12 KiB
FreeIPA Pentesting
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
FreeIPA is an open-source alternative to Microsoft Windows Active Directory, mainly for Unix environments. It combines a complete LDAP directory with an MIT Kerberos Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag Certificate System for CA & RA certificate management, it supports multi-factor authentication, including smartcards. SSSD is integrated for Unix authentication processes.
Fingerprints
Files & Environment Variables
- The file at
/etc/krb5.conf
is where Kerberos client information, necessary for enrollment in the domain, is stored. This includes KDCs and admin servers' locations, default settings, and mappings. - System-wide defaults for IPA clients and servers are set in the file located at
/etc/ipa/default.conf
. - Hosts within the domain must have a
krb5.keytab
file at/etc/krb5.keytab
for authentication processes. - Various environment variables (
KRB5CCNAME
,KRB5_KTNAME
,KRB5_CONFIG
,KRB5_KDC_PROFILE
,KRB5RCACHETYPE
,KRB5RCACHEDIR
,KRB5_TRACE
,KRB5_CLIENT_KTNAME
,KPROP_PORT
) are used to point to specific files and settings relevant to Kerberos authentication.
Binaries
Tools such as ipa
, kdestroy
, kinit
, klist
, kpasswd
, ksu
, kswitch
, and kvno
are central to managing FreeIPA domains, handling Kerberos tickets, changing passwords, and acquiring service tickets, among other functionalities.
Network
An illustration is provided to depict a typical FreeIPA server setup.
Authentication
Authentication in FreeIPA, leveraging Kerberos, mirrors that in Active Directory. Access to domain resources necessitates a valid Kerberos ticket, which can be stored in various locations depending on FreeIPA domain configuration.
CCACHE Ticket Files
CCACHE files, stored typically in /tmp
with 600 permissions, are binary formats for storing Kerberos credentials, important for authentication without a user's plaintext password due to their portability. Parsing a CCACHE ticket can be done using the klist
command, and re-using a valid CCACHE Ticket involves exporting KRB5CCNAME
to the ticket file's path.
Unix Keyring
Alternatively, CCACHE Tickets can be stored in the Linux keyring, offering more control over ticket management. The scope of ticket storage varies (KEYRING:name
, KEYRING:process:name
, KEYRING:thread:name
, KEYRING:session:name
, KEYRING:persistent:uidnumber
), with klist
capable of parsing this information for the user. However, re-using a CCACHE Ticket from the Unix keyring can pose challenges, with tools like Tickey available for extracting Kerberos tickets.
Keytab
Keytab files, containing Kerberos principals and encrypted keys, are critical for obtaining valid ticket granting tickets (TGT) without needing the principal's password. Parsing and re-using credentials from keytab files can be easily performed with utilities like klist
and scripts such as KeytabParser.
Cheatsheet
You can find more information about how to use tickets in linux in the following link:
{% content-ref url="privilege-escalation/linux-active-directory.md" %} linux-active-directory.md {% endcontent-ref %}
Enumeration
{% hint style="warning" %} You could perform the enumeration via ldap and other binary tools, or connecting to the web page in the port 443 of the FreeIPA server. {% endhint %}
Hosts, Users, and Groups
It's possible to create hosts, users and groups. Hosts and users are sorted into containers called “Host Groups” and “User Groups” respectively. These are similar to Organizational Units (OU).
By default in FreeIPA, the LDAP server allows for anonymous binds, and a large swath of data is enumerable unauthenticated. This can enumerate all data available unauthenticated:
ldapsearch -x
To get more information you need to use an authenticated session (check the Authentication section to learn how to prepare an authenticated session).
# Get all users of domain
ldapsearch -Y gssapi -b "cn=users,cn=compat,dc=domain_name,dc=local"
# Get users groups
ldapsearch -Y gssapi -b "cn=groups,cn=accounts,dc=domain_name,dc=local"
# Get all the hosts
ldapsearch -Y gssapi -b "cn=computers,cn=accounts,dc=domain_name,dc=local"
# Get hosts groups
ldapsearch -Y gssapi -b "cn=hostgroups,cn=accounts,dc=domain_name,dc=local"
From a domain joined machine you will be able to use installed binaries to enumerate the domain:
ipa user-find
ipa usergroup-find
ipa host-find
ipa host-group-find
-------------------
ipa user-show <username> --all
ipa usergroup-show <user group> --all
ipa host-find <host> --all
ipa hostgroup-show <host group> --all
{% hint style="info" %} The admin user of FreeIPA is the equivalent to domain admins from AD. {% endhint %}
Hashes
The root user from the IPA server has access to the password hashes.
- The password hash of a user is stored as base64 in the “userPassword” attribute. This hash might be SSHA512 (old versions of FreeIPA) or PBKDF2_SHA256.
- The Nthash of the password store as base64 in “ipaNTHash” if system has integration with AD.
To crack these hashes:
• If freeIPA integrated with AD, ipaNTHash is easy to crack: You should decode base64 -> re-encoded it as ASCII hex -> John The Ripper or hashcat can help you to crack it fast
• If an old version of FreeIPA is used, so SSHA512 is used: You should decode base64 -> find SSHA512 hash -> John The Ripper or hashcat can help you to crack it
• If new version of FreeIPA is used, so PBKDF2_SHA256 is used: You should decode base64 -> find PBKDF2_SHA256 -> it’s length is 256 byte. John can work with 256 bits (32 byte) -> SHA-265 used as the pseudo-random function, block size is 32 byte -> you can use only first 256 bit of our PBKDF2_SHA256 hash -> John The Ripper or hashcat can help you to crack it
To extract the hashes you need to be root in the FreeIPA server, there you can use the tool dbscan
to extract them:
HBAC-Rules
There are the rules that grant specific permissions to users or hosts over resources (hosts, services, service groups...)
# Enumerate using ldap
ldapsearch -Y gssapi -b "cn=hbac,dc=domain_name,dc=local"
# Using ipa
ipa hbacrule-find
# Show info of rule
ipa hbacrule-show <hbacrule> --all
Sudo-Rules
FreeIPA enables centralized control over sudo permissions via sudo-rules. These rules allow or limit the execution of commands with sudo on hosts within the domain. An attacker could potentially identify the applicable hosts, users, and allowed commands by examining these rulesets.
# Enumerate using ldap
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=domain_name,dc=local"
# Using ipa
ipa sudorule-find
# Show info of rule
ipa sudorule-show <sudorule> --all
Role-Based Access Control
A role is comprised of various privileges, each of which encompasses a collection of permissions. These roles can be assigned to Users, User Groups, Hosts, Host Groups, and Services. For instance, consider the default “User Administrator” role in FreeIPA to exemplify this structure.
The role User Administrator
has these privileges:
- User Administrators
- Group Administrators
- Stage User Administrators
With the following commands it's possibel to enumerate the roles, privileges and permissions:
# Using ldap
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=westeros,dc=local"
# Using ipa binary
ipa role-find
ipa role-show <role> --all
ipa privilege-find
ipa privilege-show <privilege> --all
ipa permission-find
ipa permission-show <permission> --all
Attack Scenario Example
In https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e you can find a simple example of how to abuse some permissions to compromise the domain.
Linikatz/LinikatzV2
Privesc
root user creation
{% hint style="warning" %}
If you can create a new user with the name root
, you can impersonate him and you will be able to SSH into any machine as root.
THIS HAS BEEN PATCHED. {% endhint %}
You can check a detailed explaination in https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b
References
- https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b
- https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a
- https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1
- https://www.youtube.com/watch?v=9dOu-7BTwPQ
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.