Intro
Managing credentials for local administrator accounts is difficult to do. From setting strong passwords, to setting unique passwords across multiple machines, we rarely see it done correctly. On the majority of our pen tests we find that most of the domain computers are configured with the same local admin credentials. This can be really handy as an attacker, as it provides us lateral access to systems across the network.

One of the reported fixes (from Microsoft) is to store the local admin passwords in LDAP as a confidential attribute of the computer account. This can be automated using Microsoft tools, and strong local passwords can be enforced (and automatically changed). In theory, this is a nice idea. But in practice it results in the cleartext storage of passwords (not good). Previous attempts at local administrator credential management (from Microsoft) resulted in local administrator credentials being exposed to all users on the domain (through Group Policy Preferences). The GPP cpassword storage issue was fixed (5/13/14) and we're not seeing it as often anymore.
LAPS
LAPS is Microsoft's tool to store local admin passwords in LDAP. As long as everything is configured correctly, it should be fine to use. But if you don't set the permissions correctly on the LDAP attributes, you could be exposing the local admin credentials to users on the domain. LAPS uses two LDAP attributes to store the local administrator credentials: ms-MCS-AdmPwd (stores the password) and ms-MCS-AdmPwdExpirationTime (stores when it expires). The Microsoft recommendations say to remove the extended rights to the attributes from specific users and groups. This is a good thing to do, but it can be a pain to get set up properly. Long story short, if you're using LAPS, someone on the domain should be able to read those local admin credentials in cleartext. This will not always be a privilege escalation route, but it could be handy information to have when you're pivoting to sensitive systems after you've escalated. In our test domain, our LAPS deployment defaulted to allowing all domain users to have read access to the password. We also could have screwed up the install instructions.
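To check whether the extended-rights cleanup Microsoft describes has actually been applied, here is an added PowerShell audit (it is not part of the original post, nor of the Get-LAPSPasswords script) that walks every computer object in the domain and reports which principals hold the extended right covering ms-Mcs-AdmPwd, whether through an ACE on that attribute specifically or through "all extended rights" / GenericAll. It assumes the LAPS schema extension is installed, that it runs on a domain-joined Windows host as an account that can read the security descriptors of computer objects (domain users can by default), and that the $expected allow-list, including the made-up group DEMO\LAPS-Readers, is replaced with the principals you actually intend to have read access.

```powershell
# Added example (not from the original post or the Get-LAPSPasswords script):
# report which principals can read the confidential ms-Mcs-AdmPwd attribute on
# each computer object. Assumes the LAPS schema extension is present and that
# the $expected allow-list below is replaced with your own approved principals.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$schemaDn = $rootDse.schemaNamingContext.Value

# Attribute-specific ACEs reference the attribute by its schemaIDGUID, so resolve it.
$attrEntry  = [ADSI]"LDAP://CN=ms-Mcs-AdmPwd,$schemaDn"
$admPwdGuid = New-Object System.Guid -ArgumentList (,[byte[]]$attrEntry.Properties['schemaIDGUID'].Value)

# Placeholder allow-list: the principals that are supposed to be able to read the password.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'DEMO\LAPS-Readers')

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = '(objectCategory=computer)'
$searcher.PageSize   = 1000

$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($result in $searcher.FindAll()) {
    $entry        = $result.GetDirectoryEntry()
    $computerName = $entry.Properties['dNSHostName'].Value
    if (-not $computerName) { $computerName = $entry.Properties['name'].Value }

    # Explicit and inherited ACEs; identities are kept as SIDs so orphaned SIDs do not throw.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll also sets the ExtendedRight bit, so this test catches both.
        if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        # An empty ObjectType means "all extended rights", which includes reading this attribute.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $admPwdGuid) { continue }

        try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.IdentityReference.Value }
        if ($ace.ObjectType -eq [guid]::Empty) { $scope = 'AllExtendedRights' } else { $scope = 'ms-Mcs-AdmPwd' }

        New-Object PSObject -Property @{
            Computer   = $computerName
            Principal  = $who
            Scope      = $scope
            Inherited  = $ace.IsInherited
            Unexpected = ($expected -notcontains $who)
        }
    }
}

# Every row flagged Unexpected is a principal that can read local admin passwords in cleartext.
$findings | Sort-Object Computer, Principal |
    Format-Table Computer, Principal, Scope, Inherited, Unexpected -AutoSize
```

Any row marked Unexpected is a principal that can pull the cleartext local admin password for that computer; on a deployment like the test domain described above, the group that was left with read access shows up here on every host. If the AdmPwd.PS module is installed, its Find-AdmPwdExtendedRights cmdlet gives a similar per-OU report, and Set-AdmPwdReadPasswordPermission is the supported way to grant the right deliberately rather than leaving it inherited from a broad ACE.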
I put together a quick PowerShell script to pull the LAPS-specific LDAP attributes for all of the computers joined to the domain. I used Scott Sutherland's Get-ExploitableSystems script (now included in PowerView) as the template. You can find it on my GitHub page.
Script Usage and Output
Here's the output using an account that does not have rights to read the credentials (but proves they exist):

PS C:\> Get-LAPSPasswords -DomainController 192.168.1.1 -Credential DEMO\karl | Format-Table -AutoSize

Hostname                     Stored Readable Password Expiration
--------                     ------ -------- -------- ----------
WIN-M8V16OTGIIN.test.domain  0      0                 NA
WIN-M8V16OTGIIN.test.domain  0      0                 NA
ASSESS-WIN7-TEST.test.domain 1      0                 6/3/2015 7:09:28 PM

Here's the same command being run with an account that has read access to the password:

PS C:\> Get-LAPSPasswords -DomainController 192.168.1.1 -Credential DEMO\administrator | Format-Table -AutoSize

Hostname                     Stored Readable Password       Expiration
--------                     ------ -------- --------       ----------
WIN-M8V16OTGIIN.test.domain  0      0                       NA
WIN-M8V16OTGIIN.test.domain  0      0                       NA
ASSESS-WIN7-TEST.test.domain 1      1        $sl+xbZz2&qtDr 6/3/2015 7:09:28 PM
The usage is pretty simple and everything is table friendly, so it's easy to export to a CSV.

Special thank you to Scott Sutherland for letting me use his Get-ExploitableSystems script as the base for the script. The LDAP query functions came from Carlos Perez's PoshSec-Mod (and were also adapted from Scott's script). And the overall idea to port this over to a PowerView-friendly function came from a conversation with @_wald0 on Twitter.
Links
- http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
- https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789
- https://technet.microsoft.com/en-us/library/security/3062591
- http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
Bonus Material
If you happen to have the AdmPwd.PS PowerShell module installed (as part of LAPS), you can use the following one-liner to pull all the local admin credentials for your current domain (assuming you have the rights). The original one-liner assumed $colResults already held the results of an LDAP search for computer objects; the searcher lines are added here so it runs on its own:

# Assumed (not in the original one-liner): populate $colResults with the domain's computer objects
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = '(objectCategory=computer)'
$colResults = $objSearcher.FindAll()

# For every computer except the one you are running on, ask LAPS for its stored password
foreach ($objResult in $colResults) {
    $objComputer = $objResult.Properties
    $objComputer.name | Where-Object { $_ -ne $env:COMPUTERNAME } | ForEach-Object { Get-AdmPwdPassword -ComputerName $_ }
}