Port 88 – Kerberos

How to enumerate port 88 (Kerberos)


Kerberos is a protocol that is used for network authentication. Various versions are used by *nix and Windows. But if you notice a machine with port 88 (Kerberos ) open you can be fairly sure that it is a Domain Controller.
So, if you already have login credentials to any user of that domain you might be able to escalate that privilege.

Kerberos Domain User Enumeration (Nmap):

Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm=’<domain>’,userdb=/root/Desktop/usernames.txt <IP>

Kerberos Domain User Enumeration (Python script):

Kerberos accounts enumeration taking advantage of AS-REQ.



  • Python 3
  • pip install asn1crypto
./Enum.py --file=/tmp/users --dcip= --domain=DOMAINNAME --port=88

Kerberos Domain User Enumeration (Metasploit):

use auxiliary/gather/kerberos_enumusers (Domain: test.local)
msf auxiliary(kerberos_enumusers) > set domain test.local
msf auxiliary(kerberos_enumusers) > set rhost
msf auxiliary(kerberos_enumusers) > set user_file /root/Desktop/users
msf auxiliary(kerberos_enumusers) > exploit

MS14-068 Microsoft Kerberos Checksum Validation Vulnerability:

This exploit enables an attacker to become a Domain Administrator with any user account.

Check if the target is vulnerable:


[email protected]:~/Responder# python FindSMB2UPTime.py
DC is up since: 2014-10-19 19:32:23
This DC is vulnerable to MS14-068



1 Comment
  1. Ahmed M. Elhebashi says

    Very interesting!!

Leave A Reply

Your email address will not be published.