Reconnaissance Techniques

Initial information gathering techniques to identify FreeIPA deployments and their components.


Network Discovery

The first step in penetration testing a FreeIPA deployment is to identify potential FreeIPA servers on the network. This involves scanning for hosts running specific services associated with FreeIPA.

Port Scanning

FreeIPA servers typically run several services on specific ports. Scanning for these ports can help identify potential FreeIPA servers.

# Scan common FreeIPA ports with service version detection
nmap -sV -p 80,443,389,636,88,464,53 <target_ip>
# Use LDAP-specific Nmap scripts to gather information
nmap -sV --script="ldap* and not brute" <target_ip>

Key FreeIPA Ports:

  • 80/443 - Web UI
  • 389/636 - LDAP/LDAPS
  • 88/464 - Kerberos
  • 53 - DNS
  • 123 - NTP
  • 749 - Kerberos Admin

Network Range Scanning

When the exact location of FreeIPA servers is unknown, scanning network ranges can help identify potential targets.

# Scan a network range for hosts with port 389 (LDAP) open
nmap -p 389 192.168.1.0/24
# Perform a more comprehensive scan of potential FreeIPA servers, saving output in all formats
nmap -p 389,636,88,464,53,80,443 -oA freeipa_scan 192.168.1.0/24

[Diagram: Network Scanning Process, showing the process of network scanning to identify FreeIPA servers]

DNS Enumeration

DNS enumeration can reveal valuable information about the FreeIPA infrastructure without directly interacting with the servers. FreeIPA uses DNS SRV records to advertise services.

# Find LDAP servers via DNS SRV records
dig SRV _ldap._tcp.<domain>
# Find Kerberos KDCs via DNS SRV records
dig SRV _kerberos._tcp.<domain>
# Find the Kerberos password change service
dig SRV _kpasswd._tcp.<domain>
# Find the Kerberos admin service
dig SRV _kerberos-adm._tcp.<domain>
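The four SRV lookups above, carried out as one inventory step, as an added example that is not part of the original guide. It resolves each record with `dig +short` (a pluggable `resolver` argument lets you substitute captured answers), orders targets per RFC 2782 (lowest priority first, then highest weight), reads the realm from the `_kerberos.<domain>` TXT record FreeIPA publishes, and reports the hosts that appear in every advertised service, which in a FreeIPA deployment are the servers to inventory first. The `example.test` names are constructed.

```python
import subprocess

# SRV labels FreeIPA advertises; the order here only affects the output order.
SRV_SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_kerberos-adm._tcp")

def dig_short(name, rrtype):
    """Default resolver: run `dig +short <rrtype> <name>` and return answer lines."""
    out = subprocess.run(["dig", "+short", rrtype, name],
                         capture_output=True, text=True, timeout=10).stdout
    return [line for line in out.splitlines() if line.strip()]

def parse_srv(lines):
    """Parse `dig +short SRV` lines ('prio weight port target.') into dicts,
    sorted per RFC 2782: lowest priority first, then highest weight first."""
    recs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not an SRV answer (CNAME, comment, garbage); skip it
        prio, weight, port, target = parts
        recs.append({"priority": int(prio), "weight": int(weight),
                     "port": int(port), "host": target.rstrip(".").lower()})
    return sorted(recs, key=lambda r: (r["priority"], -r["weight"]))

def discover_freeipa(domain, resolver=dig_short):
    """Collect the SRV records FreeIPA publishes plus the _kerberos TXT realm
    record. Returns the realm, the ordered servers per service, and the hosts
    that appear in every service that is actually published (likely IPA servers).
    A service with no records is ignored rather than emptying the intersection."""
    services, hosts_by_service = {}, {}
    for svc in SRV_SERVICES:
        recs = parse_srv(resolver(f"{svc}.{domain}", "SRV"))
        services[svc] = recs
        hosts_by_service[svc] = {r["host"] for r in recs}
    txt = resolver(f"_kerberos.{domain}", "TXT")
    realm = txt[0].strip().strip('"') if txt else None  # e.g. "EXAMPLE.TEST"
    published = [s for s in hosts_by_service.values() if s]
    masters = sorted(set.intersection(*published)) if published else []
    return {"realm": realm, "services": services, "likely_masters": masters}

if __name__ == "__main__":
    import json, sys
    print(json.dumps(discover_freeipa(sys.argv[1]), indent=2))
```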

Zone Transfer Attempts

Although rarely successful in modern environments, attempting a zone transfer can sometimes reveal valuable information about the domain.

# Attempt a zone transfer
dig axfr <domain> @<dns_server>

Service Identification

Once potential FreeIPA servers are identified, the next step is to confirm their role and gather more information about the services they're running.

LDAP Service Identification

LDAP is a core component of FreeIPA. Identifying and gathering information from LDAP services can provide valuable insights.

# Read the root DSE for the naming contexts and server vendor/version
ldapsearch -x -H ldap://<target_ip> -b "" -s base "(objectClass=*)" namingContexts vendorName vendorVersion
# Check whether anonymous binds are allowed (use a base DN returned by the previous query)
ldapsearch -x -H ldap://<target_ip> -b "dc=example,dc=com" -s sub "(objectClass=*)" | head

LDAP Identification Tip:

FreeIPA LDAP servers typically have naming contexts that include "cn=accounts" and "cn=schema". The presence of these contexts can help confirm that the server is running FreeIPA.

Kerberos Service Identification

Kerberos is used for authentication in FreeIPA. Confirming the presence of Kerberos services can help identify FreeIPA servers.

# Check whether a KDC is listening on the server
nmap -p 88 -sV <target_ip>
# Find the Kerberos realm name (FreeIPA publishes it as a TXT record in DNS)
dig TXT _kerberos.<domain>

[Diagram: FreeIPA Service Architecture, showing the core services in a FreeIPA deployment]

Web Interface Analysis

FreeIPA provides a web interface for administration. Analyzing this interface can reveal information about the FreeIPA deployment, including version information.

# Identify web technologies used by the FreeIPA web interface
whatweb https://<target_ip>
# Retrieve the FreeIPA web interface and look for version information
curl -k https://<target_ip>/ipa/ui/
# Check for the presence of the FreeIPA JSON-RPC API endpoint
curl -k https://<target_ip>/ipa/session/json

Screenshot Analysis

Taking screenshots of the web interface can help document the environment and identify potential vulnerabilities.

# Take a screenshot of the web interface using cutycapt
cutycapt --url=https://<target_ip> --out=freeipa_screenshot.png

[Screenshot: FreeIPA Login Page (example)]

[Screenshot: FreeIPA Dashboard (example, after authentication)]

Web Interface Analysis Tip:

The FreeIPA web interface often reveals version information in the page source or HTTP headers. This information can be used to identify known vulnerabilities in specific versions of FreeIPA.
