Microsoft LAPS: Managing local administrator passwords

Problem statement

Following the compromise of one machine, attackers will seek to leverage other machines to escalate their privileges or gain access to the information they desire.

Within Windows domains, one lateral movement technique exploits the local administrator account, whose password is often identical across machines. That password is easy to obtain if it was deployed via GPO (see CVE-2014-1812 / MS14-025 / KB2962486); otherwise, attackers can extract its hash and use it directly to authenticate on other machines (Pass-the-Hash).

Our experience from the penetration tests Intrinsec conducts at client sites shows that this lateral movement technique is very often feasible. We still regularly find passwords in Group Policy Objects (GPOs): although Microsoft has removed the feature, an existing policy must be cleaned manually for the password to actually disappear.

To address this widespread problem, Microsoft released the Local Administrator Password Solution (LAPS) on May 1, 2015 (Microsoft Security Advisory 3062591 / KB3062591).

This solution is free, relies on existing infrastructure (the Active Directory domain) and allows workstation administration to be delegated (e.g. to administrators or support staff).


Deployment tips

For general deployment instructions, we recommend following the guide provided by Microsoft (the file "LAPS_OperationsGuide.docx").

The machines on which LAPS is deployed generate a random password and store it in their own machine account in the Active Directory database:

[Screenshot: LAPS (2)]

It is therefore important to restrict access to the ms-Mcs-AdmPwd attribute, for example to workstation administrators or support staff. Two PowerShell commands are available for this purpose:

  • Set-AdmPwdReadPasswordPermission: read access to the password
  • Set-AdmPwdResetPasswordPermission: write access to reset it


Note that if the "extended rights" permission is granted on the OU to certain groups (which is not the default), those groups will also be able to read the passwords. This topic is discussed in section 2.2.1 of the "LAPS_OperationsGuide.docx" installation guide.

The PowerShell command `Find-AdmPwdExtendedRights` shows the affected groups. Here is an example (intentionally vulnerable):

[Screenshot: LAPS (3)]
[Screenshot: LAPS (4)]

From a pentester's point of view

NetSPI published an article introducing LAPS and sharing a PowerShell script for recovering poorly protected passwords: Running LAPS Around Cleartext Passwords. The script automatically filters active machine accounts and indicates whether LAPS is in use (presence of the expiration attribute) and the password when it is readable.

A similar result can be achieved with a simple LDAP client (here LDAP Browser) and a query:

[Screenshot: LAPS (5)]

Passwords are transmitted from the machines to AD via LDAP with the encryption and signing options enabled (source: https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/sourcecode?fileId=131854&pathId=606758226).

LDAP connection to AD:

[Screenshot: LAPS (6)]

Sending the password for storage:

[Screenshot: LAPS (7)]

Examples

Initial configuration using PowerShell on Active Directory:

[Screenshot: LAPS (8)]

  1. List of available commands
  2. AD schema updated with the new attributes
  3. Verification that the "extended rights" permission is restricted
  4. Allowing machines to save their password
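The configuration steps above, together with the read/reset delegation and the extended-rights check from the deployment tips, as one added PowerShell example (this is not code from the original post). It assumes the AdmPwd.PS module is installed on the admin workstation; the OU path, domain and group names are placeholders to adapt.

```powershell
# Added example (not from the original post): delegate LAPS rights on an OU and
# audit who else could read ms-Mcs-AdmPwd through "All extended rights".
Import-Module AdmPwd.PS

$WorkstationsOU  = "OU=Workstations,DC=example,DC=local"      # placeholder OU
$ReadGroup       = "EXAMPLE\Helpdesk"                          # placeholder: may read passwords
$ResetGroup      = "EXAMPLE\WorkstationAdmins"                 # placeholder: may force a reset
# Principals that are expected to hold extended rights on the OU (placeholders)
$ExpectedHolders = @("NT AUTHORITY\SYSTEM", "EXAMPLE\Domain Admins")

# 1. Extend the schema once per forest (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
#    Requires Schema Admins membership.
Update-AdmPwdADSchema

# 2. Let the machines in the OU write their own password and expiration attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationsOU

# 3. Delegate read and reset rights to the intended groups only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationsOU -AllowedPrincipals $ReadGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationsOU -AllowedPrincipals $ResetGroup

# 4. Audit: any principal holding "All extended rights" on the OU can also read
#    the password attribute. Report holders that are not on the expected list.
$Unexpected = Find-AdmPwdExtendedRights -Identity $WorkstationsOU |
    ForEach-Object {
        $dn = $_.ObjectDN
        $_.ExtendedRightHolders |
            Where-Object { $ExpectedHolders -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ ObjectDN = $dn; Holder = $_ } }
    }

if ($Unexpected) {
    Write-Warning "Principals with unexpected extended rights (can read LAPS passwords):"
    $Unexpected | Format-Table -AutoSize
} else {
    Write-Host "No unexpected extended-rights holders under $WorkstationsOU"
}
```

Run the audit part again after every ACL change on the OU; the unexpected holders it lists should have the extended right removed in the OU's security settings.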


Be sure to configure the GPO correctly by enabling and configuring LAPS:

[Screenshot: LAPS (9)]

An administrator obtaining a password using PowerShell and the thick client:

[Screenshot: LAPS (10)]
[Screenshot: LAPS (1)]

Notes

  • Microsoft had initially published, in KB2962486, a simple PowerShell script to assign a different password to each machine. This approach has the drawback of storing the passwords in a text file, which is not recommended and does not allow them to be shared within an administration team.
  • LAPS has existed since around 2012 under the name AdmPwd; it has only just been officially released and supported by Microsoft.


— Clément Notin