50 lines
1.7 KiB
Markdown
50 lines
1.7 KiB
Markdown
# checker-kerberos
|
|
|
|
happyDomain checker that audits a Kerberos realm from its DNS records.
|
|
|
|
Starting from the realm name (or from the SRV records grouped under the
|
|
`abstract.Kerberos` service), the checker performs a series of
|
|
**anonymous probes** — and an optional **authenticated round-trip** when
|
|
credentials are supplied — to give a complete picture of the realm's
|
|
availability and security posture.
|
|
|
|
## What gets checked
|
|
|
|
- SRV layout — `_kerberos._tcp.`, `_kerberos._udp.`,
|
|
`_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`,
|
|
`_kpasswd._udp.`.
|
|
- Forward resolution of every SRV target (A + AAAA).
|
|
- TCP reachability of each KDC/kadmin/kpasswd host.
|
|
- UDP reachability of the KDC via a real AS-REQ.
|
|
- Anonymous AS-REQ probe: realm confirmation, supported enctypes
|
|
(from `ETYPE-INFO2`), PKINIT hint (`PA-PK-AS-REQ`), clock skew.
|
|
- Weak enctype detection (DES / RC4).
|
|
- Optional authenticated round-trip when `principal` and `password`
|
|
are supplied: TGT acquisition then TGS-REQ for `targetService`.
|
|
|
|
The HTML report surfaces the most common misconfigurations with a
|
|
direct remediation hint:
|
|
|
|
| Failure | Hint |
|
|
| --- | --- |
|
|
| No SRV records | publish `_kerberos._tcp.REALM. SRV …` |
|
|
| SRV target DNS failure | add A/AAAA for the target |
|
|
| Port 88 unreachable | open TCP+UDP 88 inbound |
|
|
| Clock skew > max | run ntpd/chrony |
|
|
| Weak enctypes only | switch to `aes256-cts-hmac-sha1-96` |
|
|
| Wrong realm in reply | fix `default_realm` / realm config |
|
|
| AS-REP roasting exposure | enable `requires_preauth` |
|
|
|
|
## Build
|
|
|
|
```sh
|
|
make # standalone binary
|
|
make plugin # shared object for happyDomain
|
|
make docker # container image
|
|
```
|
|
|
|
## Run
|
|
|
|
```sh
|
|
./checker-kerberos -listen :8080
|
|
```
|