Security Operations Center

Enumeration Techniques

Discover methods to enumerate users, hosts, groups, and access controls within FreeIPA environments.


Hosts, Users & Groups

Enumeration Methods

LDAP queries can be used to enumerate various objects in the FreeIPA directory:

Get all data readable without authentication (anonymous simple bind)
ldapsearch -x
Authenticate with the host keytab, then get all users (from the compat tree)
kinit -kt /etc/krb5.keytab
ldapsearch -Y gssapi -b "cn=users,cn=compat,dc=westeros,dc=local"
Get all hosts
ldapsearch -Y gssapi -b "cn=computers,cn=accounts,dc=westeros,dc=local"
Get all host groups
ldapsearch -Y gssapi -b "cn=hostgroups,cn=accounts,dc=westeros,dc=local"
Get all user groups
ldapsearch -Y gssapi -b "cn=groups,cn=accounts,dc=westeros,dc=local"

Host-Based Access Control (HBAC) Rules

Host-Based Access Control (HBAC) rules define who has access to what within the FreeIPA environment. These access controls are similar to firewall rules that determine which users or groups can access which hosts or services.

Get all HBAC Rules
ldapsearch -Y gssapi -b "cn=hbac,dc=westeros,dc=local"

Sudo Rules

Sudo rules in FreeIPA are structured like HBAC rules but additionally carry sudoers options and "run as" settings. These rules define which users can execute which commands with elevated privileges on which hosts.

Get all Sudo Rules
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=westeros,dc=local"

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a hierarchical way of organizing access to the data managed by FreeIPA. It consists of roles, privileges, and permissions that define what actions users can perform within the FreeIPA environment.

Get all roles
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=westeros,dc=local"
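As an added defender-side example that is not part of the original page: a Python parser that reads 389 Directory Server access log lines (FreeIPA's LDAP backend) and flags the subtree searches the queries in the Enumeration Methods, HBAC, Sudo and RBAC sections above would generate, reporting those that were anonymous or returned many objects. The sample lines are constructed approximations of the 389-ds access log format, and the container prefixes and the 50-entry threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of a 389 Directory Server access log (FreeIPA's LDAP backend):
# conn 7 searches the whole tree unbound; conn 8 binds via GSSAPI as "jon", dumps every sudo
# rule, then does a single-entry lookup that should not be flagged.
SAMPLE_LOG = """\
[01/Jan/2024:10:00:01 +0000] conn=7 op=0 SRCH base="dc=westeros,dc=local" scope=2 filter="(objectClass=*)" attrs=ALL
[01/Jan/2024:10:00:01 +0000] conn=7 op=0 RESULT err=0 tag=101 nentries=412 etime=0.031
[01/Jan/2024:10:00:05 +0000] conn=8 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[01/Jan/2024:10:00:05 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002 dn="uid=jon,cn=users,cn=accounts,dc=westeros,dc=local"
[01/Jan/2024:10:00:06 +0000] conn=8 op=1 SRCH base="cn=sudorules,cn=sudo,dc=westeros,dc=local" scope=2 filter="(objectClass=*)" attrs=ALL
[01/Jan/2024:10:00:06 +0000] conn=8 op=1 RESULT err=0 tag=101 nentries=63 etime=0.004
[01/Jan/2024:10:00:07 +0000] conn=8 op=2 SRCH base="uid=jon,cn=users,cn=accounts,dc=westeros,dc=local" scope=0 filter="(objectClass=*)" attrs="mail"
[01/Jan/2024:10:00:07 +0000] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0.001
"""

# Containers the queries above target (assumed list): a subtree search (scope=2) of one of them,
# or of the domain root, returns a whole object class in a single operation.
SENSITIVE_PREFIXES = ("dc=", "cn=users,cn=", "cn=computers,cn=accounts,", "cn=hostgroups,cn=accounts,",
                      "cn=groups,cn=accounts,", "cn=hbac,", "cn=sudorules,cn=sudo,", "cn=roles,cn=accounts,")
LINE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="')
RESULT = re.compile(r'^RESULT err=\d+ tag=\d+ nentries=(?P<n>\d+)(?:.* dn="(?P<dn>[^"]*)")?')

def find_enumeration(lines, min_entries=50):
    """Return (conn, identity, base, nentries) for each subtree search of a sensitive container
    that was unauthenticated or returned at least min_entries objects."""
    identity = defaultdict(lambda: "anonymous")   # conn -> bound DN; anonymous until a bind succeeds
    pending = {}                                  # (conn, op) -> base of a search awaiting its RESULT
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                              # connection open/close lines carry no op=
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if (b := BIND.match(rest)) and b["dn"]:
            identity[conn] = b["dn"]              # simple bind names the DN on the BIND line itself
        elif (s := SRCH.match(rest)):
            base = s["base"].lower()
            if s["scope"] == "2" and base.startswith(SENSITIVE_PREFIXES):
                pending[(conn, op)] = base
        elif (r := RESULT.match(rest)):
            if r["dn"]:
                identity[conn] = r["dn"]          # SASL/GSSAPI binds report the DN on the final RESULT
            if (conn, op) in pending:
                base, n = pending.pop((conn, op)), int(r["n"])
                if identity[conn] == "anonymous" or n >= min_entries:
                    hits.append((conn, identity[conn], base, n))
    return hits
```

Run it over a real access log with `find_enumeration(open(path))` and tune `min_entries` to the size of your directory; anonymous hits are the ones to check against the server's anonymous-access configuration first.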