Skip to content

LAPSv2 SID fix#37

Merged
psycep merged 1 commit into
mandiant:mainfrom
AntonKovalsky:LAPSv2_SID_fix
Jul 17, 2026
Merged

LAPSv2 SID fix#37
psycep merged 1 commit into
mandiant:mainfrom
AntonKovalsky:LAPSv2_SID_fix

Conversation

@AntonKovalsky

Copy link
Copy Markdown
Contributor

LAPSv2 SID fix

  1. CreateSecurityDescriptor (pkg/dpaping) — canonical SD byte layout (DACL→owner→group); MS-GKDI keys the returned seed off the exact SD bytes. (the main bug)
  2. scanForSID fallback (pkg/dpaping) — fixed "no SID found".
  3. DH shared-secret zero-padding (pkg/dpaping) — fixes a latent intermittent failure.
  4. JSON UTF-16 trim (tools/GetLAPSPassword) — this one, fixes the dropped closing brace.

LAPSv2 SID fix
@google-cla

google-cla Bot commented Jun 15, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@psycep

psycep commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Testing notes

Validated end-to-end against a live Windows LAPS v2 (encrypted / MS-GKDI) target in a lab domain, since this path can't be exercised without an encrypted-LAPS host.

Setup: extended the AD schema for Windows LAPS (Update-LapsADSchema), granted the target computer self-write, configured the Windows LAPS AD-backup-with-encryption policy on it (encryption principal = Domain Admins; domain functional level 2016; KDS root key present), and forced a rotation so msLAPS-EncryptedPassword was populated (~1278 bytes). The legacy ms-Mcs-AdmPwd attribute was cleared so the tool reaches the encrypted branch rather than short-circuiting on v1.

A/B result (identical command, Kerberos auth to GKDI):

Build Behavior Result
main (pre-fix) old SD layout, no SID fallback Fails: no SID found in CMS structure
this PR scanForSID fallback + canonical SD layout Retrieves the group key via GKDI GetKey and decrypts to the correct plaintext password

Both changes are exercised: the scanForSID fallback is what lets the SID be extracted from this encoding (main fails without it), and the security-descriptor layout is accepted by GKDI GetKey, which returns a working key — the decrypted password matched the expected policy-length value.

Out of scope, filed separately: while testing this we uncovered a pre-existing bug in the post-decrypt handling — the plaintext is recovered correctly but the JSON parse drops a few trailing bytes ({"n":...,"p":"..." returned without its closing brace), so the final parse fails. A follow-up PR will address that; it is independent of the SID/SD fix here.

@psycep
psycep merged commit c0a7597 into mandiant:main Jul 17, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants