Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

of

FreeIPA - Attacking the Active Directory of Linux Slide 1 FreeIPA - Attacking the Active Directory of Linux Slide 2 FreeIPA - Attacking the Active Directory of Linux Slide 3 FreeIPA - Attacking the Active Directory of Linux Slide 4 FreeIPA - Attacking the Active Directory of Linux Slide 5 FreeIPA - Attacking the Active Directory of Linux Slide 6 FreeIPA - Attacking the Active Directory of Linux Slide 7 FreeIPA - Attacking the Active Directory of Linux Slide 8 FreeIPA - Attacking the Active Directory of Linux Slide 9 FreeIPA - Attacking the Active Directory of Linux Slide 10 FreeIPA - Attacking the Active Directory of Linux Slide 11 FreeIPA - Attacking the Active Directory of Linux Slide 12 FreeIPA - Attacking the Active Directory of Linux Slide 13 FreeIPA - Attacking the Active Directory of Linux Slide 14 FreeIPA - Attacking the Active Directory of Linux Slide 15 FreeIPA - Attacking the Active Directory of Linux Slide 16 FreeIPA - Attacking the Active Directory of Linux Slide 17 FreeIPA - Attacking the Active Directory of Linux Slide 18 FreeIPA - Attacking the Active Directory of Linux Slide 19 FreeIPA - Attacking the Active Directory of Linux Slide 20 FreeIPA - Attacking the Active Directory of Linux Slide 21 FreeIPA - Attacking the Active Directory of Linux Slide 22 FreeIPA - Attacking the Active Directory of Linux Slide 23 FreeIPA - Attacking the Active Directory of Linux Slide 24 FreeIPA - Attacking the Active Directory of Linux Slide 25 FreeIPA - Attacking the Active Directory of Linux Slide 26 FreeIPA - Attacking the Active Directory of Linux Slide 27 FreeIPA - Attacking the Active Directory of Linux Slide 28 FreeIPA - Attacking the Active Directory of Linux Slide 29 FreeIPA - Attacking the Active Directory of Linux Slide 30 FreeIPA - Attacking the Active Directory of Linux Slide 31 FreeIPA - Attacking the Active Directory of Linux Slide 32 FreeIPA - Attacking the Active Directory of Linux Slide 33 FreeIPA - Attacking the Active Directory of Linux Slide 34 FreeIPA - Attacking the Active Directory of Linux Slide 35 FreeIPA - Attacking the Active Directory of Linux Slide 36 FreeIPA - Attacking the Active Directory of Linux Slide 37 FreeIPA - Attacking the Active Directory of Linux Slide 38 FreeIPA - Attacking the Active Directory of Linux Slide 39 FreeIPA - Attacking the Active Directory of Linux Slide 40
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

FreeIPA - Attacking the Active Directory of Linux

Download to read offline

FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

FreeIPA - Attacking the Active Directory of Linux

  1. 1. FreeIPA: Attacking the Active Directory of Linux
  2. 2. /usr/bin/whoami ● Julian Catrambone (@n0pe_sled) ● Senior Consultant at SpecterOps ● Reformed Red Teamer ● IPA enthusiast 2
  3. 3. What is FreeIPA? • Unix Open-Source Active Directory Alternative • Full LDAP directory Infrastructure backed by MIT Kerberos • Implements Dogtag certificate management system, allowing for multi-factor authentication • Integration into the standard Unix auth processes via SSSD
  4. 4. Why do we care? • FreeIPA is used pervasively in order to manage a large variety of cloud resources. • Interesting new medium for common active directory and kerberos based attacks. • A lot of the attack primitives may able to other Unix based systems tied into Active Directory.
  5. 5. https://blog.cloudflare.com/introducing-flan-scan/
  6. 6. Our Lab
  7. 7. Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
  8. 8. Situational Awareness • How can we identify that a host is enrolled in a Domain, and specifically FreeIPA?
  9. 9. Situational Awareness There are a few key indicators that a Linux host has been enrolled in a Domain. They ultimately consist of various binaries, files, and environment variables. • Default Kerberos Configuration Files • /etc/krb5.conf • /etc/krb5.keytab • /tmp/krb5cc_* • Default FreeIPA Configuration Files • /etc/ipa/* • ~/.cache/ipa/schema/* • ~/.cache/ipa/servers/*
  10. 10. Situational Awareness • Kerberos Environmental Variables • KRB5CCNAME • KRB5_KTNAME • KRB5_CONFIG • KRB5_KDC_PROFILE • KRB5RCACHETYPE • KRB5CACHEDIR • KRB5_TRACE • KRB5_CLIENT_KTNAME • KPROP_PORT • Kerberos Binaries • kdestroy • kinit • klist • kpasswd • ksu • kswitch • kvno • FreeIPA Binaries • ipa • ipa-certupdate • ipa-client-automount • ipa-client-configure-first • ipa-client-install • ipa-getcert • ipa-getkeytab • ipa-join • ipa-rmkeytab
  11. 11. Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
  12. 12. Credential Abuse Kerberos tickets in FreeIPA are very similar to tickets in active directory. The main difference is in how they are utilized, and stored. They can be stored in the Following ways: • CCACHE Ticket Files • KeyTab Files • Inside of the Unix Keyring
  13. 13. Credential Abuse: CCACHE Tickets CCACHE Tickets are binaries that contain the credential material required to authenticate. By default these files are stored in c:tmp with (0600) permissions.
  14. 14. Credential Abuse: CCACHE Tickets In order to use a CCACHE Ticket the following must be true: • The current user context has read access to the file • The ticket is not expired • The host OS is enrolled in the domain, or has right configuration files If all of those conditions are meet the ticket can be used in the current session by setting the KRB5CCNAME environment variable
  15. 15. Credential Abuse: Keytabs Keytabs are permanent binary credential files. Once created they do not require a password to authenticate. However they are restricted to specific principals.
  16. 16. https://github.com/its-a-feature/KeytabParser
  17. 17. Credential Abuse: Unix Keyring The keyring lives inside of the kernel, and gives administrators more inherent controls over the retrieval and use of stored tickets. Tickets can be scoped in the following different ways: 1. KEYRING:name 2. KEYRING:process:name 3. KEYRING:thread:name 4. KEYRING:session:name 5. KEYRING:persistent:uidnumber 6. KEYRING:user:<name>
  18. 18. Credential Abuse: Unix Keyring
  19. 19. Credential Abuse: Unix Keyring https://github.com/TarlogicSecurity/tickey
  20. 20. Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
  21. 21. Domain Enumeration FreeIPA mimic’s a lot of traditional Active Directory’s functionality with some caveats. Let’s briefly talk about some of the different objects, and how they interact with each other.
  22. 22. Domain Enumeration: Users/Hosts Hosts in FreeIPA correspond to the individual systems attached to the domain. Similarly, users are the users in the domain. With the IPA binary you can search all of the hosts/users on the domain with the following commands: • ipa host-find • ipa host-show <hostname> --all • ipa user-find • ipa user-show <user> --all
  23. 23. Domain Enumeration: Hosts and Users may have the following controls set to control authentication, and privilege escalation: • HBAC Rules: Host Based Access Control Rules • ipa hbacrule-find • ipa hbacrule-show <ruleset> --all • SUDO Rules: Rules controlling who can execute Sudo, and which commands that user can execute • ipa sudorules-find • ipa sudorules-show <ruleset> --all
  24. 24. Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
  25. 25. Lateral Movement • HBAC Rules show us which hosts specific users inside the environment can authenticate to • Inside of FreeIPA environments SSH is configured by default to allow Kerberos authentication
  26. 26. Lets Recap : Situational Awareness • Identified several configuration files, and binaries • /etc/krb5.conf • /etc/ipa/ca.crt • /usr/bin/ipa • /usr/sbin/ipa* • /usr/bin/k*
  27. 27. Lab Recap: Credential Abuse • Identified a valid Kerberos TGT in a CCACHE file • /tmp/krb5cc_30920003 • Set the KRB5CCNAME environment variable to that TGT • export KRB5CCNAME=/tmp/krb5cc_30920003 • Validated the ticket with klist • klist /tmp/krb5cc_30920003
  28. 28. Lab Recap: Domain Enumeration • Grabbed the user information for nginxadmin • ipa user-show --all nginxadmin • Identified they were a member of the web-admin HBAC Rule • ipa hbacrule-show --all web-admin • The web-admin HBAC Rule delegated access to mysql.westeros.local
  29. 29. Lab Recap: Lateral Movement • After entering the context of nginxadmin we can use SSH to move laterally throughout the environment • export KRB5CCNAME=/tmp/krb5cc_30920003 • ssh nginxadmin@mysql.westeros.local
  30. 30. CVE 2020-10747 • The authentication process established by default in FreeIPA will authenticate via the domain, and then establish a session for the local user corresponding to the domain user. • The ”User Administrators” privilege allows for new users to be created inside of FreeIPA • Thus creating a user named “root” inside of FreeIPA results in being able to authenticate as the local root (uid=0) account
  31. 31. RedHat official statement • Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Users with privileges should be reserved to trusted persons.
  32. 32. RedHat official statement • RedHat has retained the fixed pull request despite the CVE being revoked and the vulnerability being reclassified as “CLOSED NOTABUG” on https://bugzilla.redhat.com/show_bug.cgi?id=1810160.
  33. 33. Possible Attack Abuse Techniques • Long Living Tickets • kinit -r 14d -l 7d <user> • kinit -R <user> with the ticket loaded inside the renew window • Credential Storage Downgrade • /etc/krb5.conf is the configuration file that each host looks to when determining which location to store each ticket generated by the host. • default_ccache_name = KEYRING:persistent:%{uid} • Creating a Keytab • ipa-getkeytab -s ipa.westeros.local -p admin@WESTEROS.LOCAL -P -k /tmp/admin.keytab • With the right permissions it is possible to modify HBAC Rules, and Sudo Rules remotely. • This could enable lateral movement or privilege escalation.

FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

Views

Total views

534

On Slideshare

0

From embeds

0

Number of embeds

31

Actions

Downloads

6

Shares

0

Comments

0

Likes

0

×