hacktricks/windows-hardening/active-directory-methodology/laps.md

# LAPS

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

## Basic Information

**LAPS** allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.

When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes.

### Check if activated

```bash
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled

dir "C:\Program Files\LAPS\CSE"
# Check if that folder exists and contains AdmPwd.dll

# Find GPOs that have "LAPS" or some other descriptive term in the name
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl

# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
```

### LAPS Password Access

You could **download the raw LAPS policy** from `\\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol` and then use **`Parse-PolFile`** from the [**GPRegistryPolicyParser**](https://github.com/PowerShell/GPRegistryPolicyParser) package can be used to convert this file into human-readable format.

Moreover, the **native LAPS PowerShell cmdlets** can be used if they're installed on a machine we have access to:

```powershell
Get-Command *AdmPwd*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Find-AdmPwdExtendedRights                          5.0.0.0    AdmPwd.PS
Cmdlet          Get-AdmPwdPassword                                 5.0.0.0    AdmPwd.PS
Cmdlet          Reset-AdmPwdPassword                               5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdAuditing                                 5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdComputerSelfPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdReadPasswordPermission                   5.0.0.0    AdmPwd.PS
Cmdlet          Set-AdmPwdResetPasswordPermission                  5.0.0.0    AdmPwd.PS
Cmdlet          Update-AdmPwdADSchema                              5.0.0.0    AdmPwd.PS

# List who can read LAPS password of the given OU
Find-AdmPwdExtendedRights -Identity Workstations | fl

# Read the password
Get-AdmPwdPassword -ComputerName wkstn-2 | fl
```

**PowerView** can also be used to find out **who can read the password and read it**:

```powershell
# Find the principals that have ReadPropery on ms-Mcs-AdmPwd
Get-AdmPwdPassword -ComputerName wkstn-2 | fl

# Read the password
Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
```

Finally, [**LAPSToolkit**](https://github.com/leoloobeek/LAPSToolkit) **can also be useful for the same purpose.**

## **LAPS Persistence**

### **Expiration Date**

Once admin, it's possible to **obtain the passwords** and **prevent** a machine from **updating** its **password** by **setting the expiration date into the future**.

```powershell
# Get expiration time
Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime

# Change expiration time
## It's needed SYSTEM on the computer
Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
```

{% hint style="warning" %}
The password will still reset if an **admin** uses the **`Reset-AdmPwdPassword`** cmdlet; or if **Do not allow password expiration time longer than required by policy** is enabled in the LAPS GPO.
{% endhint %}

### Backdoor

The original source code for LAPS can be found [here](https://github.com/GreyCorbel/admpwd), therefore it's possible to put a backdoor in the code (inside the `Get-AdmPwdPassword` method in `Main/AdmPwd.PS/Main.cs` for example) that will somehow **exfiltrate new passwords or store them somewhere**.

Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll` (and change the modification time).

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3402] No subject 2022-08-17 05:31:13 +00:00			`# LAPS`

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

GitBook: [#3560] No subject 2022-10-05 00:11:28 +00:00			`- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`- Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`- Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`- Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`- Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
GitBook: [#3402] No subject 2022-08-17 05:31:13 +00:00
			`</details>`

			`## Basic Information`

			`LAPS allows you to manage the local Administrator password (which is randomised, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.`

GitBook: [#3560] No subject 2022-10-05 00:11:28 +00:00			`When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes.`
GitBook: [#3402] No subject 2022-08-17 05:31:13 +00:00
			`### Check if activated`

			```bash
			`reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled`

			`dir "C:\Program Files\LAPS\CSE"`
			`# Check if that folder exists and contains AdmPwd.dll`

			`# Find GPOs that have "LAPS" or some other descriptive term in the name`
			`Get-DomainGPO \| ? { $_.DisplayName -like "laps" } \| select DisplayName, Name, GPCFileSysPath \| fl`

			`# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)`
			`Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" \| ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } \| select DnsHostname`
			```

			`### LAPS Password Access`

			You could download the raw LAPS policy from `\\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol` and then use `Parse-PolFile` from the [GPRegistryPolicyParser](https://github.com/PowerShell/GPRegistryPolicyParser) package can be used to convert this file into human-readable format.

			`Moreover, the native LAPS PowerShell cmdlets can be used if they're installed on a machine we have access to:`

			```powershell
			`Get-Command AdmPwd`

			`CommandType Name Version Source`
			`----------- ---- ------- ------`
			`Cmdlet Find-AdmPwdExtendedRights 5.0.0.0 AdmPwd.PS`
			`Cmdlet Get-AdmPwdPassword 5.0.0.0 AdmPwd.PS`
			`Cmdlet Reset-AdmPwdPassword 5.0.0.0 AdmPwd.PS`
			`Cmdlet Set-AdmPwdAuditing 5.0.0.0 AdmPwd.PS`
			`Cmdlet Set-AdmPwdComputerSelfPermission 5.0.0.0 AdmPwd.PS`
			`Cmdlet Set-AdmPwdReadPasswordPermission 5.0.0.0 AdmPwd.PS`
			`Cmdlet Set-AdmPwdResetPasswordPermission 5.0.0.0 AdmPwd.PS`
			`Cmdlet Update-AdmPwdADSchema 5.0.0.0 AdmPwd.PS`

			`# List who can read LAPS password of the given OU`
			`Find-AdmPwdExtendedRights -Identity Workstations \| fl`

			`# Read the password`
			`Get-AdmPwdPassword -ComputerName wkstn-2 \| fl`
			```

			`PowerView can also be used to find out who can read the password and read it:`

			```powershell
			`# Find the principals that have ReadPropery on ms-Mcs-AdmPwd`
			`Get-AdmPwdPassword -ComputerName wkstn-2 \| fl`

			`# Read the password`
			`Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd`
			```

GitBook: [#3560] No subject 2022-10-05 00:11:28 +00:00			`Finally, [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) can also be useful for the same purpose.`
GitBook: [#3402] No subject 2022-08-17 05:31:13 +00:00
			`## LAPS Persistence`

			`### Expiration Date`

			`Once admin, it's possible to obtain the passwords and prevent a machine from updating its password by setting the expiration date into the future.`

			```powershell
			`# Get expiration time`
			`Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime`

			`# Change expiration time`
			`## It's needed SYSTEM on the computer`
			`Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}`
			```

			`{% hint style="warning" %}`
			The password will still reset if an admin uses the `Reset-AdmPwdPassword` cmdlet; or if Do not allow password expiration time longer than required by policy is enabled in the LAPS GPO.
			`{% endhint %}`

			`### Backdoor`

			The original source code for LAPS can be found [here](https://github.com/GreyCorbel/admpwd), therefore it's possible to put a backdoor in the code (inside the `Get-AdmPwdPassword` method in `Main/AdmPwd.PS/Main.cs` for example) that will somehow exfiltrate new passwords or store them somewhere.

			Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll` (and change the modification time).

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

GitBook: [#3560] No subject 2022-10-05 00:11:28 +00:00			`- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`- Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`- Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`- Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`- Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
GitBook: [#3402] No subject 2022-08-17 05:31:13 +00:00
			`</details>`