Port reference
Port 88 (TCP/UDP) – Kerberos
Kerberos authentication — the ticket-granting protocol at the heart of Active Directory.
Default state
Open on every Active Directory domain controller. Should never be exposed to the internet.
Common attacks
- Kerberoasting of service account tickets
- AS-REP roasting of accounts without pre-authentication
- Golden and silver ticket forgery
- Pass-the-ticket and overpass-the-hash
Hardening
- Use long, random passwords for service accounts (gMSA where possible)
- Require Kerberos pre-authentication on all accounts
- Rotate the krbtgt account password regularly (two resets each time, with a gap between them)
- Monitor for anomalous TGS requests and encryption downgrades (RC4)
- Never expose 88 to the internet — keep DCs internal
nmap snippet
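nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=<realm> <target>
Replace <target> with the host or range you're authorized to scan and <realm> with the Kerberos realm of that domain; the script does not run without the realm argument.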
What runs on port 88?
Port 88 is the default for Kerberos, the network authentication protocol that underpins Active Directory. Every domain controller listens here to handle Authentication Service (AS) and Ticket-Granting Service (TGS) exchanges — issuing the ticket-granting tickets (TGTs) and service tickets that let users and computers prove their identity without sending passwords across the wire. It uses both UDP and TCP 88, falling back to TCP for large tickets.
Why it matters for security
Kerberos is the trust backbone of a Windows domain, so weaknesses here translate directly into domain compromise. Service tickets are encrypted with the target account's password hash, meaning any authenticated user can request tickets and crack weak passwords offline — no lockout, no logging on the target. And because the krbtgt account signs all tickets, an attacker who steals its hash can mint golden tickets that grant arbitrary access until the key is rotated.
How it's attacked
Kerberoasting requests TGS tickets for service accounts and cracks the RC4 or AES blobs offline to recover passwords. AS-REP roasting targets accounts that have pre-authentication disabled, harvesting crackable AS-REP responses. With the krbtgt hash an attacker forges golden tickets; with a service account hash, silver tickets. Stolen tickets are reused via pass-the-ticket.
Hardening checklist
Give every service account a long, random password — or better, a group Managed Service Account (gMSA) — so offline cracking fails. Require pre-authentication everywhere to kill AS-REP roasting. Rotate the krbtgt password (twice, with a gap) on a schedule and after any suspected compromise. Disable RC4 in favor of AES, and alert on bursts of TGS requests or encryption downgrades. The nmap script above enumerates valid principals on domains you are authorized to test.
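One way to implement the "alert on bursts of TGS requests or encryption downgrades" item, added here as an example and not part of the original reference. It assumes records exported from Security event 4769 (fields TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the sample rows are constructed, and the window and threshold are assumed values to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # TicketEncryptionType for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=2)   # assumed burst window; tune to your baseline
MIN_SERVICES = 4                # assumed distinct-service threshold per window

# Constructed rows: time, TargetUserName, ServiceName, TicketEncryptionType, IpAddress
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "alice@CORP.EXAMPLE", "FILESRV01$", "0x12", "10.0.0.21"),
    ("2024-05-01T09:05:00", "bob@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.37"),
    ("2024-05-01T09:05:04", "bob@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.37"),
    ("2024-05-01T09:05:09", "bob@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.0.37"),
    ("2024-05-01T09:05:15", "bob@CORP.EXAMPLE", "svc_report", "0x17", "10.0.0.37"),
    ("2024-05-01T09:30:00", "alice@CORP.EXAMPLE", "svc_web", "0x12", "10.0.0.21"),
    ("2024-05-01T10:00:00", "dave@CORP.EXAMPLE", "svc_legacy", "0x17", "10.0.0.60"),
]

def parse(rows):
    """Normalise raw rows into dicts with typed time and encryption fields."""
    return [dict(time=datetime.fromisoformat(t), user=u.lower(), service=s,
                 etype=int(x, 16), ip=ip) for t, u, s, x, ip in rows]

def rc4_downgrades(events):
    """RC4 service tickets for user-backed services (machine accounts, krbtgt skipped)."""
    return [e for e in events if e["etype"] == RC4_HMAC
            and not e["service"].endswith("$") and e["service"].lower() != "krbtgt"]

def tgs_bursts(events, window=WINDOW, threshold=MIN_SERVICES):
    """Map each account to its peak count of distinct services within one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["time"] - evs[start]["time"] > window:
                start += 1          # slide the window forward
            distinct = len({e["service"] for e in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[user] = max(distinct, alerts.get(user, 0))
    return alerts

if __name__ == "__main__":
    events = parse(SAMPLE_EVENTS)
    for e in rc4_downgrades(events):
        print("RC4 ticket:", e["user"], "->", e["service"], "from", e["ip"])
    print("TGS bursts:", tgs_bursts(events))
```

A single RC4 ticket (dave in the sample) is worth a look once RC4 is disabled domain-wide; the burst rule catches the same account sweeping many service accounts regardless of encryption type.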
Frequently asked questions
- What is port 88 used for?
- Port 88 is the Kerberos authentication service used by Active Directory domain controllers to issue and validate authentication and ticket-granting tickets (TGTs).
- Why is Kerberos a target for attackers?
- Kerberos tickets can be cracked offline (Kerberoasting, AS-REP roasting) or forged (golden/silver tickets), letting attackers escalate privileges and persist across an AD domain.