Service: LDAP (Lightweight Directory Access Protocol)
Protocol: TCP/UDP (UDP 389 carries CLDAP, the connectionless variant Active Directory uses for domain controller discovery)
Port: 389
Used for: Directory lookups, authentication, and identity services

Why It's Open
LDAP is widely used in enterprise networks for user lookups, authentication, and service discovery — especially in Active Directory environments.
Common Risks
- Cleartext Transmission: A simple bind over plain LDAP (port 389 without StartTLS) sends the bind DN and password in the clear, so anyone on the network path can capture them.
- Anonymous Binds: A server that accepts anonymous binds lets unauthenticated clients read whatever the ACLs leave world-readable, which is often enough to enumerate users and groups.
- Injection Attacks: Applications that concatenate user input into search filters or DNs are open to LDAP injection, where metacharacters such as `*`, `(` and `)` change the meaning of the query.
Enumeration & Testing
ldapsearch check (`<target>` is the host under test)
nmap -p 389 -sV <target>
ldapsearch -x -h <target> -b "dc=example,dc=com"
The ldapsearch command uses simple authentication (`-x`) with no bind DN or password, so it performs an anonymous bind: a result set instead of an error means the server allows anonymous reads under that base. Substitute the real base DN, which the root DSE advertises in its namingContexts attribute. Recent OpenLDAP releases have dropped `-h` in favour of `-H ldap://<target>`.

What to Look For
| Checkpoint | What it means |
|---|---|
| Anonymous bind allowed | Unauthenticated user and group enumeration |
| No LDAPS (636) and no StartTLS on 389 | Unencrypted credentials in transit |
| Misconfigured ACLs | Data exposure (password hints, sensitive attributes) or privilege escalation via writable objects |
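Once the ldapsearch above returns data, the useful work is reading it systematically rather than eyeballing LDIF. The following is an added example for this page, not code from the original or from PentestPad: it parses LDIF as ldapsearch prints it (handling folded continuation lines and base64-encoded `::` values, both of which break naive grep-based triage), then flags user objects with weak userAccountControl bits and credential hints in description fields, and resolves group membership from the memberOf back-link. The LDIF sample, the domain, and the accounts are constructed; the userAccountControl flag values are the documented Windows ones.

```python
"""Parse ldapsearch LDIF output and flag user objects worth a second look.

Added example for this page, not code from the original. The LDIF below is
constructed to resemble an anonymous-bind dump of an Active Directory domain;
the domain, users and groups are hypothetical.
"""
import base64
import re

# Well-known userAccountControl bit flags (MS-ADTS / MS-SAMR).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

# Constructed sample shaped like ldapsearch output. Note the folded memberOf
# line (continuation starts with a space) and the base64 description ('::').
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Alice Admin,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
userAccountControl: 66048
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com

dn: CN=svc backup,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: svc_backup
userAccountControl: 4194848
description:: cHc6IFdlbGNvbWUx
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=com
memberOf: CN=Remote Desktop Users,CN=Builtin,
 DC=example,DC=com

dn: CN=Old User,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: olduser
userAccountControl: 546

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Admins
member: CN=Alice Admin,CN=Users,DC=example,DC=com
"""


def _logical_lines(text):
    """Join LDIF folded lines: a line starting with one space continues the previous one."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry; '::' values are base64-decoded."""
    entries, entry = [], {}
    for line in _logical_lines(text):
        if line == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def audit_users(entries):
    """Return (sAMAccountName, finding) pairs for enabled user objects."""
    findings = []
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        name = e.get("sAMAccountName", ["?"])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts are noise for this pass
        if uac & UAC_DONT_REQ_PREAUTH:
            findings.append((name, "Kerberos pre-authentication not required"))
        if uac & UAC_PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD set (empty password permitted)"))
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings.append((name, "password never expires"))
        desc = " ".join(e.get("description", []))
        if re.search(r"\b(pw|pwd|pass|password)\b", desc, re.I):
            findings.append((name, f"credential hint in description: {desc!r}"))
    return findings


def members_of(entries, group_dn):
    """Accounts whose memberOf back-link names the given group DN."""
    return sorted(e.get("sAMAccountName", ["?"])[0]
                  for e in entries if group_dn in e.get("memberOf", []))


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for account, finding in audit_users(parsed):
        print(f"{account}: {finding}")
    print("Domain Admins:", members_of(parsed, "CN=Domain Admins,CN=Users,DC=example,DC=com"))
```

Point it at a real dump with `parse_ldif(open("dump.ldif").read())`. Against Active Directory note that an anonymous bind usually returns only the root DSE; the full user and group listing this script expects typically needs any low-privilege domain account, which is why "anonymous bind allowed" is a finding in its own right.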
Known Exploits
- CVE-2017-8563 - LDAP Signing and Channel Binding Vulnerability
A security update that introduces the LdapEnforceChannelBinding registry setting to enhance the security of LDAP authentication over SSL/TLS. Without this setting, LDAP servers are susceptible to man-in-the-middle (MITM) attacks due to the lack of channel
Affected Systems: Windows Server 2008 and later versions, Windows 7, Windows 8.1, Windows 10
Impact: Potential for credential theft and unauthorized access through MITM attacks.
- CVE-2019-1040 - NTLM Tampering Vulnerability
A vulnerability in Microsoft’s NTLM authentication protocol that allows attackers to bypass the Message Integrity Check (MIC) protection. This enables credential relay attacks, particularly against services like LDAP, leading to potential unauthorized
Affected Systems: Multiple versions of Microsoft Windows
Impact: Enables attackers to relay NTLM authentication sessions, potentially leading to unauthorized access and privilege escalation.
- CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability (“Zerologon”)
An elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated attacker to establish a secure channel to a domain controller, potentially leading to domain compromise.
Affected Systems: Windows Server 2008 R2 and later versions
Impact: Allows attackers to gain domain administrator access, leading to complete domain compromise.
- CVE-2022-0918 - 389 Directory Server Denial of Service Vulnerability
A vulnerability in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service by sending a specially crafted message, leading to a segmentation fault and crash of the slapd process.
Affected Systems: 389 Directory Server versions prior to the fix
Impact: Remote denial of service, leading to potential disruption of directory services.
- CVE-2018-14648 - 389 Directory Server CPU Consumption Vulnerability
A flaw in the 389 Directory Server where a specially crafted search query could lead to excessive CPU consumption in the do_search() function.
Affected Systems: 389 Directory Server versions prior to the fix
Impact: Potential denial of service due to resource exhaustion.
Mitigation
- Use LDAPS (port 636) or StartTLS.
- Disable anonymous binds.
- Apply strict access control lists.
- Sanitize LDAP queries in applications.
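"Sanitize LDAP queries" in practice means escaping, not stripping, and the escaping rules for a search filter (RFC 4515) differ from those for a DN (RFC 4514). The following is an added example for this page, not code from the original or from PentestPad: it puts a naive concatenated filter next to an escaped one, shows the separate DN escaper needed when a username is used to build a bind DN, and assumes the attribute names (uid, objectClass) and base DN shown.

```python
"""LDAP injection: unsafe filter/DN construction next to RFC-compliant escaping.

Added example for this page, not code from the original. The attribute
names (uid, objectClass) and the base DN are assumed; escaping follows
RFC 4515 (search filters) and RFC 4514 (distinguished names).
"""

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted input for use as an assertion value in a search filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: RFC 4515 permits raw UTF-8, but escaping each byte avoids
            # encoding ambiguities between the client library and the server.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514 section 2.4).

    DN rules differ from filter rules: '*', '(' and ')' are harmless here,
    while , + " \\ < > ; must be escaped, as must a leading '#' and a
    leading or trailing space. Reusing the filter escaper for a DN is a
    common mistake.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def lookup_filter_vulnerable(username: str) -> str:
    """Direct concatenation: the input can close the assertion and add its own."""
    return f"(&(objectClass=person)(uid={username}))"


def lookup_filter_safe(username: str) -> str:
    """Same filter with the value escaped; the input can only match literally."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


BASE_DN = "ou=people,dc=example,dc=com"  # assumed


def bind_dn(username: str) -> str:
    """DN to bind with. The password is verified by the bind operation itself,
    never by placing it in a search filter."""
    return f"uid={escape_dn_value(username)},{BASE_DN}"


if __name__ == "__main__":
    payload = "*)(uid=*"
    print(lookup_filter_vulnerable(payload))  # (&(objectClass=person)(uid=*)(uid=*))
    print(lookup_filter_safe(payload))        # (&(objectClass=person)(uid=\2a\29\28uid=\2a))
    print(bind_dn("alice,ou=admins"))         # uid=alice\,ou=admins,ou=people,dc=example,dc=com
```

The vulnerable form turns a single `*` into a match-everything lookup and lets `*)(uid=*` append a clause of the attacker's choosing; the escaped form searches for those bytes literally. When a client library is already in use, prefer its own escapers (python-ldap's `ldap.filter.escape_filter_chars`, ldap3's `ldap3.utils.conv.escape_filter_chars`) over a hand-rolled one.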
Real-World Example
Internal pentesters routinely use LDAP enumeration to map domain structure, user accounts, and group membership. Anonymous bind makes this possible from an unauthenticated position; in Active Directory, where anonymous bind normally exposes only the root DSE, the same enumeration is available to any low-privilege domain account, so a single phished or weak credential is enough.
TL;DR
- Service: LDAP (Lightweight Directory Access Protocol)
- Default Port: 389
- Risks: Credential interception, anonymous enumeration, LDAP injection, unauthorized access
- Mitigation: Use LDAPS (port 636) or StartTLS, disable anonymous binds, enforce LDAP signing and channel binding, escape input used in filters and DNs