Service: msft-gc-ssl
Protocol: TCP
Port: 3269
Used for: Microsoft Active Directory Global Catalog over SSL

Why It’s Open
Port 3269 is used for Microsoft Active Directory Global Catalog over SSL/TLS (LDAP-GC-SSL). This secure service provides a centralized directory of all objects in a multi-domain Active Directory forest, enabling cross-domain object queries and authentication. Organizations rely on this port for secure domain operations including user authentication, resource location, and directory searches across complex enterprise environments. Unlike its unencrypted counterpart on port 3268, traffic on port 3269 is encrypted to protect sensitive directory information during transmission, making it essential for secure enterprise network operations.
Common Risks
- Kerberos vulnerabilities: Authentication protocol weaknesses leading to credential theft or forgery
- LDAP injection: Malformed queries allowing manipulation of directory data or access controls
- SSL/TLS misconfigurations: Outdated cipher suites or protocols enabling traffic interception
- Directory information leakage: Excessive object attributes exposed through improper access controls
- Authentication bypass: Security flaws allowing unauthorized access to directory services
- Certificate validation issues: Improper validation enabling man-in-the-middle attacks
- Privilege escalation: Exploitation of directory service flaws to gain elevated permissions
- Forest trust vulnerabilities: Trust relationship exploitation between AD domains
Enumeration & Testing
Service Detection:
nmap -sV -p 3269 --script ldap-search <target>
SSL/TLS Analysis:
sslscan <target>:3269
Anonymous LDAP Binding Test:
ldapsearch -H ldaps://<target>:3269 -x -b "" -s base namingContexts
User Enumeration:
ldapsearch -H ldaps://<target>:3269 -x -D "CN=user,DC=domain,DC=com" -w "password" -b "DC=domain,DC=com" "(objectClass=user)"
Global Catalog Query:
ldapsearch -H ldaps://<target>:3269 -x -D "CN=user,DC=domain,DC=com" -w "password" -b "DC=domain,DC=com" -s sub "(objectclass=*)" "*"
Check Cipher Suites:
nmap --script ssl-enum-ciphers -p 3269 <target>
What to Look For
| Checkpoint | What it means |
|---|---|
| Domain controller version | Identify Windows Server version and patch level for known vulnerabilities |
| Anonymous binding | Check if unauthenticated access to directory objects is possible |
| SSL/TLS version | Verify if secure versions (TLS 1.2+) are enforced and weak ciphers disabled |
| LDAP signing | Confirm if message signing is required to prevent MITM attacks |
| Certificate validation | Check for expired, self-signed, or improperly validated certificates |
| Excessive attribute disclosure | Identify if sensitive user/computer attributes are visible to regular users |
| Kerberos security settings | Evaluate Kerberos configuration for known attack vectors (e.g., Kerberoasting) |
| Forest trust configurations | Review trust relationships between domains that might be exploitable |
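The enumeration commands and the checklist table above can be covered in one TLS session. The following is an added example, not code from the original page or from PentestPad, that performs those checks with Python's standard library only: it probes whether the server still accepts TLS 1.0 or 1.1, records the negotiated version and cipher, validates the certificate chain and hostname against a CA file you supply (the hostname and `cafile` values are assumptions), reports days until certificate expiry, and then, like the `ldapsearch ... -b "" -s base namingContexts` command, performs an anonymous bind and reads the rootDSE. The BER and LDAP message encoding follows RFC 4511.

```python
# Added example, not from the original page: stdlib-only LDAPS audit of one domain controller.
import socket, ssl, time

def ber_tlv(tag, payload):                                      # definite-length BER, payload <= 65535
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def ber_int(value):                                             # non-negative INTEGER body
    return ber_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def ber_read(buf, pos=0):
    """(tag, payload, next_pos) of the TLV at pos; handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def ber_children(payload):
    pos = 0
    while pos < len(payload):
        tag, value, pos = ber_read(payload, pos)
        yield tag, value

def ldap_message(msg_id, protocol_op_bytes):
    return ber_tlv(0x30, ber_int(msg_id) + protocol_op_bytes)

def anonymous_bind_request(msg_id=1):
    """LDAPv3 simple bind with empty name and password, i.e. an anonymous bind (RFC 4511)."""
    return ldap_message(msg_id, ber_tlv(0x60, ber_int(3) + ber_tlv(0x04, b"") + ber_tlv(0x80, b"")))

def rootdse_request(msg_id=2, attrs=("namingContexts", "supportedLDAPVersion")):
    """SearchRequest for the rootDSE: base "", scope baseObject, filter (objectClass=*)."""
    body = (ber_tlv(0x04, b"") + ber_tlv(0x0A, b"\x00") + ber_tlv(0x0A, b"\x00")   # base, scope, deref
            + ber_int(0) + ber_int(0) + ber_tlv(0x01, b"\x00")                     # limits, typesOnly
            + ber_tlv(0x87, b"objectClass")                                        # present filter [7]
            + ber_tlv(0x30, b"".join(ber_tlv(0x04, a.encode()) for a in attrs)))
    return ldap_message(msg_id, ber_tlv(0x63, body))                               # [APPLICATION 3]

def protocol_op(message):
    """(tag, payload) of the protocolOp: 0x61 BindResponse, 0x64 SearchResultEntry, 0x65 SearchResultDone."""
    return list(ber_children(ber_read(message)[1]))[1]

def parse_result_code(message):
    """resultCode of a BindResponse / SearchResultDone: 0 success, 49 invalidCredentials."""
    _, code = next(ber_children(protocol_op(message)[1]))
    return int.from_bytes(code, "big")

def parse_search_entry(message):
    """{attribute: [values]} from a SearchResultEntry; {} for any other message."""
    tag, op = protocol_op(message)
    if tag != 0x64:
        return {}
    out = {}
    for _, attr in ber_children(list(ber_children(op))[1][1]):           # PartialAttributeList
        (_, name), (_, values) = list(ber_children(attr))[:2]
        out[name.decode()] = [v.decode(errors="replace") for _, v in ber_children(values)]
    return out

def recv_message(stream):
    """Read one BER-framed LDAPMessage from a buffered binary stream (e.g. sock.makefile("rb"))."""
    head = stream.read(2)
    length, extra = head[1], b""
    if length & 0x80:
        extra = stream.read(length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + stream.read(length)

def accepts_tls_version(host, port, version):
    """True if the server completes a handshake pinned to exactly this TLS version (False also when local OpenSSL cannot speak it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE        # probing protocol support only
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=host):
            return True
    except (ssl.SSLError, OSError, ValueError):
        return False

def audit_ldaps(host, cafile=None, port=3269):
    """Validated handshake (chain + hostname), then anonymous bind and rootDSE read; returns a findings dict."""
    f = {"accepts_" + v.name: accepts_tls_version(host, port, v) for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)}
    ctx = ssl.create_default_context(cafile=cafile)                   # cafile: your internal PKI root (assumption)
    with socket.create_connection((host, port), timeout=10) as raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLCertVerificationError as e:
            f["cert_error"] = e.verify_message                         # self-signed, expired, name mismatch, ...
            return f
        with tls, tls.makefile("rb") as stream:
            f["tls_version"], f["cipher"] = tls.version(), tls.cipher()[0]
            f["cert_days_left"] = int((ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"]) - time.time()) // 86400)
            tls.sendall(anonymous_bind_request(1))
            f["anonymous_bind_result"] = parse_result_code(recv_message(stream))
            tls.sendall(rootdse_request(2))
            f["rootdse"] = {}
            while True:
                msg = recv_message(stream)
                f["rootdse"].update(parse_search_entry(msg))
                if protocol_op(msg)[0] == 0x65:                        # SearchResultDone ends the result set
                    f["rootdse_result"] = parse_result_code(msg)
                    return f
```

Call `audit_ldaps("dc01.corp.example", "internal-root-ca.pem")` (placeholder names) and read the dict against the table: `accepts_TLSv1` or `accepts_TLSv1_1` being true maps to the SSL/TLS version row, a `cert_error` or small `cert_days_left` to the certificate row, and `anonymous_bind_result == 0` with a populated `rootdse` to the anonymous binding row. Note that Active Directory serves the rootDSE to anonymous clients by design; the finding that matters is whether an anonymous bind can read anything beyond it, which you can check by repeating the search with the returned `namingContexts` value as the base.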
Mitigation
- Keep domain controllers updated: Apply latest security patches and updates
- Enforce LDAPS only: Disable plain LDAP and require SSL/TLS
- Implement TLS 1.2+ only: Disable older protocols and weak ciphers
- Require LDAP signing: Prevent man-in-the-middle attacks
- Use proper certificate management: Implement internal PKI with strong validation
- Enforce strong password policies: Enable MFA for privileged accounts
- Implement network segmentation: Limit Global Catalog access to required systems
- Use Group Policy hardening: Protect domain controllers against common attacks
- Restrict sensitive attributes: Implement proper directory ACLs
- Audit directory access: Monitor changes to security-sensitive objects
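The "Enforce LDAPS only", "Require LDAP signing" and "Audit directory access" items depend on knowing which clients still bind insecurely before the domain controller is switched to reject them. Windows can log Directory Service event 2889 for every client that performs a simple bind in clear text or a SASL bind without signing once the "16 LDAP Interface Events" diagnostic level is raised on the DC. The following is an added example, not code from the original page or from PentestPad, that triages an export of those events into a per-client worklist; the record layout and the sample events are constructed, and their message wording only approximates the real event text.

```python
# Added example, not from the original page: triage of Directory Service event 2889 records.
import re
from collections import Counter

# Constructed sample records (layout and wording approximate a Directory Service log export;
# the addresses and identities are made up).  Event 2889 is logged per client once the
# "16 LDAP Interface Events" diagnostic level is raised on the domain controller.
SAMPLE_EVENTS = [
    {"EventID": 2889, "TimeCreated": "2024-05-01T08:12:03", "Message":
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without "
        "requesting signing (integrity verification), or performed a simple bind over a clear text "
        "(non-SSL/TLS-encrypted) LDAP connection.\n\nClient IP address:\n10.20.30.40:51234\n"
        "Identity the client attempted to authenticate as:\nCORP\\svc-backup\n"},
    {"EventID": 2889, "TimeCreated": "2024-05-01T08:12:09", "Message":
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without "
        "requesting signing (integrity verification), or performed a simple bind over a clear text "
        "(non-SSL/TLS-encrypted) LDAP connection.\n\nClient IP address:\n10.20.30.40:51240\n"
        "Identity the client attempted to authenticate as:\nCORP\\svc-backup\n"},
    {"EventID": 2889, "TimeCreated": "2024-05-01T09:00:41", "Message":
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without "
        "requesting signing (integrity verification), or performed a simple bind over a clear text "
        "(non-SSL/TLS-encrypted) LDAP connection.\n\nClient IP address:\n10.20.31.7:40022\n"
        "Identity the client attempted to authenticate as:\nCORP\\printsrv$\n"},
    # Unrelated event that must be ignored by the report.
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:01:00", "Message": "An account was successfully logged on."},
]

CLIENT_RE = re.compile(r"Client IP address:\s*(?P<addr>\S+)")
IDENTITY_RE = re.compile(r"Identity the client attempted to authenticate as:\s*(?P<who>[^\r\n]+)")


def parse_2889(message):
    """Extract client_ip, client_port and identity from an event 2889 message; None if fields are absent."""
    m_client, m_who = CLIENT_RE.search(message), IDENTITY_RE.search(message)
    if not (m_client and m_who):
        return None
    ip, _, port = m_client["addr"].rpartition(":")      # IPv4 "addr:port"; IPv6 would need bracket handling
    return {"client_ip": ip, "client_port": int(port), "identity": m_who["who"].strip()}


def unsigned_bind_report(events):
    """Rows of client_ip, identity, count, first_seen for every 2889 source, busiest first.

    Each row is a client that still binds in clear text or without signing and will
    break once signing is required or plain LDAP is disabled, so it needs fixing first."""
    counts, first_seen = Counter(), {}
    for ev in events:
        if ev.get("EventID") != 2889:
            continue
        parsed = parse_2889(ev.get("Message", ""))
        if parsed is None:
            continue
        key = (parsed["client_ip"], parsed["identity"])
        counts[key] += 1
        first_seen.setdefault(key, ev.get("TimeCreated"))
    return [{"client_ip": ip, "identity": who, "count": n, "first_seen": first_seen[(ip, who)]}
            for (ip, who), n in counts.most_common()]


if __name__ == "__main__":
    for row in unsigned_bind_report(SAMPLE_EVENTS):
        print(f'{row["client_ip"]:<16} {row["identity"]:<24} {row["count"]:>5}  first seen {row["first_seen"]}')
```

Feed it the records exported from the Directory Service log of each domain controller (one dict per event with `EventID`, `TimeCreated` and `Message`), and work the list from the top: the busiest client and service-account pairs are the ones whose applications must be moved to LDAPS on 3269 (or to signed SASL binds) before signing is enforced.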
TL;DR
- Port 3269 = Microsoft Global Catalog service over SSL
- Critical directory service containing domain object information
- High-value target for reconnaissance and credential harvesting
- Requires secure TLS configuration and strict access controls
- Authentication bypass and LDAP injection are common attack vectors
Known CVEs and Exploits
- CVE-2019-1040 – A vulnerability in Microsoft Windows that allowed bypassing LDAP signing requirements, enabling credential theft via man-in-the-middle attacks on LDAPS.
- CVE-2020-0665 – Active Directory forest trust vulnerability where misconfigured delegation allowed attackers to impersonate users and gain unauthorized access across domains.
- CVE-2022-26923 – A certificate privilege escalation vulnerability in Active Directory Certificate Services (AD CS), allowing domain compromise through certificate template abuse, impacting LDAP-based authentication flows.
- CVE-2022-29130 – LDAP Remote Code Execution vulnerability in Microsoft Windows when processing specially crafted requests; affected unpatched domain controllers using insecure MaxReceiveBuffer settings.
- CVE-2022-22012 – Another critical LDAP RCE affecting domain controllers with misconfigured buffer sizes; allowed unauthenticated attackers to execute code via LDAPS or LDAP requests.