Dump LAPS passwords with ldapsearch

If you’ve ever been pentesting an organization that had LAPS, you know that it is the best solution for randomizing local administrator passwords on the planet. (You should just be leaving them disabled).
LAPS stores it’s information in Active Directory:
The expiration time: ms-Mcs-AdmPwdExpirationTime: 131461867015760024
And the actual password in clear text: ms-Mcs-AdmPwd: %v!e#7S#{s})+y2yS#(
When LAPS first came it, any user in Active Directory could read it.

This is a Security Bloggers Network syndicated blog post authored by Room362. Read the original post at: Room362