FreeIPA - Attacking the Active Directory of Linux
- 1. FreeIPA: Attacking the Active Directory of Linux
- 2. /usr/bin/whoami ● Julian Catrambone (@n0pe_sled) ● Senior Consultant at SpecterOps ● Reformed Red Teamer ● IPA enthusiast 2
- 3. What is FreeIPA? • Unix Open-Source Active Directory Alternative • Full LDAP directory Infrastructure backed by MIT Kerberos • Implements Dogtag certificate management system, allowing for multi-factor authentication • Integration into the standard Unix auth processes via SSSD
- 4. Why do we care? • FreeIPA is used pervasively in order to manage a large variety of cloud resources. • Interesting new medium for common active directory and kerberos based attacks. • A lot of the attack primitives may able to other Unix based systems tied into Active Directory.
- 6. Our Lab
- 8. Situational Awareness • How can we identify that a host is enrolled in a Domain, and specifically FreeIPA?
- 9. Situational Awareness There are a few key indicators that a Linux host has been enrolled in a Domain. They ultimately consist of various binaries, files, and environment variables. • Default Kerberos Configuration Files • /etc/krb5.conf • /etc/krb5.keytab • /tmp/krb5cc_* • Default FreeIPA Configuration Files • /etc/ipa/* • ~/.cache/ipa/schema/* • ~/.cache/ipa/servers/*
- 10. Situational Awareness • Kerberos Environmental Variables • KRB5CCNAME • KRB5_KTNAME • KRB5_CONFIG • KRB5_KDC_PROFILE • KRB5RCACHETYPE • KRB5CACHEDIR • KRB5_TRACE • KRB5_CLIENT_KTNAME • KPROP_PORT • Kerberos Binaries • kdestroy • kinit • klist • kpasswd • ksu • kswitch • kvno • FreeIPA Binaries • ipa • ipa-certupdate • ipa-client-automount • ipa-client-configure-first • ipa-client-install • ipa-getcert • ipa-getkeytab • ipa-join • ipa-rmkeytab
- 13. Credential Abuse Kerberos tickets in FreeIPA are very similar to tickets in active directory. The main difference is in how they are utilized, and stored. They can be stored in the Following ways: • CCACHE Ticket Files • KeyTab Files • Inside of the Unix Keyring
- 14. Credential Abuse: CCACHE Tickets CCACHE Tickets are binaries that contain the credential material required to authenticate. By default these files are stored in c:tmp with (0600) permissions.
- 15. Credential Abuse: CCACHE Tickets In order to use a CCACHE Ticket the following must be true: • The current user context has read access to the file • The ticket is not expired • The host OS is enrolled in the domain, or has right configuration files If all of those conditions are meet the ticket can be used in the current session by setting the KRB5CCNAME environment variable
- 16. Credential Abuse: Keytabs Keytabs are permanent binary credential files. Once created they do not require a password to authenticate. However they are restricted to specific principals.
- 18. Credential Abuse: Unix Keyring The keyring lives inside of the kernel, and gives administrators more inherent controls over the retrieval and use of stored tickets. Tickets can be scoped in the following different ways: 1. KEYRING:name 2. KEYRING:process:name 3. KEYRING:thread:name 4. KEYRING:session:name 5. KEYRING:persistent:uidnumber 6. KEYRING:user:<name>
- 19. Credential Abuse: Unix Keyring
- 20. Credential Abuse: Unix Keyring https://github.com/TarlogicSecurity/tickey
- 22. Domain Enumeration FreeIPA mimic’s a lot of traditional Active Directory’s functionality with some caveats. Let’s briefly talk about some of the different objects, and how they interact with each other.
- 23. Domain Enumeration: Users/Hosts Hosts in FreeIPA correspond to the individual systems attached to the domain. Similarly, users are the users in the domain. With the IPA binary you can search all of the hosts/users on the domain with the following commands: • ipa host-find • ipa host-show <hostname> --all • ipa user-find • ipa user-show <user> --all
- 25. Domain Enumeration: Hosts and Users may have the following controls set to control authentication, and privilege escalation: • HBAC Rules: Host Based Access Control Rules • ipa hbacrule-find • ipa hbacrule-show <ruleset> --all • SUDO Rules: Rules controlling who can execute Sudo, and which commands that user can execute • ipa sudorules-find • ipa sudorules-show <ruleset> --all
- 28. Lateral Movement • HBAC Rules show us which hosts specific users inside the environment can authenticate to • Inside of FreeIPA environments SSH is configured by default to allow Kerberos authentication
- 30. Lets Recap : Situational Awareness • Identified several configuration files, and binaries • /etc/krb5.conf • /etc/ipa/ca.crt • /usr/bin/ipa • /usr/sbin/ipa* • /usr/bin/k*
- 31. Lab Recap: Credential Abuse • Identified a valid Kerberos TGT in a CCACHE file • /tmp/krb5cc_30920003 • Set the KRB5CCNAME environment variable to that TGT • export KRB5CCNAME=/tmp/krb5cc_30920003 • Validated the ticket with klist • klist /tmp/krb5cc_30920003
- 32. Lab Recap: Domain Enumeration • Grabbed the user information for nginxadmin • ipa user-show --all nginxadmin • Identified they were a member of the web-admin HBAC Rule • ipa hbacrule-show --all web-admin • The web-admin HBAC Rule delegated access to mysql.westeros.local
- 33. Lab Recap: Lateral Movement • After entering the context of nginxadmin we can use SSH to move laterally throughout the environment • export KRB5CCNAME=/tmp/krb5cc_30920003 • ssh nginxadmin@mysql.westeros.local
- 35. CVE 2020-10747 • The authentication process established by default in FreeIPA will authenticate via the domain, and then establish a session for the local user corresponding to the domain user. • The ”User Administrators” privilege allows for new users to be created inside of FreeIPA • Thus creating a user named “root” inside of FreeIPA results in being able to authenticate as the local root (uid=0) account
- 37. RedHat official statement • Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Users with privileges should be reserved to trusted persons.
- 38. RedHat official statement • RedHat has retained the fixed pull request despite the CVE being revoked and the vulnerability being reclassified as “CLOSED NOTABUG” on https://bugzilla.redhat.com/show_bug.cgi?id=1810160.
- 39. Possible Attack Abuse Techniques • Long Living Tickets • kinit -r 14d -l 7d <user> • kinit -R <user> with the ticket loaded inside the renew window • Credential Storage Downgrade • /etc/krb5.conf is the configuration file that each host looks to when determining which location to store each ticket generated by the host. • default_ccache_name = KEYRING:persistent:%{uid} • Creating a Keytab • ipa-getkeytab -s ipa.westeros.local -p admin@WESTEROS.LOCAL -P -k /tmp/admin.keytab • With the right permissions it is possible to modify HBAC Rules, and Sudo Rules remotely. • This could enable lateral movement or privilege escalation.