EN
Русский
TCP
Dangerous
Directory
Port 88 (Kerberos)
Learn about port 88 (Kerberos) - security risks, vulnerabilities, and common uses. Find devices with port 88 open.
Quick Info
Port Number
88
Protocol
TCP
Service
Kerberos
IANA Name
Kerberos
Service Description
Network port 88 (TCP) is the standard port for the Kerberos authentication protocol. Kerberos is a network authentication protocol that allows clients and servers to authenticate each other securely using secret-key cryptography. It was developed at MIT in the 1980s to address authentication challenges in distributed computing environments. The core principle is to avoid transmitting passwords over the network; instead, it relies on a trusted third party, the Key Distribution Center (KDC), to mediate authentication. The protocol uses tickets and authenticators to prove identity. A client requests a Ticket-Granting Ticket (TGT) from the KDC's Authentication Server (AS). This TGT is encrypted with the KDC's secret key and can be used to obtain service tickets from the KDC's Ticket-Granting Service (TGS). These service tickets are then presented to the target service for authentication. The client and server share a session key established during the authentication process, enabling secure communication. Kerberos provides mutual authentication, ensuring both the client and server are who they claim to be.
## Firewall Recommendations
Port 88 (TCP) should generally be allowed within the internal network, as it is essential for Kerberos authentication to function correctly. Blocking it will disrupt authentication services and prevent users from accessing resources that rely on Kerberos. However, it should almost always be blocked from external networks to prevent unauthorized access to the KDC. If external access is absolutely necessary, it should be secured with strong encryption, access controls, and intrusion detection/prevention systems. Regular security audits and patching of Kerberos implementations are crucial. Network segmentation can limit the impact of a compromised KDC. Monitoring for suspicious Kerberos activity, such as unusual ticket requests or failed authentication attempts, is also recommended.
## Firewall Recommendations
Port 88 (TCP) should generally be allowed within the internal network, as it is essential for Kerberos authentication to function correctly. Blocking it will disrupt authentication services and prevent users from accessing resources that rely on Kerberos. However, it should almost always be blocked from external networks to prevent unauthorized access to the KDC. If external access is absolutely necessary, it should be secured with strong encryption, access controls, and intrusion detection/prevention systems. Regular security audits and patching of Kerberos implementations are crucial. Network segmentation can limit the impact of a compromised KDC. Monitoring for suspicious Kerberos activity, such as unusual ticket requests or failed authentication attempts, is also recommended.
Security Information
Kerberos, while robust, is not immune to security vulnerabilities. The most significant risk lies in the compromise of the KDC. If the KDC's secret key is compromised, attackers can forge tickets and impersonate any user or service within the Kerberos realm. Pass-the-Ticket (PtT) attacks are a common threat, where attackers steal valid Kerberos tickets and use them to gain unauthorized access to resources. Kerberoasting is another attack vector where attackers request service tickets for various services, crack the service account password offline, and then use the compromised service account to access sensitive data. Misconfigurations, weak encryption algorithms, and outdated Kerberos implementations can also introduce vulnerabilities. Because Kerberos is so crucial for authentication in many enterprise environments, it makes it a high-value target for attackers seeking to move laterally and gain control of critical systems.
Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2017-14943 | MIT Kerberos 5 krb5_get_init_creds_password integer overflow | High | Integer overflow in krb5_get_init_creds_password in MIT Kerberos 5 (krb5) before 1.15.2 and 1.16 before 1.16.1 allows attackers to cause a denial of service (application crash) via a long password. |
| CVE-2020-2571 | Samba AD DC Kerberos privilege escalation | Critical | A flaw in the Kerberos PAC verification code in Samba AD DC allows a malicious actor to forge PACs and elevate privileges to that of Domain Admin. |
| CVE-2021-36741 | Heimdal: Integer overflow in krb5_encode_krb5_key_data | Medium | Integer overflow in krb5_encode_krb5_key_data in MIT Kerberos 5 (krb5) before 1.18.3 and 1.19 before 1.19.1 allows remote attackers to cause a denial of service (application crash) via a crafted UDP packet. |
| CVE-2023-36408 | Windows Kerberos Security Feature Bypass Vulnerability | Important | A security feature bypass vulnerability exists in Windows Kerberos, allowing an attacker to bypass security features. |
Common Software
- Microsoft Active Directory
- MIT Kerberos
- Heimdal Kerberos
- FreeIPA
- Red Hat Directory Server
- Apple Open Directory
- OpenLDAP (with Kerberos SASL)
- Samba (for domain authentication)
Find all devices with port 88 open
ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.
Start Mass Scanning