=========================
== Eduardo Robles Site ==
=========================

Ansible for Cybersecurity Work - Part 2

Learning to Authenticate

WinRM has two components: communication and authentication. As with SSH, you establish a connection and then authenticate on the endpoint. In the previous post I wrote about setting up a WinRM listener over HTTPS. Now we have to set up authentication. Luckily, Windows offers several options for authentication, but keep in mind that not all of them are secure, nor are all of them supported with the type of account you would like to use. In other words, if you want to authenticate with Kerberos, forget about using a local account.

WinRM Authentication

WinRM authentication is the method used when authenticating against a Windows endpoint: basically, how will you log into the computer remotely? WinRM offers several methods; here is a breakdown from the Ansible documentation.

https://docs.ansible.com/ansible/latest/os_guide/windows_winrm.html#id3

Option       Local Account  AD Account  Credential Delegation  HTTP Encryption
Basic        Y              N           N                      N
Certificate  Y              N           N                      N
Kerberos     N              Y           Y                      Y
NTLM         Y              Y           N                      Y
CredSSP      Y              Y           Y                      Y

Using Certificate Authentication

Setting the variable ansible_winrm_transport lets Ansible know which authentication method to use, e.g. ansible_winrm_transport: certificate

Generating a certificate with ADCS

This is just a quick demonstration of how, on a local machine, you can request a certificate from ADCS and then use it with Ansible.

  • Certlm

    Personal > Certificates > Request New Certificate - Choose a certificate

Mapping Cert to User

# $username, $thumbprint and $credential must be set before this runs (placeholders shown):
# $username   = "<local account the certificate maps to>"
# $thumbprint = "<thumbprint of the issuing ADCS CA certificate, which must be in Trusted Root CAs>"
# $credential = Get-Credential -UserName $username -Message "Password for $username"
# -Subject must match the UPN in the client certificate's Subject Alternative Name.
New-Item -Path WSMan:\localhost\ClientCertificate `
    -Subject "$username@localhost" `
    -URI * `
    -Issuer $thumbprint `
    -Credential $credential `
    -Force

Exporting the Certificate for the Ansible Control Node

  • Place the CA Certificate and Client key/cert on the Ansible Control Node

    openssl pkcs12 -in windows-host-cert.pfx -clcerts -nokeys -out client-cert.pem
    openssl pkcs12 -in windows-host-cert.pfx -nocerts -nodes -out client-key.pem
    

Using Kerberos Authentication

Setting the variable ansible_winrm_transport lets Ansible know which authentication method to use, e.g. ansible_winrm_transport: kerberos

Install Kerberos on Ubuntu

sudo apt-get install python3-dev libkrb5-dev krb5-user

You will need a few configuration changes for the local Kerberos install. Luckily they are not too crazy, but they are highly important. Edit the file with sudo emacs -nw /etc/krb5.conf or sudo nano /etc/krb5.conf

Kerberos Default Configuration

Below is an example configuration for Kerberos. It looks super complicated, but essentially you need to set your realm to match the AD environment. Pro tip: be sure DNS is configured and working correctly in your environment, or else Kerberos becomes a nightmare.

[libdefaults]
        default_realm = myorg.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
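Because a krb5.conf that does not match the AD realm fails only later at kinit time, it helps to check the file before trying to log in. The following is an added example (not code from the post) that parses a krb5.conf and reports the mistakes that commonly break AD logins: a default_realm that is not upper-case, no [realms] stanza with a kdc for it (so the KDC must come from DNS SRV records, which is why the DNS pro tip matters), and missing [domain_realm] mappings. The two sample configs are constructed; myorg.local and dc01 are placeholder names.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: [values] or {nested block}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        elif line and stack:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":  # realm block such as "MYORG.LOCAL = {"
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)  # kdc may repeat
    return conf

def check_ad_realm(conf):
    """Return problems that stop kinit/Ansible working against default_realm."""
    realm = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if not realm:
        return ["no default_realm in [libdefaults]"]
    out = []
    if realm != realm.upper():
        out.append(f"realm {realm} is not upper-case (realm names are case-sensitive)")
    stanza = conf.get("realms", {}).get(realm)
    if not isinstance(stanza, dict) or "kdc" not in stanza:
        out.append(f"no kdc for {realm} in [realms]; relying on DNS SRV lookups")
    for name in (realm.lower(), "." + realm.lower()):
        if conf.get("domain_realm", {}).get(name, [""])[0] != realm:
            out.append(f"[domain_realm] does not map {name} to {realm}")
    return out

# Constructed: the post's file as shipped (default_realm edited, MIT sample realms kept).
AS_ON_PAGE = """[libdefaults]
        default_realm = myorg.LOCAL
"""
# Constructed: corrected for a hypothetical AD domain myorg.local (dc01 is a placeholder).
CORRECTED = """[libdefaults]
        default_realm = MYORG.LOCAL
[realms]
        MYORG.LOCAL = {
                kdc = dc01.myorg.local
        }
[domain_realm]
        .myorg.local = MYORG.LOCAL
        myorg.local = MYORG.LOCAL
"""
```

Run check_ad_realm(parse_krb5(open("/etc/krb5.conf").read())) on the control node; an empty list means the realm, KDC and domain mappings are consistent and kinit should find the right KDC.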

You can get a Kerberos ticket by running the following command.

kinit myuseraccnt.local

You can view a list of the current tickets issued by Kerberos with this command.

klist

Conclusion

When choosing an authentication method for WinRM, I would recommend Kerberos. Kerberos is by far a better and more secure option than Basic or NTLM authentication. Luckily, you can use CredSSP or certificates if you are hesitant to use Kerberos. Overall, the authentication part of WinRM is much easier, even if you choose Kerberos. But if you do not configure it correctly, you will never be able to log in to a workstation remotely with Ansible. Moreover, if you choose a less secure method, do not use it in production.
