Retrieve LAPS Passwords with goLAPS: A Domain Security Tool


GitHub – sensepost/goLAPS: Retrieve LAPS (Local Administrator Password Solution) passwords from a domain. This tool is inspired by pyLAPS and is designed for security professionals performing red team or blue team operations.

🔗 URL: github.com/sensepost/goLAPS

You Should Know: How goLAPS Works & Practical Usage

What is LAPS?

LAPS is a Microsoft solution that manages local administrator passwords in Active Directory (AD) environments. It randomizes and stores passwords securely, reducing the risk of lateral movement attacks.

Installing & Using goLAPS

1. Clone the Repository:

git clone https://github.com/sensepost/goLAPS.git 
cd goLAPS 

2. Build the Tool:

go build 

3. Run goLAPS:

./goLAPS -domain example.com -username user -password pass 

Key Commands & Detection

  • LDAP Query Used by goLAPS:
    (&(objectCategory=computer)(ms-MCS-AdmPwd=*))
    
  • Detecting Suspicious LDAP Requests:
    Monitor for unusual LDAP queries targeting `ms-MCS-AdmPwd` in Windows Event Logs:

    Get-WinEvent -LogName "Security" | Where-Object { $_.Message -like "*ms-MCS-AdmPwd*" }
    

  • Mitigation:
      • Restrict LDAP queries to authorized users.
      • Enable LAPS auditing in Group Policy.

Alternative Tools & Techniques

  • PowerShell LAPS Retrieval:
    Get-AdmPwdPassword -ComputerName "TARGET_PC" 
    
  • Manual LDAP Query (Windows):
    ([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*))").FindAll()
    

What Undercode Say

goLAPS is a powerful tool for retrieving LAPS passwords, but its usage should be strictly for authorized security testing. Unauthorized access to LAPS passwords can lead to domain compromise. Defenders should monitor LDAP queries and restrict permissions to prevent abuse.

Expected Output:

Computer: DC01 
Password: xY7!pQ2 
Expires: 2023-12-31 

For defenders, logging and alerting on `ms-MCS-AdmPwd` queries is critical to detect potential attackers early.
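
One way to triage that telemetry, as an added example that is not part of goLAPS or the original post: it parses each LDAP search filter and separates searches that read `ms-MCS-AdmPwd` for one named host from searches that read it across many computers, as the filter shown above does. The record layout (account, filter, requested attributes), the `HOST_KEYS` set and the sample accounts are assumptions made for this example.

```python
from collections import Counter
SENSITIVE = {"ms-mcs-admpwd"}  # attribute this page's filter targets, lower-cased
HOST_KEYS = {"cn", "name", "samaccountname", "dnshostname"}  # assumed host identifiers

def parse(f, i=0):
    """Parse an RFC 4515 filter at f[i] == '('; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '('")
    op, i, kids = f[i + 1], i + 2, []
    if op not in "&|!":  # simple item such as attr=value
        j = f.index(")", i - 1)  # literal parentheses in values are escaped as \28 \29
        attr, _, value = f[i - 1:j].partition("=")
        return ("item", attr.strip().rstrip("~<>:").lower(), value.strip()), j + 1
    while f[i] == "(":
        kid, i = parse(f, i)
        kids.append(kid)
    if f[i] != ")":
        raise ValueError("expected ')'")
    return (op, kids), i + 1

def touches(node):  # True if any item in the tree tests a sensitive attribute
    return node[1] in SENSITIVE if node[0] == "item" else any(map(touches, node[1]))

def pinned(node):  # True if every possible match is tied to one literally named host
    if node[0] == "item":
        return node[1] in HOST_KEYS and node[2] != "" and "*" not in node[2]
    if node[0] == "&":
        return any(map(pinned, node[1]))
    return node[0] == "|" and bool(node[1]) and all(map(pinned, node[1]))  # '!' never pins

def classify(ldap_filter, attrs=()):
    """Return 'bulk', 'targeted' or None for one search (filter + requested attributes)."""
    wanted = any(a.lower() in SENSITIVE for a in attrs)
    try:
        tree, _ = parse(ldap_filter.strip())
    except (ValueError, IndexError):  # malformed filter: fall back to a substring check
        return "bulk" if wanted or "ms-mcs-admpwd" in ldap_filter.lower() else None
    if not (wanted or touches(tree)):
        return None
    return "targeted" if pinned(tree) else "bulk"

def bulk_readers(records):  # account -> number of bulk LAPS-password searches
    return dict(Counter(a for a, flt, attrs in records if classify(flt, attrs) == "bulk"))

SAMPLE = [  # constructed records: (account, search filter, requested attributes)
    ("CORP\\helpdesk1", "(&(objectCategory=computer)(cn=WS-0142)(ms-MCS-AdmPwd=*))", []),
    ("CORP\\svc-backup", "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))", []),
    ("CORP\\tmp-admin", "(objectCategory=computer)", ["ms-Mcs-AdmPwd"]),
]
```

The third sample record shows why matching on the filter text alone is not enough: the password attribute can be named only in the requested-attribute list while the filter itself looks like an ordinary computer search.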

Related Cybersecurity Commands:

  • Linux (for AD queries):
    ldapsearch -x -H ldap://domain.com -D "<user>@domain.com" -W -b "dc=domain,dc=com" "(ms-MCS-AdmPwd=*)"
    
  • Windows Defender Logging:
    auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
    
  • LAPS GPO Enforcement:
    gpupdate /force 
    

This tool highlights the importance of securing LAPS implementations and monitoring for abnormal LDAP activity.

Expected Output:

[+] Successfully retrieved LAPS passwords for 3 computers. 

References:

Reported By: Florian Hansemann – Hackers Feeds