FREEIPA

What is FreeIPA ?

https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a
https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1
# Open source alternative to Microsoft Windows Active Directory
# Primarily used as an integrated management solution for Unix environments.
# Similar to Active Directory, FreeIPA implements a full LDAP directory infrastructure

# So all together we have a Unix host management system
# Complete with LDAP and Kerberos that allows for multi-factor authentication.

Informations

Files

# Kerberos informations to get enrolled (location of KDCs...)
/etc/krb5.conf

# Default configuration file (set system-wide defaults)
/etc/ipa/default.conf

# Required on all hosts inside the domain (authentication process)
/etc/krb5.keytab

Environment variables

# Location of the CCACHE
KRB5CCNAME

# Location of the keytab
KRB5_KTNAME

# Location of Kerberos configuration file
KRB5_CONFIG

# Location of Kerberos configuration file with additional information (KDC)
KRB5_KDC_PROFILE

# Default type of replay cache
KRB5RCACHETYPE

# Directory for replay caches
KRB5RCACHEDIR

# Location of logs
KRB5_TRACE

# Default client keytab filename
KRB5_CLIENT_KTNAME

# Default port for kprop
KPROP_PORT

Binaries

# Standard for managing domain
ipa

# Destroy any current Kerberos tickets in the users session
kdestroy

# Establish, or renew Kerberos tickets
kinit

# Lists any current Kerberos tickets in use
klist

# Change a Kerberos prinipal's password
kpasswd

# Alternative for the su binary
ksu

# Switch the current credential cache in use
kswitch

# Acquires a service ticket for the specified Kerberos principals and 
# Prints out the key version numbers of each
kvno

Authentication

# CCache
# File used to store tickets, usually in /tmp
# Parsing ticket using klist
export KRB5CCNAME=/tmp/krb5cc_0
klist /tmp/krb5cc_0

# Unix Keyring
# Admins can store tickets inside keyring
# Tickey can extract Kerberos tickets from the keyring (https://github.com/TarlogicSecurity/tickey)
kinit admin
klist 
./tickey
export KRB5CCNAME=/tmp/<ticket_outfile>
klist

# Keytab
# It consists of pairs of Kerberos principals and encrypted keys that are derived 
# From the Kerberos password associated with the principal
# Keytab parser (https://github.com/its-a-feature/KeytabParser) can parse for ticket generation
python KeytabParser.py /etc/krb5.keytab
kinit -kt /etc/krb5.keytab host/name.domain.local@domain.local
klist

Enumeration

# Hosts, Users and Groups
# Hosts, and users can be sorted into containers called “Host Groups” and “User Groups” respectively
# Similar to OU in Active Directory

# Host-Based Access Control Rules (HBAC-Rules), Privileges, Roles, and Sudo-Rules
# Can be applied to any of the objects above

# You can enumerate using LDAP queries or built-in FreeIPA tools
# LDAP Queries

# Get all unauthenticated accessible data
ldapsearch -x 

# After authentication, get all users
kinit -kt /etc/krb5.keytab
ldapsearch -Y gssapi -b "cn=users,cn=compat,dc=westeros,dc=local"

# Get all hosts
ldapsearch -Y gssapi -b "cn=computers,cn=accounts,dc=westeros,dc=local"

# Host group
ldapsearch -Y gssapi -b "cn=hostgroups,cn=accounts,dc=westeros,dc=local"  

# User groups
ldapsearch -Y gssapi -b "cn=groups,cn=accounts,dc=westeros,dc=local"
# Built-in tools
# Installed by default when enrolling, but need valid account
# If you find yourself in a situation where you are lacking a valid domain credential
# Each host is deployed with a keytab credential for that host. 
# This keytab can be used to obtain a valid Credential Cache(CCACHE) TGT for the host itself

ipa user-find
ipa usergroup-find
ipa host-find
ipa host-group-find
-------------------
ipa user-show <username> --all
ipa usergroup-show <user group> --all
ipa host-find <host> --all
ipa hostgroup-show <host group> --all
# HBAC-Rules
# Access controls, at a high level, define who has access to what

# Get all HBAC-Rules
ldapsearch -Y gssapi -b "cn=hbac,dc=westeros,dc=local"

# Built-in
ipa hbacrule-find
-----------------
ipa hbacrule-show <hbacrule> --all
# Sudo-Rules
# Equivalent to HBAC-Rules but additionnal info can be set (sudoers options, run as...)

# Get all Sudo-Rules
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=westeros,dc=local"

# Built-in
ipa sudorule-find
-----------------
ipa sudorule-show <sudorule> --all
# Role-Bases Access Control
# Role-based access control (RBAC) is a hierarchical way of organizing access to the data managed by FreeIPA

# Get all roles
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=westeros,dc=local"

# Built-in
ipa role-find
ipa role-show <role> --all
ipa privilege-find 
ipa privilege-show <privilege> --all
ipa permission-find
ipa permission-show <permission> --all