Service:
krb5kdc (Kerberos Key Distribution Center)
Protocol:
TCP / UDP
Port:
88
Used for:
Authentication service in Active Directory and UNIX environments
Why It’s Open
Kerberos is the backbone of authentication in Windows domains. It’s used to issue tickets for secure authentication without sending passwords over the network.
Common Risks
- Ticket Replay Attacks: If attackers steal a valid ticket, they can reuse it.
- Credential Stuffing: Misconfigured environments may allow brute force.
- TGT Abuse: Attackers with access can request forged tickets (Golden Ticket attack).
- Kerberoasting: Attackers can extract service ticket hashes for offline cracking.
Enumeration & Testing
Check if it’s open
nmap -sU -p 88
nmap -p 88 --script=krb5-enum-users
kinit @
Kerberos enum with Impacket
GetNPUsers.py / -no-pass -dc-ip
Kerberoasting with Rubeus (Windows)
Rubeus.exe kerberoast
What to Look For
| Checkpoint | What it means |
|---|---|
| Null sessions allowed | Potential for info gathering |
| Weak service accounts | Vulnerable to kerberoasting |
| Clock skew | Can break Kerberos authentication |
Known Exploits
- CVE-2020-17049
A security feature bypass vulnerability in the Kerberos Key Distribution Center (KDC) allows attackers to forge service tickets via the “Bronze Bit” attack, potentially leading to unauthorized access.
Mitigation
- Enforce strong passwords for service accounts.
- Disable RC4 and other weak encryption types.
- Limit ticket lifetimes.
- Monitor for unusual ticket usage.
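One way to act on the "monitor for unusual ticket usage" and "disable RC4" items together is to flag accounts that obtain RC4-encrypted service tickets for several distinct services in a short burst, which is the pattern kerberoasting leaves in Windows Security event 4769. This is an added example, not code from the original page: the field names follow event 4769, while the record layout (dicts with an ISO `time` field), the 5-minute window, the threshold of 3 services and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # TicketEncryptionType for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=5)    # assumed burst window, tune per environment
MIN_SERVICES = 3                 # assumed threshold of distinct services

# Constructed sample rows (not real log data): time, account, service, etype.
_ROWS = [
    ("2024-05-01T10:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2024-05-01T10:00:03", "jdoe@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2024-05-01T10:00:04", "jdoe@CORP.EXAMPLE", "krbtgt", "0x17"),
    ("2024-05-01T10:00:09", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17"),
    ("2024-05-01T10:01:00", "asmith@CORP.EXAMPLE", "svc_sql", "0x12"),
    ("2024-05-01T10:01:05", "asmith@CORP.EXAMPLE", "WS042$", "0x17"),
    ("2024-05-01T10:00:00", "bwilson@CORP.EXAMPLE", "svc_sql", "0x17"),
    ("2024-05-01T11:00:00", "bwilson@CORP.EXAMPLE", "svc_web", "0x17"),
    ("2024-05-01T12:00:00", "bwilson@CORP.EXAMPLE", "svc_backup", "0x17"),
]
_FIELDS = ("time", "TargetUserName", "ServiceName", "TicketEncryptionType")
SAMPLE_EVENTS = [dict(zip(_FIELDS, row), Status="0x0") for row in _ROWS]

def find_rc4_bursts(events, window=WINDOW, min_services=MIN_SERVICES):
    """Map each account to the services it got RC4 tickets for, when at least
    min_services distinct services were requested within one window."""
    hits_by_account = defaultdict(list)
    for ev in events:
        service = ev["ServiceName"]
        if int(ev["Status"], 16) != 0:
            continue                      # failed request, no ticket issued
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue                      # only RC4-encrypted tickets are of interest
        if service.lower() == "krbtgt" or service.endswith("$"):
            continue                      # skip krbtgt and machine accounts
        when = datetime.fromisoformat(ev["time"])
        hits_by_account[ev["TargetUserName"]].append((when, service))

    flagged = defaultdict(set)
    for account, hits in hits_by_account.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                # slide the window forward
            in_window = {svc for _, svc in hits[start:end + 1]}
            if len(in_window) >= min_services:
                flagged[account] |= in_window
    return {account: sorted(svcs) for account, svcs in flagged.items()}

if __name__ == "__main__":
    for account, services in find_rc4_bursts(SAMPLE_EVENTS).items():
        print(f"{account}: RC4 tickets for {', '.join(services)}")
```

Once RC4 is disabled for service accounts, any remaining hit from this check points at an account or service that still negotiates the weak encryption type.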
Real-Life Example
Kerberoasting has been a key method for lateral movement in real-world breaches. It requires only domain user access and no special privileges.
TL;DR
- Service: Kerberos (Authentication Protocol)
- Default Port: 88/TCP
- Risks: Authentication bypass, credential theft
- Mitigation: Apply patches, monitor authentication logs, enforce strong policies