Port 88 – Kerberos

How to enumerate port 88 (Kerberos)

Kerberos is a network authentication protocol. Various versions are used by *nix and Windows, but if you notice a machine with port 88 (Kerberos) open, you can be fairly sure that it is a Domain Controller.
So, if you already have login credentials for any user of that domain, you might be able to escalate that privilege.

Kerberos Domain User Enumeration (Nmap):

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>

Kerberos Domain User Enumeration (Python script):

Kerberos accounts enumeration taking advantage of AS-REQ.

https://github.com/QAX-A-Team/KerberosUserEnum

Requirements:

  • Python 3
  • pip install asn1crypto

./Enum.py --file=/tmp/users --dcip=192.168.1.101 --domain=DOMAINNAME --port=88

Kerberos Domain User Enumeration (Metasploit):

use auxiliary/gather/kerberos_enumusers (Domain: test.local)
msf auxiliary(kerberos_enumusers) > set domain test.local
msf auxiliary(kerberos_enumusers) > set rhost 192.168.1.101
msf auxiliary(kerberos_enumusers) > set user_file /root/Desktop/users
msf auxiliary(kerberos_enumusers) > exploit
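
On the defensive side, AS-REQ username guessing shows up on the Domain Controller as event 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) when failure auditing for the Kerberos Authentication Service is enabled. The detection sketch below is an added example, not code from the original post or the linked tools; the CSV layout, the threshold and the sample events are assumptions constructed for illustration, and events are assumed to be in time order.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real data): a hypothetical, simplified CSV export of
# Security-log event 4768 as time,event_id,client_ip,account,result_code.
SAMPLE = """\
2024-05-01T10:00:00,4768,10.0.0.50,alice,0x0
2024-05-01T10:00:05,4768,10.0.0.50,alcie,0x6
2024-05-01T10:01:00,4768,10.0.0.66,admin,0x6
2024-05-01T10:01:01,4768,10.0.0.66,backup,0x6
2024-05-01T10:01:02,4768,10.0.0.66,svc_sql,0x6
2024-05-01T10:01:03,4768,10.0.0.66,test,0x6
2024-05-01T10:01:04,4768,10.0.0.66,guest1,0x6
2024-05-01T10:01:05,4768,10.0.0.66,helpdesk,0x6
2024-05-01T10:02:00,4768,10.0.0.51,oldsvc,0x6
2024-05-01T10:02:01,4768,10.0.0.51,oldsvc,0x6
2024-05-01T10:02:02,4768,10.0.0.51,oldsvc,0x6
2024-05-01T10:02:03,4768,10.0.0.51,oldsvc,0x6
2024-05-01T10:02:04,4768,10.0.0.51,oldsvc,0x6
2024-05-01T10:30:00,4768,10.0.0.50,bobb,0x6
"""

UNKNOWN_PRINCIPAL = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN

def find_enumeration(text, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak count of distinct unknown account names seen
    inside one sliding window, for IPs that reach the threshold."""
    recent = defaultdict(deque)   # per-IP queue of (time, name) in the window
    flagged = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue              # skip blank or malformed lines
        ts, event_id, ip, account, code = row
        if event_id != "4768" or int(code, 16) != UNKNOWN_PRINCIPAL:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, account.lower()))
        while now - q[0][0] > window:
            q.popleft()           # drop events older than the window
        distinct = len({name for _, name in q})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

Counting distinct names rather than raw failures keeps a single stale service account (10.0.0.51 in the sample) or an occasional typo from triggering the alert.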

MS14-068 Microsoft Kerberos Checksum Validation Vulnerability:

This exploit enables an attacker with any user account to become a Domain Administrator.

Check if the target is vulnerable:

https://github.com/SpiderLabs/Responder/blob/master/tools/FindSMB2UPTime.py

~/Responder# python FindSMB2UPTime.py 192.168.1.101
DC is up since: 2014-10-19 19:32:23
This DC is vulnerable to MS14-068

Exploits:

https://www.rapid7.com/db/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
1 Comment
  1. Ahmed M. Elhebashi says

    Very interesting!!
