FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

1. FreeIPA: Attacking the Active
Directory of Linux

2. /usr/bin/whoami
● Julian Catrambone (@n0pe_sled)
● Senior Consultant at SpecterOps
● Reformed Red Teamer
● IPA enthusiast
2

3. What is FreeIPA?
• Unix Open-Source Active Directory Alternative
• Full LDAP directory Infrastructure backed by MIT Kerberos
• Implements Dogtag certificate management system, allowing for
multi-factor authentication
• Integration into the standard Unix auth processes via SSSD

4. Why do we care?
• FreeIPA is used pervasively in order to manage a large variety of
cloud resources.
• Interesting new medium for common active directory and kerberos
based attacks.
• A lot of the attack primitives may able to other Unix based systems
tied into Active Directory.

5. https://blog.cloudflare.com/introducing-flan-scan/

6. Our Lab

7. Situational
Awareness
Credential
Abuse
Domain
Enumeration
Lateral
Movement

8. Situational Awareness
• How can we identify that a host is enrolled in a Domain, and
specifically FreeIPA?

9. Situational Awareness
There are a few key indicators that a Linux host has been enrolled in a
Domain. They ultimately consist of various binaries, files, and
environment variables.
• Default Kerberos Configuration Files
• /etc/krb5.conf
• /etc/krb5.keytab
• /tmp/krb5cc_*
• Default FreeIPA Configuration Files
• /etc/ipa/*
• ~/.cache/ipa/schema/*
• ~/.cache/ipa/servers/*

10. Situational Awareness
• Kerberos Environmental
Variables
• KRB5CCNAME
• KRB5_KTNAME
• KRB5_CONFIG
• KRB5_KDC_PROFILE
• KRB5RCACHETYPE
• KRB5CACHEDIR
• KRB5_TRACE
• KRB5_CLIENT_KTNAME
• KPROP_PORT
• Kerberos Binaries
• kdestroy
• kinit
• klist
• kpasswd
• ksu
• kswitch
• kvno
• FreeIPA Binaries
• ipa
• ipa-certupdate
• ipa-client-automount
• ipa-client-configure-first
• ipa-client-install
• ipa-getcert
• ipa-getkeytab
• ipa-join
• ipa-rmkeytab

12. Situational
Awareness
Credential
Abuse
Domain
Enumeration
Lateral
Movement

13. Credential Abuse
Kerberos tickets in FreeIPA are very similar to tickets in active
directory. The main difference is in how they are utilized, and stored.
They can be stored in the Following ways:
• CCACHE Ticket Files
• KeyTab Files
• Inside of the Unix Keyring

14. Credential Abuse: CCACHE Tickets
CCACHE Tickets are binaries that contain the credential material
required to authenticate. By default these files are stored in c:tmp
with (0600) permissions.

15. Credential Abuse: CCACHE Tickets
In order to use a CCACHE Ticket the following must be true:
• The current user context has read access to the file
• The ticket is not expired
• The host OS is enrolled in the domain, or has right configuration
files
If all of those conditions are meet the ticket can be used in the current
session by setting the KRB5CCNAME environment variable

16. Credential Abuse: Keytabs
Keytabs are permanent binary credential files. Once created they do
not require a password to authenticate. However they are restricted
to specific principals.

17. https://github.com/its-a-feature/KeytabParser

18. Credential Abuse: Unix Keyring
The keyring lives inside of the kernel, and gives administrators more
inherent controls over the retrieval and use of stored tickets. Tickets
can be scoped in the following different ways:
1. KEYRING:name
2. KEYRING:process:name
3. KEYRING:thread:name
4. KEYRING:session:name
5. KEYRING:persistent:uidnumber
6. KEYRING:user:<name>

19. Credential Abuse: Unix Keyring

20. Credential Abuse: Unix Keyring
https://github.com/TarlogicSecurity/tickey

21. Situational
Awareness
Credential
Abuse
Domain
Enumeration
Lateral
Movement

22. Domain Enumeration
FreeIPA mimic’s a lot of traditional Active Directory’s functionality with
some caveats. Let’s briefly talk about some of the different objects,
and how they interact with each other.

23. Domain Enumeration: Users/Hosts
Hosts in FreeIPA correspond to the individual systems attached to the
domain. Similarly, users are the users in the domain. With the IPA
binary you can search all of the hosts/users on the domain with the
following commands:
• ipa host-find
• ipa host-show <hostname> --all
• ipa user-find
• ipa user-show <user> --all

25. Domain Enumeration:
Hosts and Users may have the following controls set to control
authentication, and privilege escalation:
• HBAC Rules: Host Based Access Control Rules
• ipa hbacrule-find
• ipa hbacrule-show <ruleset> --all
• SUDO Rules: Rules controlling who can execute Sudo, and which
commands that user can execute
• ipa sudorules-find
• ipa sudorules-show <ruleset> --all

27. Situational
Awareness
Credential
Abuse
Domain
Enumeration
Lateral
Movement

28. Lateral Movement
• HBAC Rules show us which hosts
specific users inside the
environment can authenticate to
• Inside of FreeIPA environments
SSH is configured by default to
allow Kerberos authentication

30. Lets Recap : Situational Awareness
• Identified several configuration files, and binaries
• /etc/krb5.conf
• /etc/ipa/ca.crt
• /usr/bin/ipa
• /usr/sbin/ipa*
• /usr/bin/k*

31. Lab Recap: Credential Abuse
• Identified a valid Kerberos TGT in a CCACHE file
• /tmp/krb5cc_30920003
• Set the KRB5CCNAME environment variable to that TGT
• export KRB5CCNAME=/tmp/krb5cc_30920003
• Validated the ticket with klist
• klist /tmp/krb5cc_30920003

32. Lab Recap: Domain Enumeration
• Grabbed the user information for nginxadmin
• ipa user-show --all nginxadmin
• Identified they were a member of the web-admin HBAC Rule
• ipa hbacrule-show --all web-admin
• The web-admin HBAC Rule delegated access to
mysql.westeros.local

33. Lab Recap: Lateral Movement
• After entering the context of nginxadmin we can use SSH to move
laterally throughout the environment
• export KRB5CCNAME=/tmp/krb5cc_30920003
• ssh nginxadmin@mysql.westeros.local

35. CVE 2020-10747
• The authentication process established by default in FreeIPA will
authenticate via the domain, and then establish a session for the
local user corresponding to the domain user.
• The ”User Administrators” privilege allows for new users to be
created inside of FreeIPA
• Thus creating a user named “root” inside of FreeIPA results in being
able to authenticate as the local root (uid=0) account

37. RedHat official statement
• Roles are used to classify permitted actions but are not used as a
tool to implement privilege separation or to protect from privilege
escalation. As a result, using privileges to gain additional privileges
is not something considered unexpected. This bug has been rejected
as a security flaw. Users with privileges should be reserved to
trusted persons.

38. RedHat official statement
• RedHat has retained the fixed pull request despite the CVE being
revoked and the vulnerability being reclassified as “CLOSED
NOTABUG”
on https://bugzilla.redhat.com/show_bug.cgi?id=1810160.

39. Possible Attack Abuse Techniques
• Long Living Tickets
• kinit -r 14d -l 7d <user>
• kinit -R <user> with the ticket loaded inside the renew window
• Credential Storage Downgrade
• /etc/krb5.conf is the configuration file that each host looks to when determining which
location to store each ticket generated by the host.
• default_ccache_name = KEYRING:persistent:%{uid}
• Creating a Keytab
• ipa-getkeytab -s ipa.westeros.local -p admin@WESTEROS.LOCAL -P -k /tmp/admin.keytab
• With the right permissions it is possible to modify HBAC Rules, and Sudo Rules
remotely.
• This could enable lateral movement or privilege escalation.