FreeIPA - Attacking the Active Directory of Linux


Description

FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

Transcript

  1. FreeIPA: Attacking the Active Directory of Linux
  2. /usr/bin/whoami
     • Julian Catrambone (@n0pe_sled)
     • Senior Consultant at SpecterOps
     • Reformed Red Teamer
     • IPA enthusiast
  3. What is FreeIPA?
     • An open-source Active Directory alternative for Unix/Linux
     • A full LDAP directory (389 Directory Server) backed by an MIT Kerberos KDC
     • Includes the Dogtag certificate system as its CA, enabling certificate and smart-card based authentication as an additional factor
     • Integrates with the standard Unix authentication stack (PAM/NSS) via SSSD
  4. Why do we care?
     • FreeIPA is widely used to manage identities and access across large fleets of Linux and cloud hosts.
     • It is an interesting new medium for the Active Directory and Kerberos based attacks red teams already know.
     • Many of the attack primitives also apply to other Unix systems that are joined to Active Directory (via SSSD, Kerberos and LDAP).
  5. https://blog.cloudflare.com/introducing-flan-scan/
  6. Our Lab
  7. Situational Awareness / Credential Abuse / Domain Enumeration / Lateral Movement
  8. Situational Awareness
     • How can we identify that a host is enrolled in a domain, and specifically in FreeIPA?
  9. Situational Awareness
     There are a few key indicators that a Linux host has been enrolled in a domain: certain binaries, files and environment variables.
     • Default Kerberos configuration and credential files
       • /etc/krb5.conf (realm and KDC configuration, including default_ccache_name)
       • /etc/krb5.keytab (the host's own long-term keys, readable only by root)
       • /tmp/krb5cc_* (FILE credential caches, one per uid)
     • Default FreeIPA configuration files
       • /etc/ipa/* (default.conf names the IPA server, realm and domain; ca.crt is the IPA CA certificate)
       • ~/.cache/ipa/schema/*
       • ~/.cache/ipa/servers/*
  10. Situational Awareness
     • Kerberos environment variables: KRB5CCNAME, KRB5_KTNAME, KRB5_CONFIG, KRB5_KDC_PROFILE, KRB5RCACHETYPE, KRB5CACHEDIR, KRB5_TRACE, KRB5_CLIENT_KTNAME, KPROP_PORT
     • Kerberos binaries: kdestroy, kinit, klist, kpasswd, ksu, kswitch, kvno
     • FreeIPA binaries: ipa, ipa-certupdate, ipa-client-automount, ipa-client-configure-first, ipa-client-install, ipa-getcert, ipa-getkeytab, ipa-join, ipa-rmkeytab
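A small offline triage script for the indicators on slides 9 and 10, added here as an example (it is not from the talk). It reads the files the slides name under a caller-supplied root so it can be exercised against a constructed directory tree, and it also reports where new tickets will land by reading default_ccache_name from krb5.conf. The realm, server and paths in build_sample_tree() are the talk's lab names; the file contents themselves are made up.

```python
"""Offline triage of the FreeIPA / Kerberos enrollment indicators (added example)."""
import glob
import os
import re
import tempfile

KRB5_ENV = ("KRB5CCNAME", "KRB5_KTNAME", "KRB5_CONFIG", "KRB5_KDC_PROFILE", "KRB5RCACHETYPE",
            "KRB5CACHEDIR", "KRB5_TRACE", "KRB5_CLIENT_KTNAME", "KPROP_PORT")
IPA_BINARIES = ("ipa", "ipa-certupdate", "ipa-client-automount", "ipa-client-install",
                "ipa-getcert", "ipa-getkeytab", "ipa-join", "ipa-rmkeytab")


def _read(path):
    """Return a file's text, or '' when it is missing or unreadable (no privileges assumed)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _setting(text, key):
    """First 'key = value' line in a krb5.conf / default.conf style file, or None."""
    match = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), text, re.MULTILINE)
    return match.group(1) if match else None


def ccache_storage(default_ccache_name):
    """Where new tickets land: 'FILE' (on disk, harvestable) or 'KEYRING' (kernel keyring)."""
    if not default_ccache_name:
        return "FILE"                      # MIT default when the setting is absent: FILE:/tmp/krb5cc_%{uid}
    return default_ccache_name.split(":", 1)[0].upper()


def enrollment_report(root="/", environ=None, path_dirs=("/usr/bin", "/usr/sbin")):
    """Collect enrollment indicators under `root` (use '/' on a live host)."""
    environ = os.environ if environ is None else environ

    def p(rel):                            # resolve an absolute path underneath root
        return os.path.join(root, rel.lstrip("/"))

    krb5 = _read(p("/etc/krb5.conf"))
    ipa = _read(p("/etc/ipa/default.conf"))
    report = {
        "realm": _setting(krb5, "default_realm"),
        "ccache_storage": ccache_storage(_setting(krb5, "default_ccache_name")),
        "ipa_server": _setting(ipa, "server"),
        "ipa_domain": _setting(ipa, "domain"),
        "host_keytab": os.path.exists(p("/etc/krb5.keytab")),
        "ipa_ca_cert": os.path.exists(p("/etc/ipa/ca.crt")),
        "file_ccaches": sorted(os.path.basename(f) for f in glob.glob(p("/tmp/krb5cc_*"))),
        "krb5_env": {k: environ[k] for k in KRB5_ENV if k in environ},
        "ipa_binaries": sorted({b for d in path_dirs for b in IPA_BINARIES
                                if os.path.exists(p(os.path.join(d, b)))}),
    }
    report["freeipa_enrolled"] = bool(report["ipa_server"] or report["ipa_ca_cert"])
    report["kerberos_enrolled"] = bool(report["realm"] and report["host_keytab"])
    return report


def build_sample_tree():
    """Constructed stand-in for an enrolled client; file contents are illustrative only."""
    root = tempfile.mkdtemp(prefix="ipa-triage-")
    files = {
        "etc/krb5.conf": "[libdefaults]\n  default_realm = WESTEROS.LOCAL\n"
                         "  default_ccache_name = KEYRING:persistent:%{uid}\n"
                         "[realms]\n  WESTEROS.LOCAL = {\n    kdc = ipa.westeros.local:88\n  }\n",
        "etc/ipa/default.conf": "[global]\nbasedn = dc=westeros,dc=local\nrealm = WESTEROS.LOCAL\n"
                                "domain = westeros.local\nserver = ipa.westeros.local\n",
        "etc/ipa/ca.crt": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
        "etc/krb5.keytab": "\x05\x02",                 # keytab magic bytes only
        "tmp/krb5cc_30920003": "\x05\x04",             # ccache magic bytes only
        "usr/bin/ipa": "#!/bin/sh\n",
        "usr/sbin/ipa-getkeytab": "#!/bin/sh\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_env = {"KRB5CCNAME": "KEYRING:persistent:30920003"}
    for key, value in enrollment_report(build_sample_tree(), environ=sample_env).items():
        print("%-18s %s" % (key, value))
```

On a live host, enrollment_report() with the default root reads the real /etc/krb5.conf and /etc/ipa/default.conf; ccache_storage tells you up front whether to go looking for FILE caches in /tmp or for keyring entries.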
  11. Situational Awareness / Credential Abuse / Domain Enumeration / Lateral Movement
  12. Credential Abuse
     Kerberos tickets in FreeIPA are the same Kerberos tickets seen in Active Directory; the differences are in how they are used and where they are stored. On a Linux client they can live in:
     • CCACHE (credential cache) files
     • keytab files
     • the kernel keyring
  13. Credential Abuse: CCACHE Tickets
     A CCACHE is a binary file holding the credential material needed to authenticate: the TGT, any cached service tickets, and their session keys. By default MIT Kerberos stores them as FILE caches under /tmp, named krb5cc_<uid> (a random suffix may be appended), with mode 0600, so only the owning user and root can read them.
  14. Credential Abuse: CCACHE Tickets
     To use a CCACHE ticket the following must be true:
     • the current user context has read access to the file
     • the ticket has not expired
     • the host is enrolled in the domain, or at least has a krb5.conf that can locate the realm's KDC
     If all of those conditions are met, the ticket can be used in the current session by pointing the KRB5CCNAME environment variable at the file; no password is needed.
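The conditions on this slide can be checked without a KDC by reading the cache file itself. The parser below for the MIT CCACHE format 4 on-disk layout is an added example, not code from the talk. build_sample_ccache() fabricates a cache with placeholder key and ticket bytes (the lab's nginxadmin@WESTEROS.LOCAL principal is used as constructed sample input) so the example runs offline, and tgt_status() reports whether the TGT is still valid and whether kinit -R can still extend it.

```python
"""Reader/writer for MIT Kerberos CCACHE format 4, for offline ticket triage (added example)."""
import struct
import time

TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_RENEWABLE = 0x00800000
TKT_FLG_INITIAL = 0x00400000
TKT_FLG_PRE_AUTH = 0x00100000
DEFAULT_FLAGS = TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE | TKT_FLG_INITIAL | TKT_FLG_PRE_AUTH


def _cstr(data):
    """Counted octet string: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _principal(realm, components, name_type=1):
    """Principal record: name type, component count, realm, components (NT-PRINCIPAL=1, NT-SRV-INST=2)."""
    out = struct.pack(">II", name_type, len(components)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in components)


def build_sample_ccache(client, realm, authtime, endtime, renew_till, flags=DEFAULT_FLAGS):
    """Constructed v4 cache with one TGT; the session key and ticket bytes are placeholders, not real material."""
    cred = _principal(realm, [client]) + _principal(realm, ["krbtgt", realm], name_type=2)
    cred += struct.pack(">H", 18) + _cstr(b"\x00" * 32)          # keyblock: aes256-cts-hmac-sha1-96 (18), dummy key
    cred += struct.pack(">IIII", authtime, authtime, endtime, renew_till)  # authtime, starttime, endtime, renew_till
    cred += b"\x00" + struct.pack(">I", flags)                     # is_skey, ticket flags
    cred += struct.pack(">II", 0, 0)                               # address count, authdata count
    cred += _cstr(b"\x61\x00") + _cstr(b"")                        # ticket (placeholder), second_ticket
    header = b"\x05\x04" + struct.pack(">H", 0)                    # format version 4, empty header-tag section
    return header + _principal(realm, [client]) + cred


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache at offset %d" % self.pos)
        self.pos += n
        return chunk

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def cstr(self):
        return self.take(self.u32())

    def principal(self):
        self.u32()                                                 # name type (unused here)
        ncomp = self.u32()
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(ncomp)) + "@" + realm

    def done(self):
        return self.pos >= len(self.data)


def parse_ccache(data):
    """Return (default principal, list of credential dicts) from raw v4 ccache bytes."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is supported")
    r.take(r.u16())                                                # header tags (e.g. KDC time offset)
    default_principal = r.principal()
    creds = []
    while not r.done():
        c = {"client": r.principal(), "server": r.principal(), "enctype": r.u16()}
        r.cstr()                                                   # session key: not needed for triage
        c["authtime"], c["starttime"], c["endtime"], c["renew_till"] = struct.unpack(">IIII", r.take(16))
        r.take(1)                                                  # is_skey
        c["flags"] = r.u32()
        for _ in range(r.u32()):                                   # addresses
            r.u16(); r.cstr()
        for _ in range(r.u32()):                                   # authdata
            r.u16(); r.cstr()
        r.cstr(); r.cstr()                                         # ticket, second_ticket
        creds.append(c)
    return default_principal, creds


def tgt_status(data, now=None):
    """Is the TGT in this cache usable, and can kinit -R still extend it?"""
    now = time.time() if now is None else now
    _, creds = parse_ccache(data)
    for c in creds:
        if not c["server"].startswith("krbtgt/"):
            continue
        expired = now >= c["endtime"]
        # The KDC refuses to renew a ticket whose endtime has passed, so renewal only helps while it is valid.
        renewable = not expired and bool(c["flags"] & TKT_FLG_RENEWABLE) and c["renew_till"] > now
        return {"client": c["client"], "expired": expired, "renewable": renewable,
                "seconds_left": max(0, c["endtime"] - now),
                "renew_window_left": max(0, c["renew_till"] - now) if renewable else 0}
    return None


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:                            # e.g. /tmp/krb5cc_30920003
        print(tgt_status(fh.read()))
```

Real caches written by kinit carry a non-empty header section (the KDC time offset), which parse_ccache skips, and usually hold several credentials (the TGT plus service tickets); FILE caches under /tmp and caches dumped out of the keyring share this format. Keytabs (next slide) use a different layout and are not handled here.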
  15. Credential Abuse: Keytabs
     Keytabs are long-lived binary files holding a principal's long-term keys. Once created they allow authentication without a password, but each entry is bound to one principal and key version (kvno), so a keytab is only usable as those principals and only until the principal's key is rotated.
  16. https://github.com/its-a-feature/KeytabParser
  17. Credential Abuse: Unix Keyring
     The KEYRING cache type stores tickets inside the kernel keyring rather than in a file, which gives administrators more control over who can retrieve and use stored tickets (and keeps them out of /tmp). A keyring cache can be scoped in the following ways:
     1. KEYRING:name
     2. KEYRING:process:name
     3. KEYRING:thread:name
     4. KEYRING:session:name
     5. KEYRING:persistent:uidnumber
     6. KEYRING:user:<name>
  18. Credential Abuse: Unix Keyring
  19. Credential Abuse: Unix Keyring
     https://github.com/TarlogicSecurity/tickey (extracts Kerberos tickets from the kernel keyring into CCACHE files)
  20. Situational Awareness / Credential Abuse / Domain Enumeration / Lateral Movement
  21. Domain Enumeration
     FreeIPA mimics a lot of traditional Active Directory functionality, with some caveats. Let's briefly look at some of the different objects and how they interact with each other.
  22. Domain Enumeration: Users/Hosts
     Hosts in FreeIPA correspond to the individual systems joined to the domain; users are the domain's user accounts. With the ipa binary (and a valid ticket) you can enumerate all of the hosts and users in the domain with:
     • ipa host-find
     • ipa host-show <hostname> --all
     • ipa user-find
     • ipa user-show <user> --all
  23. Domain Enumeration: HBAC and Sudo Rules
     Hosts and users may have the following controls applied to them, which govern authentication and privilege escalation:
     • HBAC rules (Host Based Access Control): which users may authenticate to which hosts through which services (e.g. sshd)
       • ipa hbacrule-find
       • ipa hbacrule-show <rule> --all
     • Sudo rules: who may run sudo, on which hosts, and which commands they may run
       • ipa sudorule-find
       • ipa sudorule-show <rule> --all
  24. Situational Awareness / Credential Abuse / Domain Enumeration / Lateral Movement
  25. Lateral Movement
     • HBAC rules show us which hosts specific users in the environment can authenticate to
     • On FreeIPA-enrolled hosts sshd is configured by default (by ipa-client-install) to accept Kerberos/GSSAPI authentication, so a valid TGT for a permitted user is enough to SSH in without a password
  26. Lab Recap: Situational Awareness
     • Identified several configuration files and binaries
       • /etc/krb5.conf
       • /etc/ipa/ca.crt
       • /usr/bin/ipa
       • /usr/sbin/ipa*
       • /usr/bin/k*
  27. Lab Recap: Credential Abuse
     • Identified a valid Kerberos TGT in a CCACHE file
       • /tmp/krb5cc_30920003
     • Pointed the KRB5CCNAME environment variable at that file
       • export KRB5CCNAME=/tmp/krb5cc_30920003
     • Validated the ticket with klist
       • klist /tmp/krb5cc_30920003
  28. Lab Recap: Domain Enumeration
     • Grabbed the user information for nginxadmin
       • ipa user-show --all nginxadmin
     • Identified that they were a member of the web-admin HBAC rule
       • ipa hbacrule-show --all web-admin
     • The web-admin HBAC rule granted access to mysql.westeros.local
  29. Lab Recap: Lateral Movement
     • Once in the context of nginxadmin we can use SSH to move laterally through the environment
       • export KRB5CCNAME=/tmp/krb5cc_30920003
       • ssh nginxadmin@mysql.westeros.local
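The recap above is one instance of a general question: given the HBAC rules pulled with ipa hbacrule-find --all and the group memberships from user-show and host-show, which hosts can a given user reach over SSH? FreeIPA evaluates HBAC as "allow if any enabled rule matches user, host and service" with no deny rules, and exposes the same check server-side as ipa hbactest. The evaluator below is an added example that mirrors that logic offline so a reachability map can be built from enumeration output; it is not the talk's code. The sample rules reuse the lab's names (nginxadmin, web-admin, mysql.westeros.local); the group, hostgroup and service memberships in them are assumed for illustration.

```python
"""Offline evaluator for FreeIPA HBAC rules (added example, not from the talk)."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class HbacRule:
    """One rule as shown by `ipa hbacrule-show --all`: per dimension either category 'all' or explicit members."""
    name: str
    enabled: bool = True
    usercategory: Optional[str] = None
    hostcategory: Optional[str] = None
    servicecategory: Optional[str] = None
    users: Set[str] = field(default_factory=set)          # memberuser_user
    groups: Set[str] = field(default_factory=set)         # memberuser_group
    hosts: Set[str] = field(default_factory=set)          # memberhost_host
    hostgroups: Set[str] = field(default_factory=set)     # memberhost_hostgroup
    services: Set[str] = field(default_factory=set)       # memberservice_hbacsvc
    servicegroups: Set[str] = field(default_factory=set)  # memberservice_hbacsvcgroup


def _dimension_matches(category, name, name_groups, members, member_groups):
    """'all' matches everything; otherwise the name or one of its groups must be listed."""
    return category == "all" or name in members or bool(set(name_groups) & member_groups)


def rule_allows(rule, user, user_groups, host, host_groups, service, service_groups=()):
    """FreeIPA semantics: a rule grants access only if it is enabled and all three dimensions match."""
    return (rule.enabled
            and _dimension_matches(rule.usercategory, user, user_groups, rule.users, rule.groups)
            and _dimension_matches(rule.hostcategory, host, host_groups, rule.hosts, rule.hostgroups)
            and _dimension_matches(rule.servicecategory, service, service_groups,
                                   rule.services, rule.servicegroups))


def access_allowed(rules, user, user_groups, host, host_groups, service, service_groups=()):
    """Names of the rules that grant `user` the PAM service `service` on `host` (empty list = denied)."""
    return [r.name for r in rules
            if rule_allows(r, user, user_groups, host, host_groups, service, service_groups)]


def reachability(rules, users, hosts, service="sshd"):
    """Lateral-movement map: {user: sorted hosts the user may log in to via `service`}."""
    return {user: sorted(h for h, hgroups in hosts.items()
                         if access_allowed(rules, user, ugroups, h, hgroups, service))
            for user, ugroups in users.items()}


# Constructed sample modelled on the talk's lab. FreeIPA ships an enabled "allow_all" rule by
# default; it is disabled here so the explicit rules decide. Memberships are assumed.
SAMPLE_RULES = [
    HbacRule("allow_all", enabled=False, usercategory="all", hostcategory="all", servicecategory="all"),
    HbacRule("web-admin", groups={"web-admins"}, hosts={"mysql.westeros.local"},
             hostgroups={"webservers"}, services={"sshd"}),
    HbacRule("dba", users={"dbadmin"}, hosts={"mysql.westeros.local"}, servicecategory="all"),
]
SAMPLE_USERS = {"nginxadmin": {"web-admins"}, "dbadmin": {"dbas"}, "jon.snow": {"ipausers"}}
SAMPLE_HOSTS = {"web01.westeros.local": {"webservers"}, "mysql.westeros.local": {"databases"},
                "ipa.westeros.local": {"ipaservers"}}


if __name__ == "__main__":
    for user, reachable in reachability(SAMPLE_RULES, SAMPLE_USERS, SAMPLE_HOSTS).items():
        print("%-12s -> %s" % (user, ", ".join(reachable) or "(nowhere)"))
```

The first rule to check on any engagement is allow_all: it is enabled out of the box, and while it is on HBAC restricts nothing. Two caveats the model makes visible: a rule with no service members and no service category matches no service at all, and HBAC is enforced on the client by SSSD's PAM module, so it says nothing about local (non-IPA) accounts; sudo rules are evaluated separately.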
  30. CVE-2020-10747
     • The default authentication flow on an enrolled host authenticates the user against the domain and then opens a session for the local account corresponding to the domain user.
     • The "User Administrators" privilege allows new users to be created inside FreeIPA.
     • Creating a FreeIPA user named "root" therefore lets the holder of that privilege authenticate to enrolled hosts as the local root account (uid 0).
  31. Red Hat official statement
     "Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Users with privileges should be reserved to trusted persons."
  32. Red Hat official statement
     • Red Hat kept the fixing pull request merged even though the CVE was rejected and the report was reclassified as "CLOSED NOTABUG" on https://bugzilla.redhat.com/show_bug.cgi?id=1810160.
  33. Possible Abuse Techniques
     • Long-lived tickets
       • kinit -r 14d -l 7d <user> requests a 7-day ticket that is renewable for 14 days (the KDC caps both values at the principal's and the realm's maximum lifetimes)
       • kinit -R <user> renews the loaded ticket; the ticket must still be valid (not yet expired) and within its renewable lifetime, so renewal has to happen before the current end time
     • Credential storage downgrade
       • /etc/krb5.conf is the configuration file each host consults to decide where to store the tickets it obtains.
       • The FreeIPA default is default_ccache_name = KEYRING:persistent:%{uid}; switching it to a FILE cache makes every subsequent login drop its tickets on disk, where they are easier to find and copy.
     • Creating a keytab
       • ipa-getkeytab -s ipa.westeros.local -p admin@WESTEROS.LOCAL -P -k /tmp/admin.keytab
       • Caveat: by default ipa-getkeytab generates a new key for the principal, and -P makes it derive that key from a password you enter, so the principal's existing password is replaced; retrieve mode (-r) fetches the existing key without changing it, provided the caller is permitted to read the principal's keys.
     • With the right permissions it is possible to modify HBAC rules and sudo rules remotely through the ipa CLI or API.
       • This can enable lateral movement (granting a user access to more hosts) or privilege escalation (granting sudo rights).
