Categories

Archives

Red Teaming

Credential Dumping: LAPS

In this post, you will find out how Microsoft’s LAPs feature can be abused by the attacker to get the end-user password.

Table of Content

  • Introduction
  • Working of LAPS
  • Prerequisites/ Configuration
  • Credential Dumping
    • Metasploit
    • Empire
    • CrackMapExec
    • SharpLAPS
    • NetTools
    • Get-LAPSPasswords
  • Conclusion

Introduction

The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

Use LAPS to automatically manage local administrator passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure. The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.

Working of LAPS

The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update: It checks whether the password of the local Administrator account has expired. It generates a new password when the old password is either expired or is required to be changed before expiration. It validates the new password against the password policy. It reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory. It also reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory. It can also change the password of the Administrator account. And the password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.

Prerequisites/ Configuration

Before beginning with the credential dumping phase, we need to setup the LAPS on our Windows Server 2016 or Windows 10 machine. We need to perform 3 specific tasks that include installation of LAPS fat client, Configuring PowerShell Module, and Implementing Group Policy templates.

Please download the LAPS Installation Executable from Microsoft Download Centre.

Once downloaded, run the Microsoft Installer file. After clicking Next on the Setup Wizard, we will be provided with an option to configure our installation process. Select the options as demonstrated in the image below.

We need to ensure that we have all of the following installed on the machine including the Fat client UI, PowerShell Module, and the GPO Editor Template. This will lead to the next page where there will be an Install button to continue the process. After installation is complete, click on the Finish button to conclude the process.

Next, we will run the PowerShell instance and change the Execution Policy to bypass. Then we will move to install the Module AdmPwd.PS. It is the PowerShell module that was created as a part of the installation process we performed earlier. We need to Update the Schema and then integrate the LAPS to the OU of your choice. Here, we are implementing the LAPS on the OU Tech for Administrators as shown in the image below.

powershell -ep bypass
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit Tech
Set-AdmPwdReadPasswordPermission -OrgUnit Tech -AllowedPrincipals Administrators

Next, we need the Group Policy Management to edit so that it can accommodate the password changes that come into the picture with the implementation. We see that we have the Default Domain Policy under the name of the domain we want to implement the LAPS on. We right-click on the Default Domain Policy and select the Edit option from the drop-down menu as shown in the image below.  

Here we are configuring the Group Policies to adapt for the LAPS implementation. The LAPS settings can be located inside the Computer Configuration, you will find the Policies section under which we have the Administrative Templates. Here we have the LAPS settings. It has 4 options for us to toggle. Right-click on the policy settings Enable local admin password management and click on properties. Here we have to manage the local administrator password, we will need to enable the policy setting and click OK to continue.

After Enabling the various options, we can see that we have all three settings enabled. We configured the Password Settings for LAPS, we entered the name of the administrator that is allowed to manage the passwords as raj. Then we also enabled the local admin password management for LAPS.

To make all the changes in the policy active, we need to perform a Group Policy update as shown in the image below:

Since the LAPS is activated on our machine, we can check for the credentials and the users that are generated due to the installation. We need to open the Active Directory Users and Computers window as shown. Also, to work effectively we need to enable the Advanced Features option as demonstrated.

Now to ensure that it is working fine, let’s check the password given by LAPs to DEMO in its properties.  As you can observe in the given below image the LAPS has assigned the random password to the demo.

We can also use the LAPS UI that was installed as a part of LAPS to configure and toggle the various users, properties, and credentials with the ability to set the expiration date and time for the password of that particular user as shown in the image.

Metasploit

On compromised accounts of DC, use the following module of the Metasploit to extract the LAPS password for other end users. It will recover the LAPS (Local Administrator Password Solution) passwords, configured in Active Directory, which is usually only accessible by privileged users. Note that the local administrator account name is not stored in Active Directory, so it is assumed to be ‘Administrator’ by default.

use post/windows/gather/credentials/enum_laps
post(windows/gather/credentials/enum_laps) > set session 2
post(windows/gather/credentials/enum_laps) > exploit

As a result, it will dump the password in cleartext as shown in the image given below.

PowerShell Empire

The same can be done with the help of PowerShell Empire, it allows an attacker to dump the end-user’s credentials through a compromised account. It uses a PowerShell script to get the LAPS password with the help of the following:

usemodule credential/get_lapspasswords
execute

Similarly, it will also dump passwords in cleartext, thus an attacker can access the other machine present in the network with the help of extracted credentials.

CrackMapExec

CrackMapExec, also known as CME, is a post-exploitation tool. The developer of the tool describes it as a “Swiss army knife for pen-testing networks”, which I find is an apt description. The tool is developed in python and lets us move laterally in an environment while being situationally aware. It abuses the Active Directory security by gathering all the information from IP addresses to harvesting the credentials from SAM. Here, we are using it to connect to the Active Directory from our Kali Linux machine via the LDAP protocol and then try to dump the credentials from LAPS in clear text as shown in the image below. For more details, check out Lateral Movement on Active Directory: CrackMapExec

crackmapexec ldap 192.168.1.172 -u administrator -p ‘Ignite@123’ –kdcHost 192.168.1.172 -M laps

Enough tools and frameworks from our Linux-based Kali machine. Time to perform Credential Dumping from the Windows Machine since it will be the most readily available machine connected in the Active Directory. We start with SharpLAPS

SharpLAPS

It is an executable that was created to be executed within the Cobalt Strike session but can be used as a standalone executable. It targets the ms-msc-AdmPwd attribute and grabs the credentials that are stored inside it. Download here.

SharpLAPS.exe /user:IGNITE\Administrator /pass:Ignite@123 /host:192.168.1.172

NetTools

Next, we move onto a GUI-based approach. Here, we use a tool that was created to debug the Active Directory Issues but can be used to perform credential dumping on LAPS as well. It provides the ability to troubleshoot, query, report, and update Active Directory and other LDAP-based directories. Download here.

Get-LAPSPasswords

After Linux based approach and Windows binaries and GUI systems, we finally descend upon the PowerShell function that can pull the local admin passwords from the LDAP which are stored via the LAPS implementation. It was created by Karl Fosaaen. It can be obtained from his GitHub.

Get-LAPSPasswords -DomainController 192.168.1.172 -Credential IGNITE\Administrator | Format-Table -AutoSize

Conclusion

We see that LAPS is an admirable function that was introduced by Microsoft but it poses the threat of leaking sensitive credential data. This is a lapse in security that cannot be ignored. Hence, it is recommended to integrate additional security measures with the implementation of LAPS to prevent such leakage. This article can serve as the go-to guide to test the LAPS implementation in your network environment.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn

3 thoughts on “Credential Dumping: LAPS

  1. Hi Kavish

    Nice article!
    When you say “On compromised account of DC” ; does this mean that you first have to compromise an account (domain user /guest ?) before you can get the passwords, i assume?
    I am qurious if Microsoft has acknowledged your findings ?

    1. It’s not so simple! The compromised account must have rights to read the “ms-Mcs-AdmPwd” attribute from the Computer Account.

  2. Thanks for the detailed and clear article. It would be very useful for an administrator needing to check if their LAPS implementation is done well.
    I found this statement a little exaggerated though “poses the threat of leaking sensitive credential data”. You basically need to compromise an account which has access to read LAPS passwords, which in many cases will be a domain admin account (i.e. in most small businesses which may only have one or two IT staff, and don’t have “Helpdesk” staff. If the attacker has domain admin, you’re completely screwed anyway and LAPS passwords are kind of irrelevant since a domain admin could just reset all PC local admin passwords remotely in a few seconds with the appropriate script.

Comments are closed.