LAPS Auditing for Pentesters
We are finding Local Administrator Password Solution (LAPS) deployed in Windows infrastructure more and more often nowadays. Yeah!!, because it is a free solution from Microsoft and it works seamlessly on the majority of supported operating systems.
Microsoft's definition of LAPS:-
The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
Let's look at LAPS auditing from a pentester's perspective.
For this we are assuming Domain Admin privileges have already been gained and that we have access to one domain-joined machine. Now we are doing post-exploitation, which is the most important part of an internal assessment for showing impact to the customer.
For auditing we are using LAPSToolkit by Leo Loobeek. It is a PowerShell script which can be copied to the compromised machine; then open cmd.exe (and from it PowerShell) with Domain Admin privileges.
Let's import the LAPSToolkit.
First we are going to use Get-LAPSComputers:- It displays all computers with LAPS enabled, the password expiration, and the password if the current user has access. We will write the output of the command to a CSV file.
PS C:\Users\Auditor> Get-LAPSComputers | Export-Csv -Path LAPS_Computer.csv -NoType
The generated CSV looks like the image below. Since we ran the above command with DA privileges, we can see the random password and its expiration for every LAPS-enabled computer.
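Beyond reading passwords, the export is worth checking for hosts where LAPS is enabled but rotation is not actually happening: an empty password (the client never wrote ms-Mcs-AdmPwd), an expiration already in the past, or an expiration pushed far beyond the agreed password age. The following is an added example, not code from the original post or from LAPSToolkit; it assumes the CSV columns ComputerName, Password and Expiration as exported above, the 30-day policy value is a placeholder, and the sample rows are constructed.

```powershell
# Added example (not from the original post or LAPSToolkit): flag LAPS-enabled
# hosts in the Get-LAPSComputers export whose password is missing or not rotating.
# Assumes CSV columns ComputerName, Password, Expiration (as exported above) and
# that the export was run with DA rights, so an empty Password means the client
# never wrote the attribute rather than a permission problem.

function Find-StaleLapsPasswords {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [int] $MaxAgeDays = 30   # placeholder: the password-age policy agreed with the customer
    )
    $now = Get-Date
    Import-Csv -Path $CsvPath | ForEach-Object {
        $expires = $null
        # Export-Csv writes DateTime in the current culture, so parse with Get-Date
        if ($_.Expiration) { $expires = Get-Date -Date $_.Expiration }
        $finding = $null
        if ([string]::IsNullOrEmpty($_.Password)) {
            $finding = 'No password stored: LAPS enabled but ms-Mcs-AdmPwd never written'
        } elseif (-not $expires) {
            $finding = 'No expiration stored'
        } elseif ($expires -lt $now) {
            $finding = "Expired $([int]($now - $expires).TotalDays) days ago and not rotated"
        } elseif (($expires - $now).TotalDays -gt $MaxAgeDays) {
            $finding = "Expiration $([int]($expires - $now).TotalDays) days out, beyond the ${MaxAgeDays}-day policy"
        }
        if ($finding) {
            [pscustomobject]@{
                ComputerName = $_.ComputerName
                Expiration   = $_.Expiration
                Finding      = $finding
            }
        }
    }
}

# Constructed sample data so the check can be tried without a domain
$sample = @"
ComputerName,Password,Expiration
WKS01,Q7!pz9Lm2vXa,$((Get-Date).AddDays(10).ToString('o'))
WKS02,,$((Get-Date).AddDays(5).ToString('o'))
WKS03,h3K#dR8wT1Yq,$((Get-Date).AddDays(-40).ToString('o'))
WKS04,Z2vB7nQ!p9Lc,$((Get-Date).AddDays(400).ToString('o'))
"@
$tmp = Join-Path $env:TEMP 'LAPS_Computer_sample.csv'
$sample | Set-Content -Path $tmp

# WKS02, WKS03 and WKS04 are reported; WKS01 is healthy
Find-StaleLapsPasswords -CsvPath $tmp | Format-Table -AutoSize

# Against the real export from above:
# Find-StaleLapsPasswords -CsvPath .\LAPS_Computer.csv
```

An expiration set far in the future is worth a separate line in the report: LAPS has a Group Policy setting that stops clients honouring an expiration longer than the policy allows, and hosts that show up here usually mean it is not enabled.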
Next we are going to use Find-LAPSDelegatedGroups:- It searches through all OUs to see which AD groups have been delegated read access to the ms-Mcs-AdmPwd attribute. The output is the list of groups authorized to view the random passwords (in our example, Domain Admins and Desktop Admins).
So by now we have the list of LAPS-enabled computers and the groups which can view the random passwords on those machines.
The toolkit also has Find-AdmPwdExtendedRights:- It parses the ExtendedRights on each LAPS-enabled AD computer and looks for which groups have read access and whether any user has "All Extended Rights". In short, this cmdlet finds every user who can read the random password on each machine. Note that it can take a very long time in a larger domain.
PS C:\Users\Auditor> Find-AdmPwdExtendedRights | Export-Csv -Path LAPS_AdmPwdExtendedRights.csv -NoType
In the generated CSV we can see the users/groups who have read rights on each LAPS-enabled machine.
From the example above we know that ONLY members of the Domain Admins and Desktop Admins groups should be allowed to read the random password. But we observed that Bob.Alice can also read the password on one workstation.
So now we need to ask why the user Bob.Alice, who is not a member of the Domain Admins or Desktop Admins group, is allowed to read the password. In a large infrastructure you might get many such entries to report and audit.
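Spotting Bob.Alice by eye works for a handful of rows, but in a large domain the comparison should be scripted: take the Find-AdmPwdExtendedRights export, subtract the groups that Find-LAPSDelegatedGroups confirmed as authorized, and report whatever is left together with the machines it can read. The following is an added example, not code from the original post or from LAPSToolkit; it assumes the export has ComputerName and Identity columns with Identity in DOMAIN\Name form, the Reason column and all sample rows are constructed for illustration, and the domain name CORP is a placeholder.

```powershell
# Added example (not from the original post or LAPSToolkit): report every principal
# in the Find-AdmPwdExtendedRights export that is not on the agreed list of
# authorized groups, with the computers it can read the LAPS password on.
# Assumes CSV columns ComputerName and Identity (DOMAIN\Name form).

function Find-UnexpectedLapsReaders {
    param(
        [Parameter(Mandatory)] [string]   $CsvPath,
        [Parameter(Mandatory)] [string[]] $AuthorizedGroups   # e.g. 'Domain Admins','Desktop Admins'
    )
    # Compare on the account name only, so 'CORP\Domain Admins' and 'Domain Admins' both match
    $allowed = $AuthorizedGroups | ForEach-Object { ($_ -split '\\')[-1].ToLowerInvariant() }

    Import-Csv -Path $CsvPath |
        Where-Object { ($_.Identity -split '\\')[-1].ToLowerInvariant() -notin $allowed } |
        Group-Object Identity |
        ForEach-Object {
            [pscustomobject]@{
                Identity      = $_.Name
                ComputerCount = $_.Count
                Computers     = ($_.Group.ComputerName | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object ComputerCount -Descending
}

# Constructed sample data mirroring the scenario in the post (CORP is a placeholder domain)
$sample = @"
ComputerName,Identity,Reason
WKS01,CORP\Domain Admins,Delegated
WKS01,CORP\Desktop Admins,Delegated
WKS02,CORP\Domain Admins,Delegated
WKS02,CORP\Bob.Alice,All Extended Rights
WKS03,CORP\Domain Admins,Delegated
WKS03,CORP\Helpdesk-Tier1,Delegated
"@
$tmp = Join-Path $env:TEMP 'LAPS_AdmPwdExtendedRights_sample.csv'
$sample | Set-Content -Path $tmp

# Reports CORP\Bob.Alice (WKS02) and CORP\Helpdesk-Tier1 (WKS03)
Find-UnexpectedLapsReaders -CsvPath $tmp -AuthorizedGroups 'Domain Admins','Desktop Admins' |
    Format-Table -AutoSize

# Against the real export from above:
# Find-UnexpectedLapsReaders -CsvPath .\LAPS_AdmPwdExtendedRights.csv `
#     -AuthorizedGroups 'Domain Admins','Desktop Admins'
```

Each row this returns is a question for the customer: a user with "All Extended Rights" on a computer object (as with Bob.Alice here) can read far more than the LAPS password, and an unexpected group usually points at an old OU delegation nobody cleaned up. The authorized groups deserve the same scrutiny: run Get-ADGroupMember with -Recursive on each of them, since a nested group can quietly widen who can read the passwords without ever appearing in this export.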
References:- https://technet.microsoft.com/en-us/mt227395.aspx