SharpHoundCommon icon indicating copy to clipboard operation
SharpHoundCommon copied to clipboard
verified publisher icon BloodHoundAD

Fixed LAPS attributes

Open spyr0-sec opened this issue 1 year ago • 1 comments

Description

As discussed with @rvazarkar attributes for "new" LAPS were not being captured due to typos

Motivation and Context

ReadLAPSPassword edges were not being created as the password attributes were not captured in the GUID map

How Has This Been Tested?

This has not been tested, just sanity checked by matching up the names in the AD schema

Screenshots (if appropriate):

image

Example of the ms-LAPS-EncryptedPassword GUID

image

Types of changes

  • [ ] Chore (a change that does not modify the application functionality)
  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • [ ] Documentation updates are needed, and have been made accordingly.
  • [ ] I have added and/or updated tests to cover my changes.
  • [ ] All new and existing tests passed.
  • [ ] My changes include a database migration.

spyr0-sec avatar Oct 02 '24 12:10 spyr0-sec

Looks like there is another issue with building the GUID cache. I'm getting a handful of these errors in my lab when running SharpHound with v -1: Error while building GUID cache for EXTERNAL.LOCAL: Query - Caught unrecoverable exception: The size limit was exceeded

That effects legacy LAPS too. Will get that fixed first and then test your PR.

JonasBK avatar Oct 07 '24 13:10 JonasBK

Think I have worked out the confusion. The HasLAPS() logic seems to be not returning the value for the name attribute (directoryObject.TryGetLongProperty(LDAPProperties.LAPSExpirationTime, out var lapsExpiration)

Whereas, the BuildGuidCache is returning the SchemaIDGuid and the name values for the LAPS extended rights. So I have fixed the attributes in "new" LAPS. @JonasBK / @rvazarkar can I just get you confirm the name values are correct for the legacy LAPS.

LegacyLAPSExpirationTime = value of adminDisplayName / cn / lDAPDisplayName (assumings it different value to name) for ms-mcs-admpwdexpirationtime attribute

LegacyLAPSPassword = value of name for ms-mcs-admpwd attribute.

image

spyr0-sec avatar Oct 16 '24 22:10 spyr0-sec

Will test legacy LAPS later and if all good, will merge in. Thank you for the excellent work!

rvazarkar avatar Oct 17 '24 19:10 rvazarkar