full control.
There is already a Metasploit module thanks to Meatballs: https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/enum_laps.rb. But unfortunately, I don’t always have access to a Meterpreter session to run the module.
ldapsearch (which is included in the ldapscripts package on Debian/Ubuntu) can be used to make the same query that the module does. Here is an example run:
Let’s break this down:
-x : Use simple authentication (a plain bind, not SASL)
-h 192.168.80.10 : Connect to the Domain Controller for LDAP
-D "helpdesk" -w ASDqwe123 : Log in as the helpdesk user, with the password ASDqwe123
-b "dc=sittingduck,dc=info" : Use the base LDAP object of the entire domain as the search base
"(ms-MCS-AdmPwd=*)" : Filter out any objects for which I can’t see a value for ms-MCS-AdmPwd. (If you have rights as that user to see even one Administrator password, this will show it.)
ms-MCS-AdmPwd : Only show me the ms-MCS-AdmPwd attribute (ldapsearch prints the object name and DN as well by default, so you will still know which host it belongs to)
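Turned around for the defender, the same query is an audit of delegated rights: bind as each account that has been handed rights over an OU, ask for ms-MCS-AdmPwd (plus the expiry attribute ms-Mcs-AdmPwdExpirationTime), and every entry that comes back is a host whose local admin password that account can read. The Python below is an added example, not code from this post or from LAPS: it parses the LDIF that ldapsearch prints (folded lines and base64 `::` values included) and reports the affected hosts and their expiry without echoing the passwords. The sample LDIF is constructed.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

FILETIME_UNIX_OFFSET = 116444736000000000  # 100ns ticks from 1601-01-01 (FILETIME epoch) to 1970-01-01

def filetime_to_utc(ticks: int) -> datetime:
    """ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME; convert it to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=(ticks - FILETIME_UNIX_OFFSET) // 10)

def parse_ldif(text: str) -> list:
    """LDIF reader: unfolds lines starting with a space, decodes 'attr:: base64' values, splits entries on blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):
        entry = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):  # skip blanks and ldapsearch comment lines
                attr, _, value = line.partition(":")
                value = value.strip()
                if value.startswith(":"):  # base64 form, used when a value starts with ':' or ' ' or is non-ASCII
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def summarize(ldif: str, now=None) -> list:
    """One row per computer whose ms-Mcs-AdmPwd the bound account could read; the password is reduced to its length."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for entry in parse_ldif(ldif):  # entries without a DN are the trailing 'result:' block ldapsearch prints
        if "dn" in entry and "ms-mcs-admpwd" in entry:
            raw = entry.get("ms-mcs-admpwdexpirationtime")
            expires = filetime_to_utc(int(raw[0])) if raw else None
            rows.append({"dn": entry["dn"][0], "password_length": len(entry["ms-mcs-admpwd"][0]),
                         "expires": expires, "expired": expires is not None and expires < now})
    return rows

# Constructed sample of ldapsearch output; hosts, DNs and values are made up, not from a real domain.
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Workstations,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: Fake-Pa55word-Sample
ms-Mcs-AdmPwdExpirationTime: 135400000000000000

dn: CN=WS02,OU=Workstations,DC=sittingduck,DC=info
ms-Mcs-AdmPwd:: OnN0YXJ0cy13aXRoLWNvbG9u
ms-Mcs-AdmPwdExpirationTime: 130000000000000000

result: 0 Success
"""
```

Feed it the real output (ldapsearch ... > laps.ldif, then summarize(open("laps.ldif").read())) once per delegated account; any row at all means that account's rights over the OU extend to the local administrator password.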
What does that look like?
Now, just having the local admin password doesn’t ensure that it’s enabled, but there is a good bet that you are good to go now.
P.S. You can also authenticate using Kerberos (think Golden/Silver tickets).
P.P.S. Because Windows doesn’t (to the best of my knowledge) require signing for LDAP connections to Domain Controllers yet (it probably does in 2016, or will soon), with a little bit of coding you can get ntlmrelayx to dump LAPS passwords ;-)