# checker-kerberos

happyDomain checker that audits a Kerberos realm from its DNS records.

Starting from the realm name (or from the SRV records grouped under the
`abstract.Kerberos` service), the checker performs a series of
anonymous probes, and an optional authenticated round-trip when
credentials are supplied, to give a complete picture of the realm's
availability and security posture.
## What gets checked

- SRV layout: `_kerberos._tcp.`, `_kerberos._udp.`, `_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`, `_kpasswd._udp.`.
- Forward resolution of every SRV target (A + AAAA).
- TCP reachability of each KDC / kadmin / kpasswd host.
- UDP reachability of the KDC via a real AS-REQ.
- Anonymous AS-REQ probe: realm confirmation, supported enctypes (from `ETYPE-INFO2`), PKINIT hint (`PA-PK-AS-REQ`), clock skew.
- Weak enctype detection (DES / RC4).
- Optional authenticated round-trip when `principal` and `password` are supplied: TGT acquisition, then a TGS-REQ for `targetService`.
The HTML report surfaces the most common misconfigurations with a direct remediation hint:
| Failure | Hint |
|---|---|
| No SRV records | publish _kerberos._tcp.REALM. SRV … |
| SRV target DNS failure | add A/AAAA for the target |
| Port 88 unreachable | open TCP+UDP 88 inbound |
| Clock skew > max | run ntpd/chrony |
| Weak enctypes only | switch to aes256-cts-hmac-sha1-96 |
| Wrong realm in reply | fix default_realm / realm config |
| AS-REP roasting exposure | enable requires_preauth |
## Rules

| Code | Description | Severity |
|---|---|---|
| `kerberos.srv_present` | Verifies that at least one `_kerberos._tcp` / `_kerberos._udp` SRV record is published for the realm. | CRITICAL |
| `kerberos.kdc_reachable` | Verifies that at least one KDC endpoint (TCP/UDP 88) accepts a connection. | CRITICAL |
| `kerberos.as_probe` | Verifies that the anonymous AS-REQ probe received a sane reply (KRB-ERROR or AS-REP). | CRITICAL |
| `kerberos.realm_match` | Verifies the KDC answers for the expected realm name. | CRITICAL |
| `kerberos.preauth_required` | Flags KDCs that return an AS-REP without requiring pre-authentication (AS-REP roasting exposure). | WARNING |
| `kerberos.clock_skew` | Verifies the KDC clock is within tolerance of the checker's clock. | CRITICAL |
| `kerberos.enctypes` | Reviews the encryption types advertised by the KDC, flagging DES/RC4-only configurations. | CRITICAL |
| `kerberos.kadmin_reachable` | Flags kadmin endpoints that are published via SRV but not reachable. | WARNING |
| `kerberos.kpasswd_reachable` | Flags kpasswd endpoints that are published via SRV but not reachable. | WARNING |
| `kerberos.auth_tgt` | Verifies the supplied principal/password can obtain a TGT (only runs when credentials are supplied). | CRITICAL |
| `kerberos.auth_tgs` | Verifies a TGS-REQ succeeds for the supplied target service (only runs when credentials and `targetService` are supplied). | WARNING |
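The anonymous AS-REQ probe and the rules it feeds (`kerberos.as_probe`, `kerberos.realm_match`, `kerberos.preauth_required`, `kerberos.clock_skew`, `kerberos.enctypes`) all hinge on decoding the KDC's reply. The Go program below is an added example written for this README, not the checker's own code: it decodes a KRB-ERROR with the standard library's `encoding/asn1`, reads realm, error code and server time, extracts the `ETYPE-INFO2` and `PA-PK-AS-REQ` hints from e-data, and turns them into the verdicts above; an AS-REP to a request that carried no pre-authentication is reported as roastable. The type and function names (`KRBError`, `Probe`, `Assess`, `sampleKRBError`), the 5-minute skew limit and the sample reply are assumptions for the example; the sample is constructed in-process, so nothing talks to a real KDC.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"time"
)

// Message tags, error codes and PA-DATA types from RFC 4120 and RFC 4556.
const (
	tagASRep, tagKRBError                   = 11, 30
	kdcErrPreauthRequired, kdcErrWrongRealm = 25, 68
	paEncTimestamp, paPKASReq, paETypeInfo2 = 2, 16, 19
)

// Single-DES and RC4 enctype numbers (RFC 3961, RFC 4757): the weak set.
var weakETypes = map[int]bool{1: true, 2: true, 3: true, 23: true, 24: true, -128: true}

// Kerberos ASN.1 uses EXPLICIT tags throughout. KerberosString is GeneralString on the wire,
// which encoding/asn1 decodes into string (it marshals PrintableString, fine for the sample below).
type PrincipalName struct {
	NameType   int      `asn1:"explicit,tag:0"`
	NameString []string `asn1:"explicit,tag:1"`
}

type KRBError struct { // [APPLICATION 30] SEQUENCE, RFC 4120 section 5.9.1
	PVNO      int           `asn1:"explicit,tag:0"`
	MsgType   int           `asn1:"explicit,tag:1"`
	CTime     time.Time     `asn1:"explicit,optional,generalized,tag:2"`
	Cusec     int           `asn1:"explicit,optional,tag:3"`
	STime     time.Time     `asn1:"explicit,generalized,tag:4"`
	Susec     int           `asn1:"explicit,tag:5"`
	ErrorCode int           `asn1:"explicit,tag:6"`
	CRealm    string        `asn1:"explicit,optional,tag:7"`
	CName     PrincipalName `asn1:"explicit,optional,tag:8"`
	Realm     string        `asn1:"explicit,tag:9"`
	SName     PrincipalName `asn1:"explicit,tag:10"`
	EText     string        `asn1:"explicit,optional,tag:11"`
	EData     []byte        `asn1:"explicit,optional,tag:12"` // METHOD-DATA when error-code is 25
}

type PAData struct { // note: PA-DATA uses tags [1] and [2]
	Type  int    `asn1:"explicit,tag:1"`
	Value []byte `asn1:"explicit,tag:2"`
}

type ETypeInfo2Entry struct {
	EType     int    `asn1:"explicit,tag:0"`
	Salt      string `asn1:"explicit,optional,tag:1"`
	S2KParams []byte `asn1:"explicit,optional,tag:2"`
}

// Probe summarises one anonymous AS-REQ reply in the terms the rules table uses.
type Probe struct {
	Realm                                                                  string
	RealmMatches, PreauthRequired, ASRepRoastable, PKINIT, WeakOnly, SkewOK bool
	ETypes                                                                 []int
	Skew                                                                   time.Duration
}

// Assess decodes the KDC's reply to an AS-REQ that carried no pre-authentication data.
func Assess(reply []byte, expectedRealm string, now time.Time, maxSkew time.Duration) (Probe, error) {
	var p Probe
	var outer asn1.RawValue // peek at the outer [APPLICATION n] tag: AS-REP is 11, KRB-ERROR is 30
	if _, err := asn1.Unmarshal(reply, &outer); err != nil || outer.Class != asn1.ClassApplication {
		return p, fmt.Errorf("not a Kerberos message (err=%v, class=%d)", err, outer.Class)
	}
	if outer.Tag == tagASRep { // no pre-auth demanded: enc-part under the long-term key, offline-crackable
		p.ASRepRoastable = true
		return p, nil
	}
	var ke KRBError
	if _, err := asn1.UnmarshalWithParams(reply, &ke, "application,explicit,tag:30"); err != nil {
		return p, fmt.Errorf("decoding KRB-ERROR: %w", err)
	}
	p.Realm, p.PreauthRequired = ke.Realm, ke.ErrorCode == kdcErrPreauthRequired
	p.RealmMatches = ke.ErrorCode != kdcErrWrongRealm && ke.Realm == expectedRealm // on 68 the realm is a referral
	if p.Skew = ke.STime.Sub(now); p.Skew < 0 {
		p.Skew = -p.Skew
	}
	p.SkewOK = p.Skew <= maxSkew
	if !p.PreauthRequired || len(ke.EData) == 0 {
		return p, nil
	}
	var method []PAData // e-data of error 25 is METHOD-DATA: the PA types the KDC accepts
	if _, err := asn1.Unmarshal(ke.EData, &method); err != nil {
		return p, fmt.Errorf("decoding METHOD-DATA: %w", err)
	}
	for _, pa := range method {
		switch pa.Type {
		case paPKASReq: // the KDC advertises PKINIT
			p.PKINIT = true
		case paETypeInfo2:
			var entries []ETypeInfo2Entry
			if _, err := asn1.Unmarshal(pa.Value, &entries); err != nil {
				return p, fmt.Errorf("decoding ETYPE-INFO2: %w", err)
			}
			p.WeakOnly = len(entries) > 0
			for _, e := range entries {
				p.ETypes = append(p.ETypes, e.EType)
				p.WeakOnly = p.WeakOnly && weakETypes[e.EType]
			}
		}
	}
	return p, nil
}

// sampleKRBError is a constructed KDC_ERR_PREAUTH_REQUIRED reply so the decoder can run offline.
func sampleKRBError(realm string, stime time.Time, etypes []int, pkinit bool) []byte {
	var entries []ETypeInfo2Entry
	for _, e := range etypes {
		entries = append(entries, ETypeInfo2Entry{EType: e, Salt: realm + "probe"})
	}
	info2, _ := asn1.Marshal(entries) // cannot fail for these values
	method := []PAData{{Type: paEncTimestamp}, {Type: paETypeInfo2, Value: info2}}
	if pkinit {
		method = append(method, PAData{Type: paPKASReq})
	}
	edata, _ := asn1.Marshal(method)
	raw, err := asn1.MarshalWithParams(KRBError{
		PVNO: 5, MsgType: tagKRBError, STime: stime.UTC(), ErrorCode: kdcErrPreauthRequired, Realm: realm,
		SName: PrincipalName{NameType: 2, NameString: []string{"krbtgt", realm}}, EData: edata,
	}, "application,explicit,tag:30")
	if err != nil {
		panic(err)
	}
	return raw
}

func main() {
	now := time.Now()
	reply := sampleKRBError("EXAMPLE.ORG", now.Add(-2*time.Minute), []int{18, 17, 23}, true)
	p, err := Assess(reply, "EXAMPLE.ORG", now, 5*time.Minute)
	fmt.Printf("%+v err=%v\n", p, err)
}
```

Sending the AS-REQ itself, and handling FAST or cross-realm referral replies, is out of scope here. In practice the reply bytes arrive over UDP or TCP port 88; a TCP reply carries a 4-byte big-endian length prefix (RFC 4120, section 7.2.2) that must be stripped before the bytes are handed to `Assess`.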
## Build

```sh
make          # standalone binary
make plugin   # shared object for happyDomain
make docker   # container image
```

## Run

```sh
./checker-kerberos -listen :8080
```
## Deployment

The HTTP listener has no built-in authentication or rate limiting, and it
will issue DNS queries and Kerberos AS-REQ / TGS-REQ exchanges against
whatever realm and KDCs the caller names. When a principal and password
are supplied, the checker uses them to authenticate to that KDC: the
password itself is never sent on the wire (Kerberos derives the client
key from it and uses that key for the pre-authentication timestamp), but
material derived from it crosses the network, and anyone who can reach
the listener can submit credentials and aim the exchange at a KDC of
their choosing. The checker is meant to run on a trusted network,
reachable only by the happyDomain instance that drives it. Restrict
access with an authenticating reverse proxy, a network ACL, or by binding
the listener to a private interface; do not expose it directly to the
public internet.