Service:
kpasswd
Protocol:
TCP/UDPPort:
464Used for:
Kerberos password changing serviceWhy It’s Open
Port 464 is used by Kerberos Password Change Protocol (kpasswd), which allows users to change their Kerberos passwords securely. This service is commonly found in Windows Active Directory environments and Unix/Linux systems using Kerberos authentication. It’s critical for enterprise identity management and security.
Common Risks
- Password policy bypass
Vulnerabilities may allow circumvention of password complexity requirements - Brute force attacks
Attackers may attempt to guess user credentials - Protocol vulnerabilities
Flaws in Kerberos implementation can lead to authentication bypass - User enumeration
Service responses may reveal valid usernames - Denial of service
Account lockout through repeated failed attempts - Man-in-the-middle
Unencrypted communications may expose credentials - Privilege escalation
Compromised service may grant administrative access
Want to save time on reporting?
Let PentestPad generate, track, and export your reports - automatically.
Enumeration & Testing
Service Detection:
nmap -sV -p 464Kerberos Service Enumeration:
nmap -p88,464 --script krb5-enum-users --script-args krb5-enum-users.realm=DOMAIN.COMPassword Change Testing:
kpasswd username@DOMAIN.COM nc -u 464What to Look For
| Checkpoint | What it means |
|---|---|
| Service version | Identify Kerberos implementation and patch level |
| Password policy enforcement | Check if strong password requirements are enforced |
| Account lockout policy | Verify failed attempt limits and lockout duration |
| Encryption in transit | Ensure communications are properly encrypted |
| User enumeration protection | Verify service doesn’t reveal valid usernames |
Mitigation
- Implement strong password policies
Enforce complexity requirements and regular password changes - Configure account lockout
Set appropriate failed attempt limits and lockout duration - Use secure encryption
Ensure all Kerberos communications are encrypted - Monitor authentication logs
Log all password change attempts and authentication events - Network segmentation
Restrict access to Kerberos services to trusted networks - Regular security updates
Keep Kerberos implementations patched - Disable unnecessary features
Remove unused authentication mechanisms
TL;DR
- Port 464 = Kerberos Password Change service
- Protocol: TCP/UDP
- Used for: Kerberos password changing service
- Security focus: Critical authentication infrastructure requiring strong security controls
Known CVEs and Exploits
- CVE‑2020‑1472 – Zerologon vulnerability allowing domain privilege escalation
- CVE‑2021‑42287 – sAMAccountName spoofing vulnerability in Active Directory
- CVE‑2022‑37967 – Kerberos authentication bypass in Windows Kerberos KDC
- CVE‑2014‑6271 – Shellshock vulnerability affecting Kerberos implementations