# ReadLAPSPassword

> This privilege allows a principal to read the LAPS password from a computer.

Applies to BloodHound Enterprise and CE

For systems using legacy LAPS, the following AD computer object properties are relevant:

* **ms-Mcs-AdmPwd**: The plaintext LAPS password
* **ms-Mcs-AdmPwdExpirationTime**: The LAPS password expiration time

For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant:

* **msLAPS-Password**: The plaintext LAPS password
* **msLAPS-PasswordExpirationTime**: The LAPS password expiration time
* **msLAPS-EncryptedPassword**: The encrypted LAPS password
* **msLAPS-EncryptedPasswordHistory**: The encrypted LAPS password history
* **msLAPS-EncryptedDSRMPassword**: The encrypted Directory Services Restore Mode (DSRM) password
* **msLAPS-EncryptedDSRMPasswordHistory**: The encrypted DSRM password history

## Abuse Info

Plaintext attributes can be read using a simple LDAP client. For example, with PowerView:

```
Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"
```

On Linux, using bloodyAD:

```
bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
```

Encrypted attributes can be decrypted using Microsoft's LAPS PowerShell module. For example:

```
Get-LapsADPassword "WIN10" -AsPlainText
```

The encrypted attributes can also be retrieved and decrypted using [lapsv2decrypt](https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt) (dotnet or BOF).

## Opsec Considerations

Reading properties from LDAP is extremely low risk, and can only be detected by monitoring LDAP queries.
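For defenders, the LDAP query monitoring mentioned above can be keyed on the attribute names listed on this page. The following is an added example, not BloodHound's own code: it assumes LDAP query telemetry has already been normalized into records with hypothetical fields `user`, `client`, `filter` and `attributes`, and the severity tiers and reader allowlist are illustrative assumptions.

```python
import re

# LAPS attributes named on this page, lowercased (LDAP attribute names are case-insensitive).
SECRET_ATTRS = {
    "ms-mcs-admpwd", "mslaps-password", "mslaps-encryptedpassword",
    "mslaps-encryptedpasswordhistory", "mslaps-encrypteddsrmpassword",
    "mslaps-encrypteddsrmpasswordhistory",
}
EXPIRY_ATTRS = {"ms-mcs-admpwdexpirationtime", "mslaps-passwordexpirationtime"}
LAPS_ATTRS = SECRET_ATTRS | EXPIRY_ATTRS

# Matches "(attr=*)" presence tests, which select every LAPS-managed computer at once.
PRESENCE = re.compile(r"\(\s*([\w-]+)\s*=\s*\*\s*\)")

def classify(record, allowed_readers=frozenset()):
    """Return None for unrelated queries, else a finding dict for one LDAP query record."""
    requested = {a.strip().lower() for a in record["attributes"]}
    secrets = sorted(requested & SECRET_ATTRS)
    sweep = any(m.lower() in LAPS_ATTRS for m in PRESENCE.findall(record["filter"]))
    if not secrets and not sweep:
        return None
    if record["user"].lower() in allowed_readers:
        severity = "info"      # expected reader (hypothetical allowlist), keep for audit
    elif secrets and sweep:
        severity = "high"      # secret requested across all LAPS-managed computers
    elif secrets:
        severity = "medium"    # secret requested, scoped by some other filter
    else:
        severity = "low"       # enumerates LAPS-managed hosts, no secret requested
    return {"user": record["user"], "client": record["client"],
            "secrets": secrets, "sweep": sweep, "severity": severity}

# Constructed sample records; field names are assumptions, not a real log schema.
SAMPLE = [
    {"user": "CORP\\helpdesk1", "client": "10.0.0.21", "filter": "(cn=WIN10)",
     "attributes": ["cn", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]},
    {"user": "CORP\\jdoe", "client": "10.0.0.57",
     "filter": "(ms-mcs-admpwdexpirationtime=*)",
     "attributes": ["ms-mcs-admpwd", "ms-mcs-admpwdexpirationtime"]},
    {"user": "CORP\\jdoe", "client": "10.0.0.57", "filter": "(objectClass=computer)",
     "attributes": ["cn", "operatingSystem"]},
]

def findings(records, allowed_readers=frozenset()):
    return [f for f in (classify(r, allowed_readers) for r in records) if f]

if __name__ == "__main__":
    for f in findings(SAMPLE, allowed_readers={"corp\\helpdesk1"}):
        print(f)
```

Populate the allowlist from the principals that hold this edge by design, so that any other reader of a secret attribute stands out.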

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [Computer](/resources/nodes/computer)\
Traversable: **Yes**

## References

* [https://www.specterops.io/assets/resources/an\_ace\_up\_the\_sleeve.pdf](https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)
* [https://adsecurity.org/?p=3164](https://adsecurity.org/?p=3164)
* [https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword](https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword)
* [https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt](https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt)
* [https://github.com/CravateRouge/bloodyAD](https://github.com/CravateRouge/bloodyAD)
* [https://specterops.io/blog/2018/08/07/bloodhound-2-0/](https://specterops.io/blog/2018/08/07/bloodhound-2-0/)
