Why It's Open

LDAP is widely used in enterprise networks for user lookups, authentication, and service discovery — especially in Active Directory environments.

Common Risks

Cleartext Transmission: LDAP by default sends usernames and passwords in the clear.
Anonymous Binds: Can allow unauthenticated data queries.
Injection Attacks: Poorly filtered queries can lead to LDAP injection.

__CTA_DEMO__

Enumeration & Testing

Ldapsearch check

nmap -p 389 -sV <target-ip>

ldapsearch -x -h <target-ip> -b "dc=example,dc=com"

What to Look For

Checkpoint	What it means
Anonymous bind allowed	Unauthenticated user enumeration
No LDAPS (636)	Unencrypted credentials in transit
Misconfigured ACLs	Data exposure or privilege escalation

Known Exploits

CVE-2017-8563 - LDAP Signing and Channel Binding Vulnerability
A security update that introduces the LdapEnforceChannelBinding registry setting to enhance the security of LDAP authentication over SSL/TLS. Without this setting, LDAP servers are susceptible to man-in-the-middle (MITM) attacks due to the lack of channel
Affected Systems: Windows Server 2008 and later versions, Windows 7, Windows 8.1, Windows 10
Impact: Potential for credential theft and unauthorized access through MITM attacks.
🔗 Microsoft Advisory
CVE-2019-1040 - NTLM Tampering Vulnerability
A vulnerability in Microsoft's NTLM authentication protocol that allows attackers to bypass the Message Integrity Check (MIC) protection. This enables credential relay attacks, particularly against services like LDAP, leading to potential unauthorized
Affected Systems: Multiple versions of Microsoft WindowsMicrosoft Support
Impact: Enables attackers to relay NTLM authentication sessions, potentially leading to unauthorized access and privilege escalation.
🔗 NVD Entry
CVE-2020-1472 - Netlogon Elevation of Privilege Vulnerability ("Zerologon")
An elevation of privilege vulnerability in the Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated attacker to establish a secure channel to a domain controller, potentially leading to domain compromise.
Affected Systems: Windows Server 2008 R2 and later versions
Impact: Allows attackers to gain domain administrator access, leading to complete domain compromise.
🔗 NVD Entry
🔗 Microsoft Security Blog
CVE-2022-0918 - 389 Directory Server Denial of Service Vulnerability
A vulnerability in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service by sending a specially crafted message, leading to a segmentation fault and crash of the slapd process.
Affected Systems: 389 Directory Server versions prior to the fix
Impact: Remote denial of service, leading to potential disruption of directory services.
🔗 NVD Entry
CVE-2018-14648 - 389 Directory Server CPU Consumption Vulnerability
A flaw in the 389 Directory Server where a specially crafted search query could lead to excessive CPU consumption in the do_search() function.
Affected Systems: 389 Directory Server versions prior to the fix
Impact: Potential denial of service due to resource exhaustion.
🔗 NVD Entry

Mitigation

Use LDAPS (port 636) or StartTLS.
Disable anonymous binds.
Apply strict access control lists.
Sanitize LDAP queries in applications.

Real-World Example

Internal pentesters often use LDAP enumeration to discover domain structure, user accounts, and groups - especially when anonymous bind is allowed.

TL;DR

Service: LDAP (Lightweight Directory Access Protocol)
Default Port: 389
Risks: Credential interception, unauthorized access
Mitigation: Use LDAPS (port 636), enforce secure bindings

Port Map & Exploitation

A practical guide to network ports, common services running, and techniques used to perform a port exploit during real-world penetration tests.