# Port 88 (Kerberos)
Security risks, known vulnerabilities, and common uses of port 88, the Kerberos Key Distribution Center port.
## Quick Info
Port Number: 88
Protocol: UDP (IANA assigns port 88 for both UDP and TCP, and both are used)
Service: Kerberos
IANA Name: kerberos
## Service Description
Port 88 is the standard port for the Kerberos Key Distribution Center (KDC). IANA assigns it for both UDP and TCP, and both are used in practice: a client may start over UDP and must retry over TCP when the KDC answers with KRB_ERR_RESPONSE_TOO_BIG (error code 52), and Windows Vista and later use TCP by default. Kerberos is a network authentication protocol that uses secret-key cryptography to let clients and services prove their identity to each other without ever sending a password across the network; timestamps inside the encrypted authenticators, together with replay caches on the KDC and on services, limit the replay of captured messages. The protocol was developed at MIT in the 1980s as part of Project Athena, is the default authentication protocol in Microsoft Active Directory domains, and is widely used in other enterprise and Unix environments.
At a technical level, Kerberos relies on a trusted third party, the KDC. The KDC comprises two logical services: the Authentication Server (AS) and the Ticket Granting Server (TGS). A client first authenticates to the AS (AS-REQ/AS-REP) to obtain a Ticket-Granting Ticket (TGT), which is encrypted under the key of the krbtgt principal. It then presents the TGT to the TGS (TGS-REQ/TGS-REP) to obtain a service ticket for the specific service it wants to use. Finally it presents that service ticket to the target service in an AP-REQ, so it does not have to re-authenticate to the KDC for every connection. That last exchange travels inside the application protocol (SMB, LDAP, HTTP, and so on), not over port 88: what a KDC sends and receives on port 88 is the AS and TGS exchanges and the KRB-ERROR replies to them. Over TCP each message is prefixed with a four-byte big-endian length; over UDP the datagram carries the bare ASN.1 message. In Active Directory every domain controller runs the KDC, so every domain controller listens on port 88.
## Firewall Recommendations
Port 88 should be reachable only from the networks and hosts that need to authenticate against the KDC, and only toward the KDC hosts themselves (domain controllers or dedicated Kerberos servers). Allow both TCP and UDP 88: clients fall back from UDP to TCP for large responses, and modern Windows clients use TCP from the start. KDCs do not initiate Kerberos traffic toward clients, so inbound rules on the KDC are sufficient, and there is no reason to expose port 88 to the Internet. Blocking the port entirely prevents clients from obtaining tickets and effectively disables every service that relies on Kerberos, so segment rather than block: for example, permit workstation and server subnets to reach the domain controllers on 88/tcp and 88/udp and deny everything else (password changes use the separate kpasswd service on port 464). Monitor traffic to the KDC for bursts of failed pre-authentication and for unusual ticket requests, keep the KDC software patched, harden the KDC hosts themselves (a compromised KDC compromises the whole realm), and consider intrusion detection and prevention on the segments that carry port 88 traffic.
## Security Information
Kerberos is a strong authentication protocol, but the KDC and the keys behind it are high-value targets, and several attack classes need no protocol flaw at all. Common attack vectors include:
- Password guessing: with pre-authentication enabled (the default), every wrong guess sent in an AS-REQ is answered by a KRB-ERROR with code KDC_ERR_PREAUTH_FAILED (24) and is logged by the KDC (on Windows domain controllers as event 4771), so online guessing is noisy but still succeeds against weak passwords and accounts without lockout. Accounts configured not to require pre-authentication let an attacker obtain an AS-REP for them with no credential and crack it offline (AS-REP roasting). Likewise, any authenticated principal can request a service ticket for any registered service principal name and crack it offline to recover the service account's password (Kerberoasting), which is cheapest when the ticket is issued with RC4.
- Golden Ticket attacks: an attacker who obtains the key of the krbtgt principal, typically by dumping the domain database from a compromised domain controller, can forge TGTs for any user with any group membership. The forged tickets are accepted throughout the realm until the krbtgt key has been changed twice, because the KDC also honours tickets under the previous key.
- Silver Ticket attacks: an attacker who obtains a specific service account's key can forge service tickets for that service. Because the forged ticket is never requested from the KDC, nothing about it appears in KDC logs or on port 88.
- Replay and clock skew: authenticators carry timestamps, and KDCs and services reject messages outside the permitted clock skew (five minutes by default) and keep replay caches. Unsynchronised clocks either break authentication or, when the tolerance is widened to compensate, enlarge the replay window.
- Traffic capture: port 88 traffic is not encrypted as a whole. An attacker on the path sees principal names, realms and service names in the clear, and the encrypted pre-authentication timestamps and tickets can be cracked offline when the underlying password is weak or the encryption type is RC4 or DES. Vulnerabilities in a specific KDC implementation (see below) are reachable by anyone who can send a packet to port 88.
- Misconfiguration: weak encryption types left enabled, service accounts with long-lived weak passwords, overly wide clock skew tolerance and missing auditing all increase the chance that one of the attacks above succeeds unnoticed.
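The AS/TGS exchange described in the service description and the pre-authentication guessing described above, as an added Python example that is not part of this page or of any Kerberos implementation: it recognises the RFC 4120 message types by their outer ASN.1 APPLICATION tag, strips the four-byte length prefix Kerberos uses over TCP, pulls the error-code field out of a KRB-ERROR, and counts KDC_ERR_PREAUTH_FAILED (24) replies per client over a constructed capture, which is the on-the-wire equivalent of watching for a burst of event 4771 on a domain controller. The small DER helpers, the client addresses, the realm EXAMPLE.COM, the fixed timestamp and the threshold of five failures are assumptions of the example.

```python
"""Port-88 traffic triage: classify Kerberos messages and flag pre-auth password guessing.
Added example for this page, not code from any Kerberos implementation; all traffic below
is constructed inline with the small DER helpers defined here."""
import struct
from collections import Counter

# Outer ASN.1 tags (class APPLICATION, constructed) of the RFC 4120 message types.
KRB_MSG_TYPES = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ", 0x6D: "TGS-REP",
                 0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}
KDC_ERR_PREAUTH_FAILED = 24     # wrong password in the encrypted-timestamp pre-auth
KDC_ERR_PREAUTH_REQUIRED = 25   # first reply to an AS-REQ that carried no pre-auth


def der_tlv(tag, value):
    """Encode one DER TLV (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(v):
    """DER INTEGER (two's complement, minimal length)."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, next_pos). Single-byte tags only,
    which covers every tag Kerberos uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read_tlv(value, pos)
        yield tag, inner


def unwrap_tcp(stream):
    """Over TCP each Kerberos message is prefixed with a 4-byte big-endian length
    (RFC 4120 section 7.2.2); over UDP the datagram is the bare message."""
    msgs, pos = [], 0
    while pos + 4 <= len(stream):
        (n,) = struct.unpack("!I", stream[pos:pos + 4])
        msgs.append(stream[pos + 4:pos + 4 + n])
        pos += 4 + n
    return msgs


def classify(msg):
    """Message type name from the outer tag, or None for non-Kerberos bytes."""
    return KRB_MSG_TYPES.get(msg[0]) if msg else None


def krb_error_code(msg):
    """error-code is field [6] of KRB-ERROR ::= [APPLICATION 30] SEQUENCE { ... }."""
    if classify(msg) != "KRB-ERROR":
        return None
    _, app_value, _ = der_read_tlv(msg)     # [APPLICATION 30] wraps a SEQUENCE
    _, seq, _ = der_read_tlv(app_value)
    for tag, field in der_children(seq):
        if tag == 0xA6:                     # context tag [6] wraps the INTEGER
            _, integer, _ = der_read_tlv(field)
            return int.from_bytes(integer, "big", signed=True)
    return None


def build_krb_error(code, realm=b"EXAMPLE.COM"):
    """Constructed KRB-ERROR with only the mandatory fields (realm is an assumption)."""
    sname = der_tlv(0x30, der_tlv(0xA0, der_int(2)) +      # name-type NT-SRV-INST
                    der_tlv(0xA1, der_tlv(0x30, der_tlv(0x1B, b"krbtgt") + der_tlv(0x1B, realm))))
    body = (der_tlv(0xA0, der_int(5)) +                         # pvno [0]
            der_tlv(0xA1, der_int(30)) +                        # msg-type [1] = KRB-ERROR
            der_tlv(0xA4, der_tlv(0x18, b"20240101000000Z")) +  # stime [4] KerberosTime
            der_tlv(0xA5, der_int(0)) +                         # susec [5]
            der_tlv(0xA6, der_int(code)) +                      # error-code [6]
            der_tlv(0xA9, der_tlv(0x1B, realm)) +               # realm [9]
            der_tlv(0xAA, sname))                               # sname [10] krbtgt/REALM
    return der_tlv(0x7E, der_tlv(0x30, body))


def flag_preauth_guessing(records, threshold=5):
    """records: (client_ip, transport, payload) as seen on the KDC's port 88. A client that
    collects many PREAUTH_FAILED replies is guessing passwords. Threshold is an assumption."""
    failures = Counter()
    for client, transport, payload in records:
        for m in unwrap_tcp(payload) if transport == "tcp" else [payload]:
            if krb_error_code(m) == KDC_ERR_PREAUTH_FAILED:
                failures[client] += 1
    return sorted(c for c, n in failures.items() if n >= threshold)


def sample_traffic():
    """Constructed capture: a normal client gets PREAUTH_REQUIRED once; a guessing client
    collects seven PREAUTH_FAILED replies, three over UDP and four inside one TCP stream."""
    # Minimal AS-REQ header (pvno [1], msg-type [2]); a real request also carries req-body.
    as_req = der_tlv(0x6A, der_tlv(0x30, der_tlv(0xA1, der_int(5)) + der_tlv(0xA2, der_int(10))))
    failed = build_krb_error(KDC_ERR_PREAUTH_FAILED)
    tcp_stream = b"".join(struct.pack("!I", len(failed)) + failed for _ in range(4))
    return ([("10.0.0.5", "udp", as_req),
             ("10.0.0.5", "udp", build_krb_error(KDC_ERR_PREAUTH_REQUIRED))]
            + [("10.0.0.77", "udp", failed)] * 3
            + [("10.0.0.77", "tcp", tcp_stream)])


if __name__ == "__main__":
    for client, transport, payload in sample_traffic():
        for m in unwrap_tcp(payload) if transport == "tcp" else [payload]:
            print(client, transport, classify(m), krb_error_code(m))
    print("guessing from:", flag_preauth_guessing(sample_traffic()))
```

Only the outer tag and the error-code field are decoded; everything else in the message is skipped by the TLV walker, which is what makes the same code work for a real capture where the KRB-ERROR carries e-text and e-data as well. A single PREAUTH_REQUIRED (25) per client is normal, since it is how the KDC tells a client to retry with pre-authentication; repeated PREAUTH_FAILED (24) to one address is the signal.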
## Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2017-14943 | krb5 NULL pointer dereference in krb5_klog_syslog | Medium | MIT Kerberos 5 (aka krb5) before 1.15.4 and 1.16 before 1.16.1 has a NULL pointer dereference in krb5_klog_syslog in klog.c. |
| CVE-2021-37750 | krb5 KDC crash (policy cache) | Medium | MIT Kerberos 5 (krb5) before 1.18.3 and 1.19 before 1.19.1 has a KDC crash related to an attempted duplicate entry in the global policy cache. |
## Common Software
KDC implementations that listen on port 88:
- Microsoft Active Directory (the KDC runs on every domain controller)
- MIT Kerberos (krb5kdc)
- Heimdal Kerberos
- FreeIPA (MIT krb5 KDC with an LDAP back end)
Related software that does not itself listen on port 88:
- Red Hat Directory Server and OpenLDAP (LDAP back ends that can hold KDC principal data)
- Apache Hadoop (a Kerberos client and service, not a KDC)