FreeIPA Penetration Testing Cheat Sheet

Quick reference guide for commands and techniques used in FreeIPA penetration testing

Network Discovery

Commands for discovering FreeIPA servers on the network.

Scan common FreeIPA ports:
    nmap -sV -p 80,443,389,636,88,464,53 <target_ip>

Scan a network range for FreeIPA servers:
    nmap -p 389,636,88,464,53,80,443 -oA freeipa_scan 192.168.1.0/24

Use LDAP-specific Nmap scripts:
    nmap -sV --script="ldap* and not brute" <target_ip>

Check SSL/TLS configuration:
    nmap --script ssl-enum-ciphers -p 443,636 <target_ip>

DNS Enumeration

Commands for DNS-based reconnaissance.

Find LDAP servers via DNS SRV records:
    dig SRV _ldap._tcp.<domain>

Find Kerberos KDC via DNS SRV records:
    dig SRV _kerberos._tcp.<domain>

Find Kerberos password change service:
    dig SRV _kpasswd._tcp.<domain>

Attempt a zone transfer:
    dig axfr <domain> @<dns_server>
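
A defender-side companion to the SRV and zone-transfer checks above, added here as an example and not part of the original cheat sheet: it turns `dig +short SRV` output into a host:port list, flags targets missing from an expected server inventory, and classifies `dig axfr` output as refused or allowed. The domain example.test, the host names, the function names and the sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `dig +short SRV _ldap._tcp.example.test` output
# (priority weight port target); not captured from a real server.
SAMPLE_SRV='0 100 389 ipa2.example.test.
0 100 389 ipa1.example.test.
10 100 389 ipa-dr.example.test.'
# Constructed tails of `dig axfr` output: a refusal and a completed transfer.
SAMPLE_AXFR_REFUSED='; Transfer failed.'
SAMPLE_AXFR_ALLOWED='example.test. 86400 IN SOA ns1.example.test. admin.example.test. 1 3600 900 1209600 3600
;; XFR size: 42 records (messages 1, bytes 2048)'

# Read `dig +short SRV` lines on stdin; print host:port by priority, then name.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $4 ":" $3 }' |
        sort -k1,1n -k2,2 | cut -d" " -f2
}

# Read host:port lines on stdin; print those whose host is not among the
# expected server names given as arguments (stale or unplanned SRV records).
unexpected_targets() {
    while IFS=: read -r host port; do
        found=no
        for ok in "$@"; do
            if [ "$host" = "$ok" ]; then found=yes; fi
        done
        [ "$found" = yes ] || echo "$host:$port"
    done
}

# Read `dig axfr` output on stdin; print refused, allowed or unknown.
axfr_status() {
    out=$(cat)
    case "$out" in
        *"Transfer failed"*) echo refused ;;
        *"XFR size:"*)       echo allowed ;;
        *)                   echo unknown ;;
    esac
}

printf '%s\n' "$SAMPLE_SRV" | srv_targets |
    unexpected_targets ipa1.example.test ipa2.example.test
printf '%s\n' "$SAMPLE_AXFR_REFUSED" | axfr_status
```

An "allowed" result for a host outside the zone's secondaries is the finding to report; the usual remediation is restricting transfers to the replica name servers.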

Web Interface Analysis

Commands for analyzing the FreeIPA web interface.

Identify web technologies:
    whatweb https://<target_ip>

Retrieve the FreeIPA web interface:
    curl -k https://<target_ip>/ipa/ui/

Check for the presence of the FreeIPA API:
    curl -k https://<target_ip>/ipa/session/json

Take a screenshot of the web interface:
    cutycapt --url=https://<target_ip> --out=freeipa_screenshot.png

Command Execution Tips

Authentication

Always ensure you have valid credentials before attempting to run authenticated commands. Use kinit to obtain Kerberos tickets or provide LDAP credentials with -D and -w flags.

Error Handling

If commands fail, check for typos in domain names, usernames, or passwords. Verify that you have network connectivity to the target and that required services are running.

Documentation

Always document your commands and their outputs during penetration testing. This documentation is essential for reporting findings and providing remediation recommendations.

Ethical Considerations

Only execute these commands on systems you have explicit permission to test. Always clean up after testing to return the environment to its original state.
