HackTricks
Search…
Pentesting
Powered By GitBook
88tcp/udp - Pentesting Kerberos

Basic Information

Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access. Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
Default Port: 88/tcp/udp
1
PORT STATE SERVICE
2
88/tcp open kerberos-sec
Copied!

To learn how to abuse Kerberos you should read the post about Active Directory.

More

Shodan

    port:88 kerberos

MS14-068

Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token (Kerberos Ticket Granting Ticket, TGT, ticket) by adding the false statement that the user is a member of Domain Admins (or other sensitive group) and the Domain Controller (DC) will validate that (false) claim enabling attacker improper access to any domain (in the AD forest) resource on the network.
Kerberos Vulnerability in MS14-068 (KB3011780) Explained
Active Directory Security

HackTricks Automatic Commands

1
Protocol_Name: Kerberos #Protocol Abbreviation if there is one.
2
Port_Number: 88 #Comma separated if there is more than one.
3
Protocol_Description: AD Domain Authentication #Protocol Abbreviation Spelled out
4
5
Entry_1:
6
Name: Notes
7
Description: Notes for Kerberos
8
Note: |
9
Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
10
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
11
12
https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
13
14
Entry_2:
15
Name: Pre-Creds
16
Description: Brute Force to get Usernames
17
Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}
18
19
Entry_3:
20
Name: With Usernames
21
Description: Brute Force with Usernames and Passwords
22
Note: consider git clonehttps://github.com/ropnop/kerbrute.git ./kerbrute -h
23
24
Entry_4:
25
Name: With Creds
26
Description: Attempt to get a list of user service principal names
27
Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs
Copied!
Last modified 2mo ago