passtheticket / Abusing_Laps_Toolkit

abusing misconfiguration for AD with LAPS

Home Page: https://docs.unsafe-inline.com/unsafe/abusing-laps


Abusing Laps Toolkit

Introduction

If the ms-DS-MachineAccountQuota attribute still has its default value and no delegation of domain join permissions (the right to add computers to Active Directory) is in place, a domain user can add computer accounts to the domain by virtue of ms-DS-MachineAccountQuota. Once LAPS is installed on the added host, that domain user can read the local administrator password (the ms-Mcs-AdmPwd attribute) and use it for persistence. When LAPS is set up, only specific users are granted permission to read the password, but the user who joined the computer obtains "All extended rights" over that computer object and can therefore read its LAPS password. This lets the user bypass GPO restrictions by obtaining the local admin password even after the user no longer holds local Administrator privileges on the machine; for example, the user can edit registry settings or re-add their own account to the local Administrators group after a GPO that removes undefined users from that group has been applied.

  1. Open a non-domain-joined Windows virtual machine.
  2. Download LAPS.x64.msi and install it with the PowerShell module extension (AdmPwd.PS).
  3. Import AdmPwd.PS:
  • Import-Module AdmPwd.PS
  4. Add the computer to Active Directory with domain user credentials:
  • Add-ComputerToDomainWithUserRights
  5. Read the local admin password and determine the password policy:
    • If you are still a member of local Administrators after the GPO update,
      read the ms-Mcs-AdmPwd attribute via PowerView.ps1:

      Get-LapsLocalAdminPassword -disableDefender
    • If you are no longer a member of local Administrators after the GPO update,
      read the ms-Mcs-AdmPwd attribute via AdmPwd.PS:

      Get-LapsAdmPwd -LapsInstalled

Mitigation

Microsoft has updated the LAPS installation documentation, so configure LAPS according to the LAPS_OperationsGuide.docx and LAPS_TechnicalSpecification documents: https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899 If the Local Administrator Password Solution (LAPS) is used, set ms-DS-MachineAccountQuota to "0", or delegate the permission to add computers to the domain to a specific user group. Otherwise a user can add a computer to the domain, read the local admin user's password, and define the password complexity through this LAPS misconfiguration.
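The following audit script is an added example for defenders and is not part of the Abusing_Laps_Toolkit repository. It checks the three conditions the Introduction and Mitigation sections describe: whether ms-DS-MachineAccountQuota is still non-zero, which computer objects were joined by ordinary users (Active Directory stamps the joining user's SID into the mS-DS-CreatorSID attribute when the quota is used), and which principals hold extended rights, and thus can read ms-Mcs-AdmPwd, on the computers under an OU. It assumes the RSAT ActiveDirectory module and the LAPS AdmPwd.PS module are installed on the management host; the OU distinguished name is a placeholder to adjust for your domain.

```powershell
# Added audit script (not part of the Abusing_Laps_Toolkit repository).
# Assumes the RSAT ActiveDirectory module and the LAPS AdmPwd.PS module are
# available on the host where it runs, and that the caller can read the
# domain head and computer objects.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Check the machine account quota. Any non-zero value lets ordinary users
#    join computers and become the creator (with extended rights) of the
#    resulting computer objects.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; ordinary users can join up to $quota computers each."
    # Remediation, run deliberately (preview with -WhatIf first):
    # Set-ADObject -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = 0} -WhatIf
} else {
    Write-Host "ms-DS-MachineAccountQuota is 0; only delegated principals can join computers."
}

# 2. Find computer objects that were joined by a non-privileged user.
#    mS-DS-CreatorSID is populated only when the quota was used to create the
#    object; computers pre-staged or joined by an administrator leave it empty.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The AD module may return the attribute as a SecurityIdentifier or as raw bytes.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # deleted account or foreign-domain SID
        [PSCustomObject]@{
            Computer  = $_.Name
            CreatedBy = $creator
            DN        = $_.DistinguishedName
        }
    } | Format-Table -AutoSize

# 3. List who holds extended rights (and therefore can read ms-Mcs-AdmPwd) on
#    the computer objects under an OU, using the LAPS module's own cmdlet.
$ou = "OU=Workstations,$domainDN"   # placeholder OU; adjust for your domain
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object {
        [PSCustomObject]@{
            Object               = $_.ObjectDN
            ExtendedRightHolders = ($_.ExtendedRightHolders -join ', ')
        }
    } | Format-Table -AutoSize
```

Run it from an account that can read the domain; nothing is changed unless the commented Set-ADObject line is enabled. Any computer that appears in step 2 whose creator also shows up as an extended-right holder in step 3 is exactly the situation described above: the joining user, not the intended LAPS readers, can retrieve that host's local administrator password, and the object's ownership or ACL should be reviewed.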


Details

https://docs.unsafe-inline.com/unsafe/abusing-laps


License: MIT License

