FreeIPA Pentesting
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
FreeIPA is an open-source alternative to Microsoft Windows Active Directory, mainly for Unix environments. It combines a complete LDAP directory with an MIT Kerberos Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag Certificate System for CA & RA certificate management, it supports multi-factor authentication, including smartcards. SSSD is integrated for Unix authentication processes.
Fingerprints
Files & Environment Variables
- The file at `/etc/krb5.conf` is where Kerberos client information, necessary for enrollment in the domain, is stored. This includes KDCs and admin servers' locations, default settings, and mappings.
- System-wide defaults for IPA clients and servers are set in the file located at `/etc/ipa/default.conf`.
- Hosts within the domain must have a `krb5.keytab` file at `/etc/krb5.keytab` for authentication processes.
- Various environment variables (`KRB5CCNAME`, `KRB5_KTNAME`, `KRB5_CONFIG`, `KRB5_KDC_PROFILE`, `KRB5RCACHETYPE`, `KRB5RCACHEDIR`, `KRB5_TRACE`, `KRB5_CLIENT_KTNAME`, `KPROP_PORT`) are used to point to specific files and settings relevant to Kerberos authentication.
Binaries
Tools such as `ipa`, `kdestroy`, `kinit`, `klist`, `kpasswd`, `ksu`, `kswitch`, and `kvno` are central to managing FreeIPA domains, handling Kerberos tickets, changing passwords, and acquiring service tickets, among other functionalities.
Network
An illustration is provided to depict a typical FreeIPA server setup.
Authentication
Authentication in FreeIPA, leveraging Kerberos, mirrors that in Active Directory. Access to domain resources necessitates a valid Kerberos ticket, which can be stored in various locations depending on FreeIPA domain configuration.
CCACHE Ticket Files
CCACHE files, typically stored in `/tmp` with 600 permissions, are a binary format for storing Kerberos credentials; because they are portable, they allow authentication without a user's plaintext password. A CCACHE ticket can be parsed with the `klist` command, and a valid CCACHE ticket is re-used by exporting `KRB5CCNAME` pointing to the ticket file's path.
Unix Keyring
Alternatively, CCACHE tickets can be stored in the Linux keyring, offering more control over ticket management. The scope of ticket storage varies (`KEYRING:name`, `KEYRING:process:name`, `KEYRING:thread:name`, `KEYRING:session:name`, `KEYRING:persistent:uidnumber`), and `klist` can parse this information for the user. However, re-using a CCACHE ticket from the Unix keyring can pose challenges; tools like Tickey are available for extracting Kerberos tickets.
Keytab
Keytab files, containing Kerberos principals and encrypted keys, are critical for obtaining valid ticket granting tickets (TGT) without needing the principal's password. Parsing and re-using credentials from keytab files can be easily performed with utilities like `klist` and scripts such as KeytabParser.
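As an added example (not part of HackTricks, KeytabParser or FreeIPA), the following Python parser reads the MIT keytab file format and lists each entry's principal, kvno and encryption type without returning key material, the kind of audit a defender runs over `/etc/krb5.keytab` to find keys still stored with deprecated enctypes (DES, 3DES, RC4). The keytab bytes are constructed inside the block; the `EXAMPLE.LOCAL` realm, the `client1` host and the key bytes are made up.

```python
import struct

# Encryption type numbers from the IANA Kerberos registry (RFC 3961 / RFC 4120 et al.).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Single DES, 3DES and RC4 are deprecated (RFC 6649 / RFC 8429); flag them.
WEAK_ENCTYPES = {1, 3, 16, 23}


def _counted(buf, pos):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (file format version 0x0502) into a list of entry dicts.
    Key material is never returned, only its length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size = deleted slot, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        vno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno after the key block
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "key_len": len(key),
            "timestamp": timestamp,
        })
    return entries


def weak_entries(entries):
    """Return the entries whose key uses a deprecated encryption type."""
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


# --- constructed sample keytab (made-up realm, host and key bytes) -----------
def _entry(realm, comps, kvno, enctype, key, timestamp=1700000000):
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(b"EXAMPLE.LOCAL", [b"host", b"client1.example.local"], 3, 18, b"\x11" * 32)
    + _entry(b"EXAMPLE.LOCAL", [b"host", b"client1.example.local"], 3, 23, b"\x22" * 16)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        status = "WEAK" if e["enctype"] in WEAK_ENCTYPES else "ok"
        print(f'{e["kvno"]:>3} {e["principal"]:<42} {e["enctype_name"]:<28} {status}')
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open("/etc/krb5.keytab", "rb").read()`; the output matches what `klist -k -e` prints, which is a quick way to confirm the parse.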
Cheatsheet
You can find more information about how to use tickets in linux in the following link:
{% content-ref url="privilege-escalation/linux-active-directory.md" %} linux-active-directory.md {% endcontent-ref %}
Enumeration
{% hint style="warning" %} You could perform the enumeration via LDAP and other binary tools, or by connecting to the web page on port 443 of the FreeIPA server. {% endhint %}
Hosts, Users, and Groups
It's possible to create hosts, users and groups. Hosts and users are sorted into containers called “Host Groups” and “User Groups” respectively. These are similar to Organizational Units (OU).
By default in FreeIPA, the LDAP server allows for anonymous binds, and a large swath of data is enumerable unauthenticated. This can enumerate all data available unauthenticated:
```bash
ldapsearch -x
```
To retrieve more information you need an authenticated session (see the Authentication section above):
```bash
# Get all users of domain
ldapsearch -Y gssapi -b "cn=users,cn=compat,dc=domain_name,dc=local"
# Get users groups
ldapsearch -Y gssapi -b "cn=groups,cn=accounts,dc=domain_name,dc=local"
# Get all the hosts
ldapsearch -Y gssapi -b "cn=computers,cn=accounts,dc=domain_name,dc=local"
# Get hosts groups
ldapsearch -Y gssapi -b "cn=hostgroups,cn=accounts,dc=domain_name,dc=local"
```
From a domain-joined machine you can use the installed binaries to enumerate the domain:
```bash
ipa user-find
ipa usergroup-find
ipa host-find
ipa host-group-find
# -------------------
ipa user-show <username> --all
ipa usergroup-show <user group> --all
ipa host-find <host> --all
ipa hostgroup-show <host group> --all
```
{% hint style="info" %} The admin user of FreeIPA is the equivalent of the domain admins of AD. {% endhint %}
Hashes
The root user of the IPA server is able to access the password hashes.
- The password hash of a user is stored as base64 in the "userPassword" attribute. This hash might be SSHA512 (old versions of FreeIPA) or PBKDF2_SHA256.
- The NT hash of the password is stored as base64 in "ipaNTHash" if the system has integration with AD.
To crack these hashes:
- If FreeIPA is integrated with AD, ipaNTHash is easy to crack: decode the base64 -> re-encode it as ASCII hex -> John The Ripper or hashcat can crack it fast.
- If an old version of FreeIPA is used, so SSHA512 is in use: decode the base64 -> find the SSHA512 hash -> John The Ripper or hashcat can crack it.
- If a new version of FreeIPA is used, so PBKDF2_SHA256 is in use: decode the base64 -> find the PBKDF2_SHA256 hash -> its length is 256 bytes. John works with 256 bits (32 bytes) of SHA-256 output, so only the first 256 bits of the PBKDF2_SHA256 hash are used -> John The Ripper or hashcat can crack it.
To extract the hashes you need to be root on the FreeIPA server; there you can use the tool dbscan to extract them:
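As an added example (not HackTricks' or FreeIPA's own code), the Python below parses the two `userPassword` layouts described above, re-derives each hash from a candidate password the way the directory does, and audits a dump of user entries for what a defender wants to know: accounts still stored with legacy SSHA512, PBKDF2 iteration counts below a local policy threshold, and accounts carrying an `ipaNTHash`. The `first_block_matches` function shows why only the first 256 bits of the 256-byte PBKDF2 output are needed. Assumptions: the 8-byte SSHA salt and 64-byte PBKDF2 salt are taken as the directory server's defaults, the 10000-iteration threshold is an assumed policy value, and all users, salts and the `ipaNTHash` placeholder are constructed.

```python
import base64
import hashlib
import hmac
import struct

# Layout of the two schemes 389-ds (FreeIPA's directory server) uses for userPassword:
#   {SSHA512}<b64( sha512(password || salt) || salt )>
#   {PBKDF2_SHA256}<b64( iterations (4 bytes BE) || salt || derived key (256 bytes) )>
# The 8-byte SSHA salt and 64-byte PBKDF2 salt are assumed defaults; the parser takes
# the digest length from the decoded blob rather than trusting a fixed total size.

SSHA512_DIGEST_LEN = 64
PBKDF2_SALT_LEN = 64
MIN_PBKDF2_ITERATIONS = 10000   # assumed local policy threshold, not a FreeIPA constant


def decode_ldif_attr(line):
    """Split one LDIF line into (attribute, value); 'attr:: x' means x is base64."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode()
    return attr, rest.strip()


def parse_userpassword(stored):
    """Return the scheme and the decoded fields of a userPassword value."""
    if not stored:
        return {"scheme": "NONE"}
    if not stored.startswith("{") or "}" not in stored:
        return {"scheme": "CLEARTEXT_OR_UNKNOWN"}
    scheme, payload = stored[1:].split("}", 1)
    scheme, blob = scheme.upper(), base64.b64decode(payload)
    if scheme == "SSHA512":
        return {"scheme": scheme, "hash": blob[:SSHA512_DIGEST_LEN],
                "salt": blob[SSHA512_DIGEST_LEN:]}
    if scheme == "PBKDF2_SHA256":
        (iterations,) = struct.unpack(">I", blob[:4])
        return {"scheme": scheme, "iterations": iterations,
                "salt": blob[4:4 + PBKDF2_SALT_LEN], "hash": blob[4 + PBKDF2_SALT_LEN:]}
    return {"scheme": scheme, "raw": blob}


def verify(stored, candidate):
    """Recompute the stored hash from a candidate password, as the directory does."""
    p = parse_userpassword(stored)
    pw = candidate.encode()
    if p["scheme"] == "SSHA512":
        return hmac.compare_digest(hashlib.sha512(pw + p["salt"]).digest(), p["hash"])
    if p["scheme"] == "PBKDF2_SHA256":
        dk = hashlib.pbkdf2_hmac("sha256", pw, p["salt"], p["iterations"], dklen=len(p["hash"]))
        return hmac.compare_digest(dk, p["hash"])
    return False


def first_block_matches(stored, candidate):
    """PBKDF2 output blocks are independent, so a 32-byte derivation equals the first
    32 bytes of the 256-byte stored key; that is why only the first 256 bits matter."""
    p = parse_userpassword(stored)
    if p["scheme"] != "PBKDF2_SHA256":
        return False
    dk32 = hashlib.pbkdf2_hmac("sha256", candidate.encode(), p["salt"], p["iterations"], dklen=32)
    return hmac.compare_digest(dk32, p["hash"][:32])


def audit(entries):
    """Findings from a dump of user entries: legacy SSHA512 storage, low PBKDF2
    iteration counts, and ipaNTHash values (usable without the plaintext)."""
    findings = []
    for dn, attrs in entries.items():
        p = parse_userpassword(attrs.get("userPassword", ""))
        if p["scheme"] == "SSHA512":
            findings.append((dn, "legacy SSHA512 password hash"))
        elif p["scheme"] == "PBKDF2_SHA256" and p["iterations"] < MIN_PBKDF2_ITERATIONS:
            findings.append((dn, f"PBKDF2 iterations below policy ({p['iterations']})"))
        if "ipaNTHash" in attrs:
            findings.append((dn, "ipaNTHash present (NT hash stored for AD integration)"))
    return findings


# --- constructed sample entries (fixed salts and made-up users) ---------------
def make_ssha512(password, salt):
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def make_pbkdf2(password, salt, iterations):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=256)
    return "{PBKDF2_SHA256}" + base64.b64encode(struct.pack(">I", iterations) + salt + dk).decode()


SAMPLE = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=local": {
        "userPassword": make_ssha512("Winter2024", b"\x01" * 8)},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=local": {
        "userPassword": make_pbkdf2("Summer2024", b"\x02" * 64, 2048),
        "ipaNTHash": "<constructed placeholder>"},
    "uid=carol,cn=users,cn=accounts,dc=example,dc=local": {
        "userPassword": make_pbkdf2("Autumn2024", b"\x03" * 64, 30000)},
}

if __name__ == "__main__":
    for dn, why in audit(SAMPLE):
        print(f"{dn}: {why}")
```

On a real export the `userPassword` value arrives as `userPassword:: <base64>` in LDIF (the double colon marks a base64-wrapped value), which is what `decode_ldif_attr` unwraps before `parse_userpassword` decodes the scheme's own base64 payload.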
HBAC-Rules
HBAC rules define the permissions that users or hosts have over resources (hosts, services, service groups...).
```bash
# Enumerate using ldap
ldapsearch -Y gssapi -b "cn=hbac,dc=domain_name,dc=local"
# Using ipa
ipa hbacrule-find
# Show info of rule
ipa hbacrule-show <hbacrule> --all
```
Sudo-Rules
FreeIPA enables centralised control over sudo permissions via sudo-rules. These rules allow or limit the execution of commands with sudo on hosts within the domain. An attacker could identify the applicable hosts, users, and allowed commands by examining these rule sets.
```bash
# Enumerate using ldap
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=domain_name,dc=local"
# Using ipa
ipa sudorule-find
# Show info of rule
ipa sudorule-show <sudorule> --all
```
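As an added example for both the HBAC and the sudo-rule sections (this is not HackTricks' or FreeIPA's code), the Python below reads the LDIF that `ldapsearch` prints for `cn=hbac` and `cn=sudorules` and flags the rules a reviewer would want to see first: enabled HBAC allow rules scoped to every user, host and service (the `allow_all` rule FreeIPA ships by default), and enabled sudo rules granting ALL commands on ALL hosts. Attribute names (`ipaEnabledFlag`, `userCategory`, `hostCategory`, `serviceCategory`, `cmdCategory`, `accessRuleType`, `memberUser`, `memberAllowCmd`) are the FreeIPA schema's; the LDIF records, UUIDs, users and hosts are constructed.

```python
import base64


def parse_ldif(text):
    """Minimal LDIF reader returning [(dn, {attr: [values]})]. Unfolds continuation
    lines (leading space) and decodes base64 values written as 'attr:: ...'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:              # trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return records


def _is_all(attrs, name):
    return attrs.get(name, [""])[0].lower() == "all"


def audit_rules(records):
    """Flag enabled rules that grant access on every axis: HBAC allow rules with
    user/host/service category 'all', and sudo rules with ALL commands on ALL hosts."""
    findings = []
    for dn, a in records:
        classes = {c.lower() for c in a.get("objectClass", [])}
        if a.get("ipaEnabledFlag", ["TRUE"])[0].upper() != "TRUE":
            continue                       # disabled rules are not in effect
        if "ipahbacrule" in classes and a.get("accessRuleType", [""])[0] == "allow":
            if all(_is_all(a, n) for n in ("userCategory", "hostCategory", "serviceCategory")):
                findings.append((dn, "HBAC: any user may access any service on any host"))
        if "ipasudorule" in classes and _is_all(a, "cmdCategory") and _is_all(a, "hostCategory"):
            who = "any user" if _is_all(a, "userCategory") else ", ".join(a.get("memberUser", []))
            findings.append((dn, f"sudo: ALL commands on ALL hosts for {who}"))
    return findings


# --- constructed LDIF sample (made-up UUIDs, users and hosts) ----------------
SAMPLE_LDIF = """\
dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=hbac,dc=example,dc=local
objectClass: ipahbacrule
cn: allow_all
accessRuleType: allow
userCategory: all
hostCategory: all
serviceCategory: all
ipaEnabledFlag: TRUE

dn: ipaUniqueID=00000000-0000-0000-0000-000000000002,cn=hbac,dc=example,dc=local
objectClass: ipahbacrule
cn: sshd_admins
accessRuleType: allow
hostCategory: all
memberUser: cn=admins,cn=groups,cn=accounts,dc=example,dc=local
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=example,dc=local
ipaEnabledFlag: TRUE

dn: ipaUniqueID=00000000-0000-0000-0000-000000000003,cn=sudorules,cn=sudo,
 dc=example,dc=local
objectClass: ipasudorule
cn: admins_all
cmdCategory: all
hostCategory: all
memberUser: uid=alice,cn=users,cn=accounts,dc=example,dc=local
ipaEnabledFlag: TRUE

dn: ipaUniqueID=00000000-0000-0000-0000-000000000004,cn=sudorules,cn=sudo,dc=example,dc=local
objectClass: ipasudorule
cn: web_restart
memberAllowCmd: ipaUniqueID=00000000-0000-0000-0000-000000000099,cn=sudocmds,cn=sudo,dc=example,dc=local
memberHost: fqdn=web1.example.local,cn=computers,cn=accounts,dc=example,dc=local
memberUser: cn=webops,cn=groups,cn=accounts,dc=example,dc=local
ipaEnabledFlag: TRUE

dn: ipaUniqueID=00000000-0000-0000-0000-000000000005,cn=sudorules,cn=sudo,dc=example,dc=local
objectClass: ipasudorule
cn: old_everything
cmdCategory: all
hostCategory: all
userCategory: all
ipaEnabledFlag: FALSE
"""

if __name__ == "__main__":
    for dn, why in audit_rules(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n    {why}")
```

Feed it real output by piping `ldapsearch -Y gssapi -b "cn=hbac,dc=..."` and the `cn=sudorules,cn=sudo` search into one file and calling `parse_ldif` on its contents; the disabled `old_everything` rule shows why `ipaEnabledFlag` has to be checked before a rule is reported.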
Role-Based Access Control
A role is comprised of various privileges, each of which encompasses a collection of permissions. These roles can be assigned to Users, User Groups, Hosts, Host Groups, and Services. For instance, consider the "User Administrator" role in FreeIPA to exemplify this structure.
The role User Administrator has these privileges:
- User Administrators
- Group Administrators
- Stage User Administrators
With the following commands it's possible to enumerate the roles, privileges and permissions:
```bash
# Using ldap
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=westeros,dc=local"
# Using ipa binary
ipa role-find
ipa role-show <role> --all
ipa privilege-find
ipa privilege-show <privilege> --all
ipa permission-find
ipa permission-show <permission> --all
```
Attack Scenario Example
In https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e you can find a simple example of how to abuse some permissions to compromise the domain.
Linikatz/LinikatzV2
Privesc
root user creation
{% hint style="warning" %}
If you can create a new user with the name root, you can impersonate him and you will be able to SSH into any machine as root.
THIS HAS BEEN PATCHED. {% endhint %}
You can find a detailed explanation in https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b
References
- https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b
- https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a
- https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1
- https://www.youtube.com/watch?v=9dOu-7BTwPQ