There are some techniques that we can leverage to backdoor the LAPS administrative tooling and obtain a copy of passwords when viewed by an admin. This module will demonstrate this idea using the LAPS PowerShell cmdlet Get-AdmPwdPassword. If installed on a machine, the LAPS PowerShell modules can be found under C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS.
Since PowerShell heavily utilises the .NET Framework, the DLLs here are written in C#, which makes them fairly trivial to download, modify and re-upload. Download AdmPwd.PS.dll and AdmPwd.Utils.dll, sync them to your attacking machine and open AdmPwd.PS.dll with dnSpy. Use the Assembly Explorer to drill down into the DLL, namespaces and classes until you find the GetPassword method.

This method calls DirectoryUtils.GetPasswordInfo, which returns a PasswordInfo object. You can click on the name and dnSpy will take you to the class definition. It contains properties for ComputerName, DistinguishedName, Password and ExpirationTimestamp. The Password property is simply the plaintext password that is shown to the admin. Let's modify the code to send the plaintext passwords to us over an HTTP GET request.

OPSEC: This is obviously an irresponsible method to use in the real world, because the plaintext password is being sent unencrypted over the wire. This is just an example.

Go back to the GetPassword method, right-click somewhere in the main window and select Edit Method. The first thing we need to do is add a new assembly reference, using the little button at the bottom of the edit window. Use the search box to find and add System.Net. This code will simply instantiate a new WebClient and call the DownloadString method, passing the computer name and password in the URI.

Once the modifications are in place, click the Compile button in the bottom-right of the edit window. Then select File > Save Module to write the changes to disk. Upload the DLL back to the target to overwrite the existing file.
One downside of this tactic is that it breaks the DLL's digital signature, although that alone does not prevent PowerShell from loading the modified module.
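Because the recompiled DLL no longer carries a valid Authenticode signature, that is exactly what a defender can check for. The following PowerShell is an added example, not part of the original module, that audits the LAPS module directory and reports any DLL that fails signature validation; it assumes the default module path given above.

```powershell
# Added example (not from the original module): audit the LAPS PowerShell module
# directory for DLLs whose Authenticode signature no longer validates. An edited
# and recompiled AdmPwd.PS.dll reports a Status of NotSigned or HashMismatch.
# Assumes the default LAPS module path; pass another path to audit a copy.
function Test-LapsModuleIntegrity {
    param(
        [string]$ModulePath = 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS'
    )

    if (-not (Test-Path -LiteralPath $ModulePath)) {
        Write-Warning "LAPS module directory not found: $ModulePath"
        return
    }

    Get-ChildItem -LiteralPath $ModulePath -Filter '*.dll' -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            File        = $_.FullName
            Status      = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LastWritten = $_.LastWriteTimeUtc # a recent write on a long-installed module is itself suspicious
        }
    }
}

# Report only DLLs that fail validation. Compare the SHA256 values against a
# known-good baseline from an untouched installation before trusting the module.
Test-LapsModuleIntegrity | Where-Object { $_.Status -ne 'Valid' } | Format-List
```

A Status other than Valid on AdmPwd.PS.dll or AdmPwd.Utils.dll means the file should be restored from a trusted installation source and the host treated as compromised.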
As nlamb on Workstation 1, grab the LAPS password for a computer.
You should see a corresponding hit in your Cobalt Strike web log.