
macOS has port 88 open by default. Is it possible to check the validity of a password via this port from Linux, and how? If the VNC server is active, it is also possible to learn the username (by connecting to it with vncviewer), which would make brute-forcing easier. Does OpenSSH on macOS have something built in to prevent brute-forcing, assuming it is also enabled?

  • Is VNC running on that port? – schroeder Jun 12 '19 at 12:25
  • On port 88 there's some Kerberos, on 5900 VNC and on 22 SSH; only 88 is enabled by default, but 5900 and 22 are very often enabled and accessible on my LAN. – user210038 Jun 12 '19 at 12:26
  • Ok, so what you are really asking is if you can attempt to brute force the local account by using port 88, and VNC and SSH are just some sample methods you were thinking about? – schroeder Jun 12 '19 at 12:29
  • I think you are assuming that macOS has a Kerberos server enabled by default - what you are seeing is a client. – schroeder Jun 12 '19 at 12:35
  • Oh, that explains why it is enabled by default, but shouldn't it be enabled only for the local LAN? It is accessible from the internet if the machine has a public IP address. That's because the firewall is switched off by default on macOS. – user210038 Jun 12 '19 at 12:42
  • if your machine has a public IP, then the Internet is your LAN :) – schroeder Jun 12 '19 at 12:45

1 Answer

Yes, this is possible.

Kerberos runs on port 88 on macOS. Kerberos by default has no protections against brute-forcing. Submitting an enormous volume of password authentication requests to Kerberos is possible, though to be honest such a thing is useless unless your password is incredibly poor. Kerberos does allow authentication against any user account on the machine, so you should consider both the security of your account as well as that of all your users.

Kerberos is enabled on macOS when you enable File Sharing or VNC to facilitate automatic authentication using your Apple ID on other machines you own. It's a pretty nifty feature. That being said, you should not allow connections to Kerberos from outside your network.

Allison
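Since the answer above notes that Kerberos itself does nothing to slow a flood of password guesses, the practical defensive step (besides firewalling port 88 from untrusted networks) is to notice such a flood in the KDC's authentication log. The following is an added example, not code from the answer or from Apple: it is a small sliding-window detector that flags any source address producing many pre-authentication failures in a short interval, and reports how many distinct principals that source tried (a single account hammered versus many accounts sprayed). The log line format and the sample records are constructed for this example; the real macOS KDC log format is not shown on this page, so `parse_line` is the place to adapt.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. The format is an assumption made for this example:
#   "<ISO-8601 timestamp> <source-ip> <principal> PREAUTH_OK|PREAUTH_FAILED"
# 203.0.113.7 is a documentation-range address standing in for an Internet host,
# 192.168.1.20 for a LAN host that simply mistyped a password once.
SAMPLE_LOG = """\
2019-06-12T12:25:01 203.0.113.7 alice@LOCAL PREAUTH_FAILED
2019-06-12T12:25:02 203.0.113.7 alice@LOCAL PREAUTH_FAILED
2019-06-12T12:25:03 203.0.113.7 alice@LOCAL PREAUTH_FAILED
2019-06-12T12:25:04 203.0.113.7 bob@LOCAL PREAUTH_FAILED
2019-06-12T12:25:05 203.0.113.7 bob@LOCAL PREAUTH_FAILED
2019-06-12T12:25:06 203.0.113.7 alice@LOCAL PREAUTH_FAILED
2019-06-12T12:25:30 192.168.1.20 alice@LOCAL PREAUTH_FAILED
2019-06-12T12:25:40 192.168.1.20 alice@LOCAL PREAUTH_OK
2019-06-12T12:40:00 203.0.113.7 carol@LOCAL PREAUTH_FAILED
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source_ip, principal, succeeded)."""
    ts, src, principal, result = line.split()
    return datetime.fromisoformat(ts), src, principal, result == "PREAUTH_OK"


def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (failures_in_window, distinct_principals_in_window)}
    for every source that produced at least `threshold` pre-auth failures inside
    some `window`-long sliding window. The largest window seen per source is kept."""
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, principal) failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, principal, ok = parse_line(line)
        if ok:
            continue  # successes are not counted against the source
        q = recent[src]
        q.append((ts, principal))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(src, (0, 0))[0]:
            alerts[src] = (len(q), len({p for _, p in q}))
    return alerts


if __name__ == "__main__":
    for src, (count, principals) in find_bursts(SAMPLE_LOG).items():
        print(f"{src}: {count} failures within 60s across {principals} principal(s)")
```

Run against the sample, only the Internet host is reported (6 failures in 60 seconds across 2 principals); the LAN host's single typo and the later isolated failure stay below the threshold. Feeding the alert into a host firewall rule or a pf table is the usual follow-up, which is outside what this snippet does.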