Notes


Alternative Ports
389 TCP (LDAP)
636 TCP (LDAPS, LDAP over SSL/TLS)

Service Description
LDAP (Lightweight Directory Access Protocol) is used for directory services (typically Active Directory) to manage user accounts, permissions, and domain structure. TCP/389 carries LDAP in plaintext unless the client negotiates StartTLS; TCP/636 provides LDAP over SSL/TLS (LDAPS).

Important

Many LDAP services allow anonymous read access, potentially exposing user, group, and domain metadata.


Attacks


Anonymous Enumeration
If allowed, unauthenticated queries can list users, computers, policies, and even password policy settings.

Weak Bind Authentication
If the server accepts simple binds over plain TCP/389 (no StartTLS and no LDAPS), the bind DN and password cross the network in cleartext.

Credential Reuse / Hash Extraction
Captured LDAP credentials are usually domain credentials, so they may also work for SMB, RDP, VPN, or domain-join rights.


Tools & Exploits


Enumeration


nmap
Script-based LDAP probing.

nmap -p389 --script ldap-rootdse,ldap-search <target>
nmap -p636 --script ssl-cert,ldap-rootdse,ldap-search <target>

ldapsearch
CLI for querying LDAP servers.

# Anonymous bind (LDAP)
ldapsearch -x -H ldap://<target> -b "dc=domain,dc=local"

# Authenticated bind (LDAP)
ldapsearch -x -H ldap://<target> -D "user@domain.local" -W -b "dc=domain,dc=local"

# Authenticated bind with StartTLS on 389 (-ZZ aborts if TLS cannot be negotiated)
ldapsearch -x -H ldap://<target> -D "user@domain.local" -W -b "dc=domain,dc=local" -ZZ

# Authenticated bind over LDAPS (636); do not add -ZZ here, StartTLS is not valid on a session that is already TLS
ldapsearch -x -H ldaps://<target> -D "user@domain.local" -W -b "dc=domain,dc=local"

Metasploit

use auxiliary/gather/ldap_query

ldapdomaindump
Python tool to dump AD structure from LDAP.

ldapdomaindump ldap://<target> -u "domain\\user" -p 'Password123'
ldapdomaindump ldaps://<target> -u "domain\\user" -p 'Password123'

crackmapexec

cme ldap <target> -u user -p pass --kdcHost <dc>
cme ldap <target> -u user -p pass --ssl

Exploitation or Post-Enum


Find High-Value Targets
Use ldapsearch or ldapdomaindump to extract:

  • adminCount=1 users
  • Group membership for Domain Admins, Enterprise Admins
  • Password policy attributes

Gather Computer Objects / Hostnames

ldapsearch -x -H ldap://<target> -b "dc=domain,dc=local" "(objectClass=computer)"

Find Users with SPNs (Kerberoasting)

ldapsearch -x -H ldap://<target> -b "dc=domain,dc=local" "(servicePrincipalName=*)"
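The three "Find High-Value Targets" items above, plus the SPN query, are easiest to review offline against the LDIF that ldapsearch prints. The script below is an added example written for these notes, not part of the original page or of any of the tools listed: it parses LDIF (comments, folded lines, base64 `::` values), then reports adminCount=1 users, members of Domain Admins / Enterprise Admins, user accounts that carry an SPN, and the overlap of the last two, which is the set a defender should fix first (a privileged account with an SPN is the one whose password strength matters most). The LDIF export and all account names in it are constructed for the example.

```python
"""Offline review of an ldapsearch LDIF export for high-value accounts.

Added example for these notes (not the original page's code). The sample
LDIF below is constructed; the domain, accounts and SPNs are not real.
"""
import base64
from collections import defaultdict

# Constructed sample export, shaped like ldapsearch output for users and computers
SAMPLE_LDIF = """\
# constructed search result, base dc=domain,dc=local
dn: CN=Administrator,CN=Users,DC=domain,DC=local
objectClass: top
objectClass: user
sAMAccountName: Administrator
adminCount: 1
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=local

dn: CN=svc-sql,OU=Service,DC=domain,DC=local
objectClass: top
objectClass: user
sAMAccountName: svc-sql
servicePrincipalName: MSSQLSvc/sql01.domain.local:1433
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=local
description:: U1FMIHNlcnZpY2UgYWNjb3VudA==

dn: CN=jdoe,CN=Users,DC=domain,DC=local
objectClass: top
objectClass: user
sAMAccountName: jdoe
memberOf: CN=Domain Users,CN=Users,DC=domain,DC=local

dn: CN=SQL01,OU=Servers,DC=domain,DC=local
objectClass: top
objectClass: user
objectClass: computer
sAMAccountName: SQL01$
servicePrincipalName: HOST/sql01.domain.local
"""

PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins")


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values].

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values written as 'attr:: value'. LDAP attribute names are
    case-insensitive, so keys are stored lower-cased.
    """
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[attr.lower()].append(value)
    return entries


def _is_user(entry):
    # AD computer objects also carry objectClass=user, so exclude them explicitly
    classes = {v.lower() for v in entry.get("objectclass", [])}
    return "user" in classes and "computer" not in classes


def _group_cn(dn):
    # first RDN value of "CN=Domain Admins,CN=Users,DC=..." (no escaped-comma handling)
    return dn.split(",", 1)[0].split("=", 1)[1]


def audit_high_value(entries):
    """Return sorted sAMAccountNames per category a defender should review."""
    report = {"admin_count": [], "privileged_members": [],
              "spn_users": [], "privileged_spn_users": []}
    for e in entries:
        if not _is_user(e):
            continue
        name = e["samaccountname"][0]
        groups = {_group_cn(dn) for dn in e.get("memberof", [])}
        in_priv = bool(groups & set(PRIVILEGED_GROUPS))
        has_spn = bool(e.get("serviceprincipalname"))
        if e.get("admincount") == ["1"]:
            report["admin_count"].append(name)
        if in_priv:
            report["privileged_members"].append(name)
        if has_spn:
            report["spn_users"].append(name)
        if in_priv and has_spn:
            report["privileged_spn_users"].append(name)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for category, names in audit_high_value(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{category:22s} {', '.join(names) or '-'}")
```

Feed it a real export with `parse_ldif(open("users.ldif").read())`; the `privileged_spn_users` list is the one to act on (move the service to a gMSA or rotate to a long random password), and `admin_count` entries that are no longer in a privileged group are candidates for cleanup of stale AdminSDHolder protection.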

Wireshark Analysis Tips


Filters

tcp.port == 389 || tcp.port == 636
ldap

What to look for:

  • BindRequest / BindResponse (check for success without auth)
  • SearchRequest / SearchResultEntry structures
  • Cleartext DN / credentials if TLS not enforced
  • Encrypted payload with successful SSL negotiation (LDAPS)
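The "Weak Bind Authentication" note and the BindRequest/BindResponse checklist above come down to three questions about each bind on the wire: is it anonymous, is it a DN with an empty password (an "unauthenticated" bind, which AD treats as anonymous), and if it carries a password, was the transport encrypted? The script below is an added example written for these notes (not the page's code and not a Wireshark feature): a minimal BER decoder for the LDAP BindRequest and BindResponse PDUs as defined in RFC 4511, with a small encoder used only to construct the sample stream. The DN, password and message IDs in the sample are constructed; nothing here is a real capture.

```python
"""Flag weak LDAP binds from raw LDAPMessage PDUs (added example for these notes).

Decodes just enough BER to read BindRequest ([APPLICATION 0]) and
BindResponse ([APPLICATION 1]) and reports cleartext passwords on an
unencrypted transport plus anonymous/unauthenticated binds the server accepted.
"""

BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3        # [0] OCTET STRING / [3] SaslCredentials


def tlv(tag, payload):
    """Encode one short-form TLV (payload < 128 bytes); used only to build samples."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(raw):
    """Return a dict describing one LDAPMessage (only bind PDUs are decoded in depth)."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    msg = {"id": int.from_bytes(mid, "big")}
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == BIND_REQUEST:
        _, _version, pos = read_tlv(op)                 # version INTEGER
        _, name, pos = read_tlv(op, pos)                # name LDAPDN
        auth_tag, auth, _ = read_tlv(op, pos)           # AuthenticationChoice
        msg.update(type="BindRequest", dn=name.decode(), secret_len=0)
        if auth_tag == AUTH_SIMPLE:
            msg.update(method="simple", secret_len=len(auth))
        elif auth_tag == AUTH_SASL:
            _, mech, _ = read_tlv(auth)                 # SaslCredentials.mechanism
            msg.update(method="sasl/" + mech.decode())
        else:
            msg.update(method="unknown")
    elif op_tag == BIND_RESPONSE:
        _, code, _ = read_tlv(op)                       # resultCode ENUMERATED
        msg.update(type="BindResponse", result=int.from_bytes(code, "big"))
    else:
        msg.update(type="other")
    return msg


def assess_binds(pdus, port, transport_encrypted=False):
    """Findings for a list of raw PDUs from one TCP stream (LDAPS or StartTLS => encrypted)."""
    parsed = [parse_ldap_message(p) for p in pdus]
    results = {m["id"]: m["result"] for m in parsed if m["type"] == "BindResponse"}
    findings = []
    for m in parsed:
        if m["type"] != "BindRequest" or m["method"] != "simple":
            continue                                    # SASL binds carry no cleartext password
        accepted = results.get(m["id"]) == 0            # resultCode success(0)
        if m["secret_len"] == 0:
            kind = "anonymous bind" if m["dn"] == "" else "unauthenticated bind (DN, empty password)"
            if accepted:
                findings.append(f"msg {m['id']}: {kind} accepted (result 0)")
        elif not transport_encrypted:
            findings.append(f"msg {m['id']}: simple bind password for {m['dn']!r} "
                            f"sent in cleartext on tcp/{port}")
    return findings


# ---- constructed sample stream (not a real capture) --------------------
def bind_request(msg_id, dn, password=None, sasl_mech=None):
    auth = tlv(AUTH_SASL, tlv(0x04, sasl_mech)) if sasl_mech else tlv(AUTH_SIMPLE, password)
    op = tlv(BIND_REQUEST, tlv(0x02, b"\x03") + tlv(0x04, dn) + auth)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def bind_response(msg_id, result):
    op = tlv(BIND_RESPONSE, tlv(0x0A, bytes([result])) + tlv(0x04, b"") + tlv(0x04, b""))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


SAMPLE_STREAM = [
    bind_request(1, b"", b""),                                           # anonymous
    bind_response(1, 0),                                                 # success
    bind_request(2, b"cn=svc-backup,dc=domain,dc=local", b"Winter2024!"),  # simple + password
    bind_response(2, 0),
    bind_request(3, b"", sasl_mech=b"GSSAPI"),                           # Kerberos, no password on wire
    bind_response(3, 14),                                                # saslBindInProgress
]

if __name__ == "__main__":
    for f in assess_binds(SAMPLE_STREAM, port=389):
        print(f)
```

Run on real traffic, the PDUs come from a reassembled TCP stream (Wireshark's "Follow TCP Stream" export works); on 636 or after a StartTLS handshake pass `transport_encrypted=True` so only the anonymous and unauthenticated findings remain, which is what you want to see when checking whether a DC still accepts them.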

References