SlideShare a Scribd company logo

FreeIPA - Attacking the Active Directory of Linux

Download as PPTX, PDF
J
Julian Catrambone

FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

Technology
1 of 40
FreeIPA: Attacking the Active Directory of Linux
/usr/bin/whoami ● Julian Catrambone (@n0pe_sled) ● Senior Consultant at SpecterOps ● Reformed Red Teamer ● IPA enthusiast 2
What is FreeIPA? • Unix Open-Source Active Directory Alternative • Full LDAP directory Infrastructure backed by MIT Kerberos • Implements Dogtag certificate management system, allowing for multi-factor authentication • Integration into the standard Unix auth processes via SSSD
Why do we care? • FreeIPA is used pervasively in order to manage a large variety of cloud resources. • Interesting new medium for common active directory and kerberos based attacks. • A lot of the attack primitives may able to other Unix based systems tied into Active Directory.
https://blog.cloudflare.com/introducing-flan-scan/
Our Lab
Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
Situational Awareness • How can we identify that a host is enrolled in a Domain, and specifically FreeIPA?
Situational Awareness There are a few key indicators that a Linux host has been enrolled in a Domain. They ultimately consist of various binaries, files, and environment variables. • Default Kerberos Configuration Files • /etc/krb5.conf • /etc/krb5.keytab • /tmp/krb5cc_* • Default FreeIPA Configuration Files • /etc/ipa/* • ~/.cache/ipa/schema/* • ~/.cache/ipa/servers/*
Situational Awareness • Kerberos Environmental Variables • KRB5CCNAME • KRB5_KTNAME • KRB5_CONFIG • KRB5_KDC_PROFILE • KRB5RCACHETYPE • KRB5CACHEDIR • KRB5_TRACE • KRB5_CLIENT_KTNAME • KPROP_PORT • Kerberos Binaries • kdestroy • kinit • klist • kpasswd • ksu • kswitch • kvno • FreeIPA Binaries • ipa • ipa-certupdate • ipa-client-automount • ipa-client-configure-first • ipa-client-install • ipa-getcert • ipa-getkeytab • ipa-join • ipa-rmkeytab
Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
Credential Abuse Kerberos tickets in FreeIPA are very similar to tickets in active directory. The main difference is in how they are utilized, and stored. They can be stored in the Following ways: • CCACHE Ticket Files • KeyTab Files • Inside of the Unix Keyring
Credential Abuse: CCACHE Tickets CCACHE Tickets are binaries that contain the credential material required to authenticate. By default these files are stored in c:tmp with (0600) permissions.
Credential Abuse: CCACHE Tickets In order to use a CCACHE Ticket the following must be true: • The current user context has read access to the file • The ticket is not expired • The host OS is enrolled in the domain, or has right configuration files If all of those conditions are meet the ticket can be used in the current session by setting the KRB5CCNAME environment variable
Credential Abuse: Keytabs Keytabs are permanent binary credential files. Once created they do not require a password to authenticate. However they are restricted to specific principals.
https://github.com/its-a-feature/KeytabParser
Credential Abuse: Unix Keyring The keyring lives inside of the kernel, and gives administrators more inherent controls over the retrieval and use of stored tickets. Tickets can be scoped in the following different ways: 1. KEYRING:name 2. KEYRING:process:name 3. KEYRING:thread:name 4. KEYRING:session:name 5. KEYRING:persistent:uidnumber 6. KEYRING:user:<name>
Credential Abuse: Unix Keyring
Credential Abuse: Unix Keyring https://github.com/TarlogicSecurity/tickey
Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
Domain Enumeration FreeIPA mimic’s a lot of traditional Active Directory’s functionality with some caveats. Let’s briefly talk about some of the different objects, and how they interact with each other.
Domain Enumeration: Users/Hosts Hosts in FreeIPA correspond to the individual systems attached to the domain. Similarly, users are the users in the domain. With the IPA binary you can search all of the hosts/users on the domain with the following commands: • ipa host-find • ipa host-show <hostname> --all • ipa user-find • ipa user-show <user> --all
Domain Enumeration: Hosts and Users may have the following controls set to control authentication, and privilege escalation: • HBAC Rules: Host Based Access Control Rules • ipa hbacrule-find • ipa hbacrule-show <ruleset> --all • SUDO Rules: Rules controlling who can execute Sudo, and which commands that user can execute • ipa sudorules-find • ipa sudorules-show <ruleset> --all
Situational Awareness Credential Abuse Domain Enumeration Lateral Movement
Lateral Movement • HBAC Rules show us which hosts specific users inside the environment can authenticate to • Inside of FreeIPA environments SSH is configured by default to allow Kerberos authentication
Lets Recap : Situational Awareness • Identified several configuration files, and binaries • /etc/krb5.conf • /etc/ipa/ca.crt • /usr/bin/ipa • /usr/sbin/ipa* • /usr/bin/k*
Lab Recap: Credential Abuse • Identified a valid Kerberos TGT in a CCACHE file • /tmp/krb5cc_30920003 • Set the KRB5CCNAME environment variable to that TGT • export KRB5CCNAME=/tmp/krb5cc_30920003 • Validated the ticket with klist • klist /tmp/krb5cc_30920003
Lab Recap: Domain Enumeration • Grabbed the user information for nginxadmin • ipa user-show --all nginxadmin • Identified they were a member of the web-admin HBAC Rule • ipa hbacrule-show --all web-admin • The web-admin HBAC Rule delegated access to mysql.westeros.local
Lab Recap: Lateral Movement • After entering the context of nginxadmin we can use SSH to move laterally throughout the environment • export KRB5CCNAME=/tmp/krb5cc_30920003 • ssh nginxadmin@mysql.westeros.local
CVE 2020-10747 • The authentication process established by default in FreeIPA will authenticate via the domain, and then establish a session for the local user corresponding to the domain user. • The ”User Administrators” privilege allows for new users to be created inside of FreeIPA • Thus creating a user named “root” inside of FreeIPA results in being able to authenticate as the local root (uid=0) account
RedHat official statement • Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Users with privileges should be reserved to trusted persons.
RedHat official statement • RedHat has retained the fixed pull request despite the CVE being revoked and the vulnerability being reclassified as “CLOSED NOTABUG” on https://bugzilla.redhat.com/show_bug.cgi?id=1810160.
Possible Attack Abuse Techniques • Long Living Tickets • kinit -r 14d -l 7d <user> • kinit -R <user> with the ticket loaded inside the renew window • Credential Storage Downgrade • /etc/krb5.conf is the configuration file that each host looks to when determining which location to store each ticket generated by the host. • default_ccache_name = KEYRING:persistent:%{uid} • Creating a Keytab • ipa-getkeytab -s ipa.westeros.local -p admin@WESTEROS.LOCAL -P -k /tmp/admin.keytab • With the right permissions it is possible to modify HBAC Rules, and Sudo Rules remotely. • This could enable lateral movement or privilege escalation.
FreeIPA - Attacking the Active Directory of Linux

Recommended

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Dive
rajdeep
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
Benjamin Delpy
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Docker Networking Deep Dive
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep Dive
Docker, Inc.
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 

Recommended

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Dive
rajdeep
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
Benjamin Delpy
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Docker Networking Deep Dive
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep Dive
Docker, Inc.
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Thomas Graf
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
Abhishek Mallick
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Top 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platformTop 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platform
Avi Networks
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
Seung-Hoon Baek
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
Will Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
Vietnam Open Infrastructure User Group
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
CJ Cullen
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Cloudera, Inc.
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
David Rowe
 

More Related Content

What's hot

Top 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platformTop 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platform
Avi Networks
 

What's hot (20)

ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Top 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platformTop 10 F5 iRules to migrate to a modern load balancing platform
Top 10 F5 iRules to migrate to a modern load balancing platform
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 

Similar to FreeIPA - Attacking the Active Directory of Linux

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Risk Management for Data: Secured and Governed
Risk Management for Data: Secured and GovernedRisk Management for Data: Secured and Governed
Risk Management for Data: Secured and Governed
Cloudera, Inc.
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
Shikha Srivastava
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
Brandon Arvanaghi
 

Similar to FreeIPA - Attacking the Active Directory of Linux (20)

Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Attacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin JoisAttacking and Defending Kubernetes - Nithin Jois
Attacking and Defending Kubernetes - Nithin Jois
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Hadoop Security: Overview
Hadoop Security: OverviewHadoop Security: Overview
Hadoop Security: Overview
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Security tools
Security toolsSecurity tools
Security tools
 
Risk Management for Data: Secured and Governed
Risk Management for Data: Secured and GovernedRisk Management for Data: Secured and Governed
Risk Management for Data: Secured and Governed
 
Secure Hadoop clusters on Windows platform
Secure Hadoop clusters on Windows platformSecure Hadoop clusters on Windows platform
Secure Hadoop clusters on Windows platform
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
From Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With KubernetesFrom Containerized Application to Secure and Scaling With Kubernetes
From Containerized Application to Secure and Scaling With Kubernetes
 
Securing Spark Applications by Kostas Sakellis and Marcelo Vanzin
Securing Spark Applications by Kostas Sakellis and Marcelo VanzinSecuring Spark Applications by Kostas Sakellis and Marcelo Vanzin
Securing Spark Applications by Kostas Sakellis and Marcelo Vanzin
 
Securing Your Apache Spark Applications
Securing Your Apache Spark ApplicationsSecuring Your Apache Spark Applications
Securing Your Apache Spark Applications
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
 
Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 

Recently uploaded

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 

Recently uploaded (20)

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 

FreeIPA - Attacking the Active Directory of Linux

  • 1. FreeIPA: Attacking the Active Directory of Linux
  • 2. /usr/bin/whoami ● Julian Catrambone (@n0pe_sled) ● Senior Consultant at SpecterOps ● Reformed Red Teamer ● IPA enthusiast 2
  • 3. What is FreeIPA? • Unix Open-Source Active Directory Alternative • Full LDAP directory Infrastructure backed by MIT Kerberos • Implements Dogtag certificate management system, allowing for multi-factor authentication • Integration into the standard Unix auth processes via SSSD
  • 4. Why do we care? • FreeIPA is used pervasively in order to manage a large variety of cloud resources. • Interesting new medium for common active directory and kerberos based attacks. • A lot of the attack primitives may able to other Unix based systems tied into Active Directory.
  • 8. Situational Awareness • How can we identify that a host is enrolled in a Domain, and specifically FreeIPA?
  • 9. Situational Awareness There are a few key indicators that a Linux host has been enrolled in a Domain. They ultimately consist of various binaries, files, and environment variables. • Default Kerberos Configuration Files • /etc/krb5.conf • /etc/krb5.keytab • /tmp/krb5cc_* • Default FreeIPA Configuration Files • /etc/ipa/* • ~/.cache/ipa/schema/* • ~/.cache/ipa/servers/*
  • 10. Situational Awareness • Kerberos Environmental Variables • KRB5CCNAME • KRB5_KTNAME • KRB5_CONFIG • KRB5_KDC_PROFILE • KRB5RCACHETYPE • KRB5CACHEDIR • KRB5_TRACE • KRB5_CLIENT_KTNAME • KPROP_PORT • Kerberos Binaries • kdestroy • kinit • klist • kpasswd • ksu • kswitch • kvno • FreeIPA Binaries • ipa • ipa-certupdate • ipa-client-automount • ipa-client-configure-first • ipa-client-install • ipa-getcert • ipa-getkeytab • ipa-join • ipa-rmkeytab
  • 11.
  • 13. Credential Abuse Kerberos tickets in FreeIPA are very similar to tickets in active directory. The main difference is in how they are utilized, and stored. They can be stored in the Following ways: • CCACHE Ticket Files • KeyTab Files • Inside of the Unix Keyring
  • 14. Credential Abuse: CCACHE Tickets CCACHE Tickets are binaries that contain the credential material required to authenticate. By default these files are stored in c:tmp with (0600) permissions.
  • 15. Credential Abuse: CCACHE Tickets In order to use a CCACHE Ticket the following must be true: • The current user context has read access to the file • The ticket is not expired • The host OS is enrolled in the domain, or has right configuration files If all of those conditions are meet the ticket can be used in the current session by setting the KRB5CCNAME environment variable
  • 16. Credential Abuse: Keytabs Keytabs are permanent binary credential files. Once created they do not require a password to authenticate. However they are restricted to specific principals.
  • 18. Credential Abuse: Unix Keyring The keyring lives inside of the kernel, and gives administrators more inherent controls over the retrieval and use of stored tickets. Tickets can be scoped in the following different ways: 1. KEYRING:name 2. KEYRING:process:name 3. KEYRING:thread:name 4. KEYRING:session:name 5. KEYRING:persistent:uidnumber 6. KEYRING:user:<name>
  • 20. Credential Abuse: Unix Keyring https://github.com/TarlogicSecurity/tickey
  • 22. Domain Enumeration FreeIPA mimic’s a lot of traditional Active Directory’s functionality with some caveats. Let’s briefly talk about some of the different objects, and how they interact with each other.
  • 23. Domain Enumeration: Users/Hosts Hosts in FreeIPA correspond to the individual systems attached to the domain. Similarly, users are the users in the domain. With the IPA binary you can search all of the hosts/users on the domain with the following commands: • ipa host-find • ipa host-show <hostname> --all • ipa user-find • ipa user-show <user> --all
  • 24.
  • 25. Domain Enumeration: Hosts and Users may have the following controls set to control authentication, and privilege escalation: • HBAC Rules: Host Based Access Control Rules • ipa hbacrule-find • ipa hbacrule-show <ruleset> --all • SUDO Rules: Rules controlling who can execute Sudo, and which commands that user can execute • ipa sudorules-find • ipa sudorules-show <ruleset> --all
  • 26.
  • 28. Lateral Movement • HBAC Rules show us which hosts specific users inside the environment can authenticate to • Inside of FreeIPA environments SSH is configured by default to allow Kerberos authentication
  • 29.
  • 30. Lets Recap : Situational Awareness • Identified several configuration files, and binaries • /etc/krb5.conf • /etc/ipa/ca.crt • /usr/bin/ipa • /usr/sbin/ipa* • /usr/bin/k*
  • 31. Lab Recap: Credential Abuse • Identified a valid Kerberos TGT in a CCACHE file • /tmp/krb5cc_30920003 • Set the KRB5CCNAME environment variable to that TGT • export KRB5CCNAME=/tmp/krb5cc_30920003 • Validated the ticket with klist • klist /tmp/krb5cc_30920003
  • 32. Lab Recap: Domain Enumeration • Grabbed the user information for nginxadmin • ipa user-show --all nginxadmin • Identified they were a member of the web-admin HBAC Rule • ipa hbacrule-show --all web-admin • The web-admin HBAC Rule delegated access to mysql.westeros.local
  • 33. Lab Recap: Lateral Movement • After entering the context of nginxadmin we can use SSH to move laterally throughout the environment • export KRB5CCNAME=/tmp/krb5cc_30920003 • ssh nginxadmin@mysql.westeros.local
  • 34.
  • 35. CVE 2020-10747 • The authentication process established by default in FreeIPA will authenticate via the domain, and then establish a session for the local user corresponding to the domain user. • The ”User Administrators” privilege allows for new users to be created inside of FreeIPA • Thus creating a user named “root” inside of FreeIPA results in being able to authenticate as the local root (uid=0) account
  • 36.
  • 37. RedHat official statement • Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Users with privileges should be reserved to trusted persons.
  • 38. RedHat official statement • RedHat has retained the fixed pull request despite the CVE being revoked and the vulnerability being reclassified as “CLOSED NOTABUG” on https://bugzilla.redhat.com/show_bug.cgi?id=1810160.
  • 39. Possible Attack Abuse Techniques • Long Living Tickets • kinit -r 14d -l 7d <user> • kinit -R <user> with the ticket loaded inside the renew window • Credential Storage Downgrade • /etc/krb5.conf is the configuration file that each host looks to when determining which location to store each ticket generated by the host. • default_ccache_name = KEYRING:persistent:%{uid} • Creating a Keytab • ipa-getkeytab -s ipa.westeros.local -p admin@WESTEROS.LOCAL -P -k /tmp/admin.keytab • With the right permissions it is possible to modify HBAC Rules, and Sudo Rules remotely. • This could enable lateral movement or privilege escalation.