mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-26 21:13:44 +00:00
228 lines
12 KiB
Markdown
228 lines
12 KiB
Markdown
|
# FreeIPA Pentesting
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
## Basic Information
|
|||
|
|
|||
|
FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes.
|
|||
|
|
|||
|
## Fingerprints
|
|||
|
|
|||
|
### Files & Environment Variables
|
|||
|
|
|||
|
* The file at `/etc/krb5.conf` is where Kerberos client information, necessary for enrollment in the domain, is stored. This includes KDCs and admin servers' locations, default settings, and mappings.
|
|||
|
* System-wide defaults for IPA clients and servers are set in the file located at `/etc/ipa/default.conf`.
|
|||
|
* Hosts within the domain must have a `krb5.keytab` file at `/etc/krb5.keytab` for authentication processes.
|
|||
|
* Various environment variables (`KRB5CCNAME`, `KRB5_KTNAME`, `KRB5_CONFIG`, `KRB5_KDC_PROFILE`, `KRB5RCACHETYPE`, `KRB5RCACHEDIR`, `KRB5_TRACE`, `KRB5_CLIENT_KTNAME`, `KPROP_PORT`) are used to point to specific files and settings relevant to Kerberos authentication.
|
|||
|
|
|||
|
### Binaries
|
|||
|
|
|||
|
Tools such as `ipa`, `kdestroy`, `kinit`, `klist`, `kpasswd`, `ksu`, `kswitch`, and `kvno` are central to managing FreeIPA domains, handling Kerberos tickets, changing passwords, and acquiring service tickets, among other functionalities.
|
|||
|
|
|||
|
### Network
|
|||
|
|
|||
|
An illustration is provided to depict a typical FreeIPA server setup.
|
|||
|
|
|||
|
## Authentication
|
|||
|
|
|||
|
Authentication in FreeIPA, leveraging **Kerberos**, mirrors that in **Active Directory**. Access to domain resources necessitates a valid Kerberos ticket, which can be stored in various locations depending on FreeIPA domain configuration.
|
|||
|
|
|||
|
### **CCACHE Ticket Files**
|
|||
|
|
|||
|
CCACHE files, stored typically in **`/tmp`** with **600** permissions, are binary formats for storing Kerberos credentials, important for authentication without a user's plaintext password due to their portability. Parsing a CCACHE ticket can be done using the `klist` command, and re-using a valid CCACHE Ticket involves exporting `KRB5CCNAME` to the ticket file's path.
|
|||
|
|
|||
|
### **Unix Keyring**
|
|||
|
|
|||
|
Alternatively, CCACHE Tickets can be stored in the Linux keyring, offering more control over ticket management. The scope of ticket storage varies (`KEYRING:name`, `KEYRING:process:name`, `KEYRING:thread:name`, `KEYRING:session:name`, `KEYRING:persistent:uidnumber`), with `klist` capable of parsing this information for the user. However, re-using a CCACHE Ticket from the Unix keyring can pose challenges, with tools like **Tickey** available for extracting Kerberos tickets.
|
|||
|
|
|||
|
### Keytab
|
|||
|
|
|||
|
Keytab files, containing Kerberos principals and encrypted keys, are critical for obtaining valid ticket granting tickets (TGT) without needing the principal's password. Parsing and re-using credentials from keytab files can be easily performed with utilities like `klist` and scripts such as **KeytabParser**.
|
|||
|
|
|||
|
### Cheatsheet
|
|||
|
|
|||
|
You can find more information about how to use tickets in linux in the following link:
|
|||
|
|
|||
|
{% content-ref url="privilege-escalation/linux-active-directory.md" %}
|
|||
|
[linux-active-directory.md](privilege-escalation/linux-active-directory.md)
|
|||
|
{% endcontent-ref %}
|
|||
|
|
|||
|
## Enumeration
|
|||
|
|
|||
|
{% hint style="warning" %}
|
|||
|
You could perform the **enumeration** via **ldap** and other **binary** tools, or **connecting to the web page in the port 443 of the FreeIPA server**.
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
### Hosts, Users, and Groups <a href="#id-4b3b" id="id-4b3b"></a>
|
|||
|
|
|||
|
It's possible to create **hosts**, **users** and **groups**. Hosts and users are sorted into containers called “**Host Groups**” and “**User Groups**” respectively. These are similar to **Organizational Units** (OU).
|
|||
|
|
|||
|
By default in FreeIPA, the LDAP server allows for **anonymous binds**, and a large swath of data is enumerable **unauthenticated**. This can enumerate all data available unauthenticated:
|
|||
|
|
|||
|
```
|
|||
|
ldapsearch -x
|
|||
|
```
|
|||
|
|
|||
|
To get **more information** you need to use an **authenticated** session (check the Authentication section to learn how to prepare an authenticated session).
|
|||
|
|
|||
|
```bash
|
|||
|
# Get all users of domain
|
|||
|
ldapsearch -Y gssapi -b "cn=users,cn=compat,dc=domain_name,dc=local"
|
|||
|
|
|||
|
# Get users groups
|
|||
|
ldapsearch -Y gssapi -b "cn=groups,cn=accounts,dc=domain_name,dc=local"
|
|||
|
|
|||
|
# Get all the hosts
|
|||
|
ldapsearch -Y gssapi -b "cn=computers,cn=accounts,dc=domain_name,dc=local"
|
|||
|
|
|||
|
# Get hosts groups
|
|||
|
ldapsearch -Y gssapi -b "cn=hostgroups,cn=accounts,dc=domain_name,dc=local"
|
|||
|
```
|
|||
|
|
|||
|
From a domain joined machine you will be able to use **installed binaries** to enumerate the domain:
|
|||
|
|
|||
|
```bash
|
|||
|
ipa user-find
|
|||
|
ipa usergroup-find
|
|||
|
ipa host-find
|
|||
|
ipa host-group-find
|
|||
|
|
|||
|
-------------------
|
|||
|
|
|||
|
ipa user-show <username> --all
|
|||
|
ipa usergroup-show <user group> --all
|
|||
|
ipa host-find <host> --all
|
|||
|
ipa hostgroup-show <host group> --all
|
|||
|
```
|
|||
|
|
|||
|
{% hint style="info" %}
|
|||
|
The **admin** user of **FreeIPA** is the equivalent to **domain admins** from **AD**.
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
### Hashes <a href="#id-482b" id="id-482b"></a>
|
|||
|
|
|||
|
The **root** user from the **IPA serve**r has access to the password **hashes**.
|
|||
|
|
|||
|
* The password hash of a user is stored as **base64** in the “**userPassword**” **attribute**. This hash might be **SSHA512** (old versions of FreeIPA) or **PBKDF2\_SHA256**.
|
|||
|
* The **Nthash** of the password store as **base64** in “**ipaNTHash**” if system has **integration** with **AD**.
|
|||
|
|
|||
|
To crack these hashes:
|
|||
|
|
|||
|
• If freeIPA integrated with AD, **ipaNTHash** is easy to crack: You should **decode** **base64** -> re-encoded it as **ASCII** hex -> John The Ripper or **hashcat** can help you to crack it fast
|
|||
|
|
|||
|
• If an old version of FreeIPA is used, so **SSHA512** is used: You should decode **base64** -> find SSHA512 **hash** -> John The Ripper or **hashcat** can help you to crack it
|
|||
|
|
|||
|
• If new version of FreeIPA is used, so **PBKDF2\_SHA256** is used: You should decode **base64** -> find PBKDF2\_SHA256 -> it’s **length** is 256 byte. John can work with 256 bits (32 byte) -> SHA-265 used as the pseudo-random function, block size is 32 byte -> you can use only first 256 bit of our PBKDF2\_SHA256 hash -> John The Ripper or hashcat can help you to crack it
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (655).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
To extract the hashes you need to be **root in the FreeIPA server**, there you can use the tool **`dbscan`** to extract them:
|
|||
|
|
|||
|
<figure><img src="../.gitbook/assets/image (293).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
### HBAC-Rules <a href="#id-482b" id="id-482b"></a>
|
|||
|
|
|||
|
There are the rules that grant specific permissions to users or hosts over resources (hosts, services, service groups...)
|
|||
|
|
|||
|
```bash
|
|||
|
# Enumerate using ldap
|
|||
|
ldapsearch -Y gssapi -b "cn=hbac,dc=domain_name,dc=local"
|
|||
|
# Using ipa
|
|||
|
ipa hbacrule-find
|
|||
|
# Show info of rule
|
|||
|
ipa hbacrule-show <hbacrule> --all
|
|||
|
```
|
|||
|
|
|||
|
#### Sudo-Rules
|
|||
|
|
|||
|
FreeIPA enables centralized control over **sudo permissions** via sudo-rules. These rules allow or limit the execution of commands with sudo on hosts within the domain. An attacker could potentially identify the applicable hosts, users, and allowed commands by examining these rulesets.
|
|||
|
|
|||
|
```bash
|
|||
|
# Enumerate using ldap
|
|||
|
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=domain_name,dc=local"
|
|||
|
# Using ipa
|
|||
|
ipa sudorule-find
|
|||
|
# Show info of rule
|
|||
|
ipa sudorule-show <sudorule> --all
|
|||
|
```
|
|||
|
|
|||
|
### Role-Based Access Control
|
|||
|
|
|||
|
A **role** is comprised of various **privileges**, each of which encompasses a collection of **permissions**. These roles can be assigned to Users, User **Groups**, **Hosts**, Host Groups, and Services. For instance, consider the default “User Administrator” role in FreeIPA to exemplify this structure.
|
|||
|
|
|||
|
The role `User Administrator` has these privileges:
|
|||
|
|
|||
|
* **User Administrators**
|
|||
|
* **Group Administrators**
|
|||
|
* **Stage User Administrators**
|
|||
|
|
|||
|
With the following commands it's possibel to enumerate the roles, privileges and permissions:
|
|||
|
|
|||
|
```bash
|
|||
|
# Using ldap
|
|||
|
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=westeros,dc=local"
|
|||
|
# Using ipa binary
|
|||
|
ipa role-find
|
|||
|
ipa role-show <role> --all
|
|||
|
ipa privilege-find
|
|||
|
ipa privilege-show <privilege> --all
|
|||
|
ipa permission-find
|
|||
|
ipa permission-show <permission> --all
|
|||
|
```
|
|||
|
|
|||
|
### Attack Scenario Example
|
|||
|
|
|||
|
In [https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e](https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e) you can find a simple example of how to abuse some permissions to compromise the domain.
|
|||
|
|
|||
|
### Linikatz/LinikatzV2
|
|||
|
|
|||
|
* [https://github.com/Orange-Cyberdefense/LinikatzV2](https://github.com/Orange-Cyberdefense/LinikatzV2)
|
|||
|
* [https://github.com/CiscoCXSecurity/linikatz](https://github.com/CiscoCXSecurity/linikatz)
|
|||
|
|
|||
|
## Privesc
|
|||
|
|
|||
|
### ~~root user creation~~
|
|||
|
|
|||
|
{% hint style="warning" %}
|
|||
|
If you can **create a new user with the name `root`**, you can impersonate him and you will be able to **SSH into any machine as root.**
|
|||
|
|
|||
|
**THIS HAS BEEN PATCHED.**
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
You can check a detailed explaination in [https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b](https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b)
|
|||
|
|
|||
|
## References
|
|||
|
|
|||
|
* [https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b](https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b)
|
|||
|
* [https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a](https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a)
|
|||
|
* [https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1](https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)
|
|||
|
* [https://www.youtube.com/watch?v=9dOu-7BTwPQ](https://www.youtube.com/watch?v=9dOu-7BTwPQ)
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|