
LAPS Dumper

Tool that dumps LAPS passwords. Dumps every LAPS password the account has the ability to read within a domain.

Description

lapsdumper is a specialized tool designed to extract Local Administrator Password Solution (LAPS) passwords from Active Directory environments. LAPS is a Microsoft feature that manages unique local administrator passwords for domain-joined computers, storing them securely in Active Directory attributes.

The tool authenticates to LDAP using provided credentials and queries for LAPS passwords that the authenticated account has permission to access. It is particularly useful in penetration testing and red team operations where domain credentials have been obtained and LAPS passwords need to be recovered for lateral movement to workstations and servers.

By connecting to the domain's LDAP server, lapsdumper retrieves the encrypted password attributes (ms-Mcs-AdmPwd) for specified computers or all accessible ones, enabling attackers to gain administrative access to target systems.

How It Works

lapsdumper uses python3-ldap3 to establish an LDAP connection to the specified domain controller or LDAP server. It authenticates with the provided username and password (or LM:NT hash), then queries Active Directory for LAPS password attributes (ms-Mcs-AdmPwd) on computer objects. The tool enumerates all computer accounts the authenticated user has read permissions for, decrypting and extracting the LAPS passwords stored in these attributes.
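
Because the tool reads ms-Mcs-AdmPwd on every computer object its account can see, a dump appears on the directory side as one principal touching that attribute on many objects within a short time. The following added example (not part of lapsdumper or of the original page) flags that pattern in simplified event 4662 records. The record layout, the GUID placeholder, the threshold and the sample events are assumptions constructed for illustration, and read auditing for the attribute is presumed to be enabled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: schemaIDGUID of ms-Mcs-AdmPwd, looked up in your own AD schema.
LAPS_ATTR_GUID = "{LAPS-ATTR-GUID-PLACEHOLDER}"


def bulk_laps_readers(events, threshold=3, window=timedelta(minutes=5)):
    """Return {subject: most distinct computers read inside one window}
    for every subject that reaches `threshold` distinct computer objects."""
    reads = defaultdict(list)
    for ev in events:
        # Only directory-access events that touched the LAPS attribute count.
        if ev["event_id"] == 4662 and LAPS_ATTR_GUID in ev["properties"]:
            reads[ev["subject"].lower()].append(
                (datetime.fromisoformat(ev["time"]), ev["object_dn"].lower()))
    flagged = {}
    for subject, items in reads.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({dn for _, dn in items[start:end + 1]}))
        if best >= threshold:
            flagged[subject] = best
    return flagged


def _ev(time, subject, host, prop=LAPS_ATTR_GUID):
    """Build one constructed, already-parsed 4662 record (hypothetical layout)."""
    return {"event_id": 4662, "time": time, "subject": subject,
            "object_dn": f"CN={host},OU=Workstations,DC=corp,DC=local",
            "properties": [prop]}


# Constructed sample: jdoe reads four hosts in four seconds, helpdesk1 reads
# two hosts hours apart, and one jdoe event touches an unrelated attribute.
SAMPLE_EVENTS = (
    [_ev(f"2026-04-16T09:00:0{i}", "CORP\\jdoe", f"WS0{i}") for i in range(1, 5)]
    + [_ev("2026-04-16T08:00:00", "CORP\\helpdesk1", "WS01"),
       _ev("2026-04-16T10:30:00", "CORP\\helpdesk1", "WS02"),
       _ev("2026-04-16T09:00:09", "CORP\\jdoe", "WS09", "{OTHER-ATTR-GUID}")]
)

if __name__ == "__main__":
    print(bulk_laps_readers(SAMPLE_EVENTS))
```

Tune the threshold and window against the read volume of accounts that legitimately retrieve LAPS passwords, such as help-desk staff.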

Installation

bash
sudo apt install lapsdumper

Flags

-h, --help                     show this help message and exit
-u, --username USERNAME        username for LDAP
-p, --password PASSWORD        password for LDAP (or LM:NT hash)
-l, --ldapserver LDAPSERVER    LDAP server (or domain)
-d, --domain DOMAIN            Domain
-c COMPUTER                    target computer (see man page)
-o OUTPUT                      output file (see man page)

Examples

Dumps all LAPS passwords accessible to the specified domain user across the entire corp.local domain:
lapsdumper -u 'DOMAIN\user' -p 'Password123' -d 'corp.local'

Connects to the specific LDAP server dc01.corp.local and dumps LAPS passwords using domain credentials:
lapsdumper -u 'user' -p 'P@ssw0rd' -l 'dc01.corp.local' -d 'corp.local'

Uses NTLM hash authentication to dump LAPS passwords with a service account:
lapsdumper -u 'svc_account' -p 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0' -d 'example.com'

Dumps the LAPS password specifically for the WORKSTATION01 computer account:
lapsdumper -u 'admin' -p 'Summer2026!' -d 'contoso.com' -c 'WORKSTATION01'

Dumps all accessible LAPS passwords and saves the output to the file laps_passwords.txt:
lapsdumper -u 'jdoe' -p 'Password1' -d 'testlab.local' -o laps_passwords.txt

Uses compromised krbtgt credentials against a specific DC IP to extract LAPS passwords:
lapsdumper -u 'DOMAIN\krbtgt' -p 'compromised_hash' -l '10.10.10.10' -d 'domain.local'

Updated 2026-04-16 | kali.org