Credential Dumping: LAPS

In this post, you will find out how Microsoft’s LAPs feature can be abused by the attacker to get
the end-user password.

Table of Content
• Introduction
• Working of LAPS
• Prerequisites/ Configuration
• Credential Dumping
o Metasploit
o Empire
o CrackMapExec
o SharpLAPS
o NetTools
o Get-LAPSPasswords
• Conclusion

Introduction
The “Local Administrator Password Solution” (LAPS) provides management of local account
passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and
protected by ACL, so only eligible users can read it or request its reset.
For environments in which users are required to log on to computers without domain
credentials, password management can become a complex issue. Such environments greatly
increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator
Password Solution (LAPS) provides a solution to this issue of using a common local account with
an identical password on every computer in a domain. LAPS resolves this issue by setting a
different, random password for the common local administrator account on every computer in
the domain. Domain administrators using the solution can determine which users, such as
helpdesk administrators, are authorized to read passwords.
LAPS simplifies password management while helping customers implement recommended
defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation

www.hackingarticles.in 1 www.ignitetechnologies.in
that results when customers use the same administrative local account and password
combination on their computers. LAPS stores the password for each computer’s local
administrator account in Active Directory, secured in a confidential attribute in the computer’s
corresponding Active Directory object. The computer is allowed to update its password data in
Active Directory, and domain administrators can grant read access to authorized users or
groups, such as workstation helpdesk administrators.
Use LAPS to automatically manage local administrator passwords on domain-joined computers
so that passwords are unique on each managed computer, randomly generated, and securely
stored in Active Directory infrastructure. The solution is built on Active Directory infrastructure
and does not require other supporting technologies. LAPS uses a Group Policy client-side
extension (CSE) that you install on managed computers to perform all management tasks. The
solution’s management tools provide easy configuration and administration.

Working of LAPS
The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following
tasks and can enforce the following actions during a GPO update: It checks whether the
password of the local Administrator account has expired. It generates a new password when
the old password is either expired or is required to be changed before expiration. It validates
the new password against the password policy. It reports the password to Active Directory,
storing it with a confidential attribute with the computer account in Active Directory. It also
reports the next expiration time for the password to Active Directory, storing it with an
attribute with the computer account in Active Directory. It can also change the password of the
Administrator account. And the password then can be read from Active Directory by users who
are allowed to do so. Eligible users can request a password change for a computer.

Prerequisites/ Configuration
Before beginning with the credential dumping phase, we need to setup the LAPS on our
Windows Server 2016 or Windows 10 machine. We need to perform 3 specific tasks that
include installation of LAPS fat client, Configuring PowerShell Module, and Implementing Group
Policy templates.
Please download the LAPS Installation Executable from Microsoft Download Centre.
Once downloaded, run the Microsoft Installer file. After clicking Next on the Setup Wizard, we
will be provided an option to configure our installation process. Select the options as
demonstrated in the image below.

www.hackingarticles.in 2 www.ignitetechnologies.in
We need to ensure that we have all of the following installed on the machine including the Fat
client UI, PowerShell Module, and the GPO Editor Template. This will lead to the next page
where there will be an Install button to continue the process. After installation is complete,
click on the Finish button to conclude the process.

www.hackingarticles.in 3 www.ignitetechnologies.in
Next, we will run the PowerShell instance and change the Execution Policy to bypass. Then we
will move to install the Module AdmPwd.PS. It is the PowerShell module that was created as a
part of the installation process we performed earlier. We need to Update the Schema and then
integrate the LAPS to the OU of your choice. Here, we are implementing the LAPS on the OU
Tech for Administrators as shown in the image below.
powershell -ep bypass
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit Tech
Set-AdmPwdReadPasswordPermission -OrgUnit Tech -AllowedPrincipals Administrators

www.hackingarticles.in 4 www.ignitetechnologies.in
Next, we need the Group Policy Management to edit so that it can accommodate the password
changes that come into the picture with the implementation. We see that we have the Default
Domain Policy under the name of the domain we want to implement the LAPS on. We right-
click on the Default Domain Policy and select the Edit option from the drop-down menu as
shown in the image below.

www.hackingarticles.in 5 www.ignitetechnologies.in
Here we are configuring the Group Policies to adapt for the LAPS implementation. The LAPS
settings can be located inside the Computer Configuration, you will find the Policies section
under which we have the Administrative Templates. Here we have the LAPS settings. It has 4
options for us to toggle. Right-click on the policy settings Enable local admin password
management and click on properties. Here we have to manage the local administrator
password, we will need to enable the policy setting and click OK to continue.

www.hackingarticles.in 6 www.ignitetechnologies.in
After Enabling the various options, we can see that we have all three settings enabled. We
configured the Password Settings for LAPS, we entered the name of the administrator that is
allowed to manage the passwords as raj. Then we also enabled the local admin password
management for LAPS.

www.hackingarticles.in 7 www.ignitetechnologies.in
To make all the changes in the policy active, we need to perform a Group Policy update as
shown in the image below:

Since the LAPS is activated on our machine, we can check for the credentials and the users that
are generated due to the installation. We need to open the Active Directory Users and
Computers window as shown. Also, to work effectively we need to enable the Advanced
Features option as demonstrated.

Now to ensure that it is working fine, let’s check the password given by LAPs to DEMO in its
properties. As you can observe in the given below image the LAPS has assigned the random
password to the demo.

www.hackingarticles.in 8 www.ignitetechnologies.in
We can also use the LAPS UI that was installed as a part of LAPS to configure and toggle the
various users, properties, and credentials with the ability to set the expiration date and time for
the password of that particular user as shown in the image.

www.hackingarticles.in 9 www.ignitetechnologies.in
Metasploit
On compromised accounts of DC, use the following module of the Metasploit to extract the
LAPS password for other end users. It will recover the LAPS (Local Administrator Password
Solution) passwords, configured in Active Directory, which is usually only accessible by
privileged users. Note that the local administrator account name is not stored in Active
Directory, so it is assumed to be ‘Administrator’ by default.
use post/windows/gather/credentials/enum_laps
post(windows/gather/credentials/enum_laps) > set session 2
post(windows/gather/credentials/enum_laps) > exploit
As a result, it will dump password in cleartext as shown in the image given below.

PowerShell Empire
The same can be done with the help of PowerShell Empire, it allows an attacker to dump the
end-user's credentials through a compromised account. It uses a PowerShell script to get the
LAPS password with the help of the following:

www.hackingarticles.in 10 www.ignitetechnologies.in
usemodule credential/get_lapspasswords
execute
Similarly, it will also dump passwords in cleartext, thus an attacker can access the other
machine present in the network with the help of extracted credentials.

CrackMapExec
CrackMapExec, also known as CME, is a post-exploitation tool. The developer of the tool
describes it as a “Swiss army knife for pen-testing networks”, which I find is an apt description.
The tool is developed in python and lets us move laterally in an environment while being
situationally aware. It abuses the Active Directory security by gathering all the information from
IP addresses to harvesting the credentials from SAM. Here, we are using it to connect to the
Active Directory from our Kali Linux machine via the LDAP protocol and then try to dump the
credentials from LAPS in clear text as shown in the image below. For more details, check out
Lateral Movement on Active Directory: CrackMapExec
crackmapexec ldap 192.168.1.172 -u administrator -p ‘Ignite@123’ –kdcHost 192.168.1.172 -
M laps

www.hackingarticles.in 11 www.ignitetechnologies.in
Enough tools and frameworks from our Linux-based Kali machine. Time to perform Credential
Dumping from the Windows Machine since it will be the most readily available machine
connected in the Active Directory. We start with SharpLAPS

SharpLAPS
It is an executable that was created to be executed within the Cobalt Strike session but can be
used as a standalone executable. It targets the ms-msc-AdmPwd attribute and grabs the
credentials that are stored inside it. Download here.
SharpLAPS.exe /user:IGNITE\Administrator /pass:Ignite@123 /host:192.168.1.172

NetTools
Next, we move onto a GUI-based approach. Here, we use a tool that was created to debug the
Active Directory Issues but can be used to perform credential dumping on LAPS as well. It
provides the ability to troubleshoot, query, report, and update Active Directory and other
LDAP-based directories. Download here.

www.hackingarticles.in 12 www.ignitetechnologies.in
Get-LAPSPasswords
After Linux based approach and Windows binaries and GUI systems, we finally descend upon
the PowerShell function that can pull the local admin passwords from the LDAP which are
stored via the LAPS implementation. It was created by Karl Fosaaen. It can be obtained from his
GitHub.
Get-LAPSPasswords -DomainController 192.168.1.172 -Credential IGNITE\Administrator |
Format-Table -AutoSize

Conclusion
We see that LAPS is an admirable function that was introduced by Microsoft but it poses the
threat of leaking sensitive credential data. This is a lapse in security that cannot be ignored.
Hence, it is recommended to integrate additional security measures with the implementation
of LAPS to prevent such leakage. This article can serve as the go-to guide to test the LAPS
implementation in your network environment.

www.hackingarticles.in 13 www.ignitetechnologies.in
www.hackingarticles.in 14 www.ignitetechnologies.in