Run LAPS
One thing I've recommended in every penetration test report I've written is LAPS. It's a highly effective (and free!) way to significantly raise the bar for attackers looking to spread around your network using local Administrator credentials.
The majority of the material in here is gathered from Harmj0y and PyroTek3's blogs. This is just a post for me to muddle through what they've already written and understand things a bit better. Here's a brain dump.
About LAPS
Microsoft's Local Administrator Password Solution is a free product that provides a way to enforce a unique password for every managed system and a way for authorized users to view those passwords.
LAPS has two major components: an Active Directory schema extension, which adds the ms-Mcs-AdmPwd
(clear-text password) and ms-Mcs-AdmPwdExpirationTime
(date/time LAPS should force a password change on the client) attributes to all computer objects, and the LAPS client, which is on the receiving end of the password changes.
Of key importance in LAPS is the delegation rights for the two schema attributes, most importantly ms-Mcs-AdmPwd
.
Deploy Overview
The required steps in a LAPS deploy are:
- Extend the schema using the LAPS installer.
- Install the client on all in-scope machines.
- Delegate permission for all computers to update the two attributes on their own computer objects (SELF:WRITE).
- Delegate permission for a select group of users to view
ms-Mcs-AdmPwd
(clear-text password) and enforce a password change (by clearing thems-Mcs-AdmPwdExpirationTime
attribute) on the computer objects. - Configure a GPO to enable LAPS and set the appropriate password parameters (length, expiry, complexity).
LAPS Attribute Notes
The ms-Mcs-AdmPwd
attribute is only viewable to Domain Admins by default while the ms-Mcs-AdmPwdExpirationTime
attribute is viewable by all users. The latter design choice means that any domain user can determine:
- Whether a computer is managed by LAPS (no value vs. value present)
- When a computer's password was last changed (value in GPO subtracted from value in attribute)
- Whether a computer's local Administrator password is no longer managed by LAPS (time in the past)
Hunting for LAPS on the Client
If a computer is managed by LAPS, a DLL will be present and detectable by the following methods:
|
|
Hunting for LAPS on the Domain
It's possible to find LAPS computers using this one-liner:
|
|
With this information, we get not only a list of managed computers, but the ability to determine when their password will next change:
|
|
It's possible to change this date to some point in the future if the 'Do not allow password expiration time longer than required by policy' GPO setting is not configured or disabled.
Hunting for All LAPS Delegates
PowerView provides the easiest way of doing this using the following one-liner:
|
|
With this information, we can then do something like the following to give us the full list of admins:
|
|
Hunting for a Specific LAPS Delegate
Now shit is getting nesty.
|
|
This monstrosity does the following:
- Get the full data object of the Get-NetComputer command
- Extract and expand the DistinguishedName property
- Get the IndexOf the OU, and return just that part of the string. This will give us the OU the computer belongs to
- Use Get-ObjectAcl to enumerate the ACLs for the specified OU and resolve GUIDs to display names using -ResolveGUIDs
- Filter the permission entries to return only those that include read rights on the
ms-Mcs-AdmPwd
field - Since the result could be either a user or group, convert the name we get to a SID using Convert-NameToSid
- Pipe the SID to Get-ADObject to return the user/group object that has the read permissions to the
ms-Mcs-AdmPwd
field