Thinking in graphs with IPAHound #2188
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://swarm.ptsecurity.com/thinking-in-graphs-with-ipahound/
Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> FreeIPA Pentesting (add subsections on IPAHound tool usage, LDAP privilege inference/graph edges, and Kerberos delegation/PKINIT attack chains in FreeIPA)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
This post introduces IPAHound, a BloodHound-style graph attack-path analysis toolkit for FreeIPA environments. It explains (1) how FreeIPA directory entities and authorization/delegation/PKI concepts are represented in LDAP, (2) how IPAHound reconstructs actionable attacker edges from what a standard user can read, and (3) provides concrete, copy/paste command sequences that chain those edges into domain compromise (e.g., gaining LDAP admin via Ke...
🔧 Technical Details
Recon/inference trick (FreeIPA pentest view): because standard users can’t read most ACI/permission internals, infer effective privileges from readable attributes like memberOf and delegation-related attributes (e.g., memberManager, managedBy, ipaAllowedToPerform;read_keys, ipaAllowedToPerform;write_keys, ipaAllowedToPerform;write_delegation), then represent them as graph edges to identify lateral-movement and compromise paths.
Password-spray target selection: derive PasswordAuthAllow from ipaUserAuthType (missing attribute implies password auth allowed), then query Neo4j for sprayable principals (e.g., MATCH (n:IPAUser) WHERE n.PasswordAuthAllow = True RETURN n.krbCanonicalName, or splitting krbPrincipalName).
HBAC + sudo exploitability modeling: treat SSH access as “HBAC allow sshd” (CanSSH), and sudo access as “HBAC allow sud...
🤖 Agent Actions
I’m mapping the existing FreeIPA/Linux hardening content first, then I’ll read the nearest candidate pages to decide whether this belongs in an existing FreeIPA page or needs a new one.
There is already a dedicated src/linux-hardening/freeipa-pentesting.md, so I’m validating that page against nearby LDAP/Kerberos/BloodHound content before deciding what to add.
The FreeIPA page already covers baseline enumeration, HBAC, sudo rules, and RBAC, but it does not cover IPAHound’s low-privilege graph inference, PasswordAuthAllow spray targeting, or the FreeIPA-specific PKINIT/RBCD chains from the post.
I’ve pinned the insertion point inside the existing FreeIPA page. I’m doing one quick external verification for the IPAHound project links, then I’ll patch that file only.
I’m patching the existing FreeIPA page now. The edit stays in a single file and adds only the pieces that were missing: IPAHound workflow, inference from readable LDAP attributes, and the FreeIPA-specific PKINIT/RBCD chain.
The patch is in place. I’m checking the rendered markdown shape and the final diff now to make sure the page stays consistent and the references remain at the end.
Updated src/linux-hardening/freeipa-pentesting.md.
The new content stays in that single file and adds the missing technical material from the IPAHound post: low-privilege LDAP privilege inference, PasswordAuthAllow-based spray targeting, FreeIPA edge semantics like AddMember/Owns/AddRBCD, and the FreeIPA-specific PKINIT plus S4U2proxy/RBCD chain. I also added the PT SWARM blog and IPAHound repositories to the existing ## References section.
I verified the diff and final file layout. Only that file changed.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
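The PasswordAuthAllow inference and the edges built from readable LDAP attributes described in the Technical Details above, as an added Python example that is not IPAHound's or the post's own code. The LDAP entries are constructed; it assumes that when ipaUserAuthType is present, password auth is allowed only if it lists the value password (the post states only the missing-attribute case), and it maps memberManager to an AddMember edge.

```python
from typing import Dict, List, Tuple

# Constructed sample entries shaped like a small LDAP export (not real data).
LDAP_ENTRIES = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=corp,dc=test",
     "objectClass": ["person", "ipauser"],
     "krbPrincipalName": ["alice@CORP.TEST"],   # no ipaUserAuthType set
     "memberOf": ["cn=devs,cn=groups,cn=accounts,dc=corp,dc=test"]},
    {"dn": "uid=bob,cn=users,cn=accounts,dc=corp,dc=test",
     "objectClass": ["person", "ipauser"],
     "krbPrincipalName": ["bob@CORP.TEST"],
     "ipaUserAuthType": ["otp"]},                # OTP only: not sprayable
    {"dn": "uid=carol,cn=users,cn=accounts,dc=corp,dc=test",
     "objectClass": ["person", "ipauser"],
     "krbPrincipalName": ["carol@CORP.TEST"],
     "ipaUserAuthType": ["password", "otp"]},    # password still permitted
    {"dn": "cn=devs,cn=groups,cn=accounts,dc=corp,dc=test",
     "objectClass": ["groupofnames", "ipausergroup"],
     "memberManager": ["uid=carol,cn=users,cn=accounts,dc=corp,dc=test"]},
]

def password_auth_allowed(entry: Dict[str, List[str]]) -> bool:
    """Missing ipaUserAuthType => password auth allowed (as the post states).
    Assumption: when present, it must list 'password' to allow it."""
    auth_types = entry.get("ipaUserAuthType")
    if not auth_types:
        return True
    return any(t.lower() == "password" for t in auth_types)

def sprayable_principals(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Python equivalent of the post's Cypher query: IPAUser nodes with
    PasswordAuthAllow = True, krbPrincipalName split at the realm."""
    return sorted(e["krbPrincipalName"][0].split("@", 1)[0]
                  for e in entries
                  if "ipauser" in e.get("objectClass", [])
                  and password_auth_allowed(e))

def build_edges(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Edges inferred from readable attributes: memberOf -> MemberOf,
    memberManager -> AddMember (the manager can add members to the group)."""
    edges = []
    for e in entries:
        for group in e.get("memberOf", []):
            edges.append((e["dn"], "MemberOf", group))
        for manager in e.get("memberManager", []):
            edges.append((manager, "AddMember", e["dn"]))
    return sorted(edges)
```

Feeding a real export through the same functions shows which accounts still accept passwords and which non-admin principals hold group-management edges, which is the information a defender wants to review before an attacker graphs it.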