Learn Enumeration of LDAP

Posted by josh (@josh)

LDAP Enumeration is a technique used to gather information from directory services—especially Active Directory—using the Lightweight Directory Access Protocol (LDAP). It’s a key step in penetration testing and ethical hacking during the reconnaissance phase.


🧠 What Is LDAP?

LDAP is a protocol used to access and manage directory services over a network. It operates on TCP port 389 and allows querying of hierarchical databases that store:

  • User accounts
  • Groups
  • Computers
  • Organizational units
  • Email addresses
  • Departmental info

🔍 What Is LDAP Enumeration?

LDAP enumeration involves querying the directory to extract:

  • Usernames
  • Group memberships
  • Email addresses
  • Computer names
  • Domain structure
  • Security policies

This helps attackers or auditors map the network, identify targets, and understand organizational structure.


🧪 Tools for LDAP Enumeration

Tool          Description
ldapsearch    Command-line tool for querying LDAP directories.
Nmap          Uses NSE scripts like ldap-search and ldap-brute to extract info.
enum4linux    Linux tool for enumerating Windows AD info via LDAP/Samba.
windapsearch  Python-based tool for querying Windows domains.
JXplorer      GUI-based LDAP browser for visual exploration.
AD Explorer   Advanced viewer/editor for Active Directory databases.

Example using ldapsearch (-x requests a simple, here anonymous, bind; -H takes a server URI and replaces the deprecated -h host option):

ldapsearch -x -H ldap://<IP_ADDRESS> -b "dc=example,dc=com"

Example using Nmap:

nmap -p 389 --script ldap-search <IP_ADDRESS>

⚠️ Risks of LDAP Enumeration

  • Exposure of sensitive internal data
  • Identification of valid usernames for brute-force attacks
  • Mapping of network structure for lateral movement
  • Potential for social engineering using harvested info

🛡️ How to Defend Against It

  • Disable anonymous LDAP binds
  • Use LDAP over SSL (LDAPS) on port 636
  • Restrict LDAP access to trusted IPs
  • Monitor and log LDAP queries
  • Implement strong authentication and access controls

Preventing LDAP enumeration is crucial for protecting sensitive directory information—especially in environments using Active Directory. Here’s a breakdown of how to lock things down effectively:


🛡️ How to Prevent LDAP Enumeration

🔒 1. Disable Anonymous Binds

  • Why: Anonymous binds allow unauthenticated users to query the directory.
  • How: Configure your LDAP server to reject anonymous connections.
    • In Active Directory: Set Require LDAP Signing via Group Policy.
    • In OpenLDAP: Use disallow bind_anon in slapd.conf.

🔐 2. Use LDAP over SSL (LDAPS)

  • Why: LDAPS encrypts traffic, preventing sniffing and man-in-the-middle attacks.
  • How: Enable LDAPS on port 636 and install a valid SSL certificate.
    • Ensure clients are configured to use LDAPS instead of plain LDAP.

👥 3. Restrict Access Based on IP or Role

  • Why: Limits who can query the directory.
  • How:
    • Use firewalls to allow LDAP access only from trusted IP ranges.
    • Apply ACLs (Access Control Lists) to restrict which users/groups can perform queries.

🧾 4. Audit and Monitor LDAP Queries

  • Why: Detect suspicious enumeration attempts.
  • How:
    • Enable LDAP logging on your directory server.
    • Use SIEM tools to monitor for patterns like mass user or group queries.
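As an added illustration of the monitoring step above (not part of the original post), the following stdlib-only Python script scans OpenLDAP slapd "stats" log lines and reports, per client IP, the patterns an enumeration attempt tends to leave: an anonymous bind, a subtree search with a wildcard filter, and an unusually large result set. The log lines are constructed for the example, and the 100-entry threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of OpenLDAP slapd "stats" log lines (not from a real server).
SAMPLE_LOG = """\
slapd[1234]: conn=1003 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
slapd[1234]: conn=1003 op=0 BIND dn="" method=128
slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
slapd[1234]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
slapd[1234]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=412 text=
slapd[1234]: conn=1004 fd=13 ACCEPT from IP=10.0.0.7:40112 (IP=0.0.0.0:389)
slapd[1234]: conn=1004 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128
slapd[1234]: conn=1004 op=0 RESULT tag=97 err=0 text=
slapd[1234]: conn=1004 op=1 SRCH base="uid=alice,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
slapd[1234]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# One regex per slapd log record type we care about.
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=\d+ nentries=(\d+)')

def analyze(log_text, entry_threshold=100):
    """Return {client_ip: [finding, ...]} for connections that look like enumeration.
    entry_threshold (assumed value) is the result-set size considered suspicious."""
    conn_ip, searches = {}, {}          # conn id -> client IP; (conn, op) -> search params
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conn_ip[m[1]] = m[2]
        elif m := BIND_RE.search(line):
            if m[2] == "":              # empty bind DN = anonymous bind
                findings[conn_ip.get(m[1], "?")].append("anonymous bind")
        elif m := SRCH_RE.search(line):
            searches[(m[1], m[2])] = (m[3], m[4], m[5])
        elif m := RESULT_RE.search(line):
            base, scope, filt = searches.get((m[1], m[2]), ("", "", ""))
            ip = conn_ip.get(m[1], "?")
            if scope == "2" and filt.lower() == "(objectclass=*)":   # whole-subtree dump
                findings[ip].append(f"subtree wildcard search at {base}")
            if int(m[3]) >= entry_threshold:
                findings[ip].append(f"large result set ({m[3]} entries)")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(notes))
```

The same record types are available from slapd with loglevel stats (256), so the script can be pointed at a real log file in place of SAMPLE_LOG.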

🧱 5. Limit Information Exposure

  • Why: Prevent attackers from gathering useful data.
  • How:
    • Configure directory permissions so only authorized users can view sensitive attributes.
    • Avoid exposing fields like email, phone, department, or group membership unnecessarily.

🔑 6. Enforce Strong Authentication

  • Why: Prevent unauthorized access.
  • How:
    • Require secure credentials for LDAP access.
    • Use multi-factor authentication (MFA) where possible.

🧪 7. Test Your Defenses

  • Why: Ensure your protections are working.
  • How:
    • Use tools like ldapsearch, enum4linux, or nmap to simulate enumeration attempts.
    • Verify that unauthorized queries are blocked or limited.

✅ Summary Table

Defense Strategy            Benefit
Disable anonymous binds     Blocks unauthenticated access
Use LDAPS                   Encrypts LDAP traffic
Restrict access             Limits exposure to trusted sources
Audit LDAP activity         Detects and responds to threats
Limit attribute visibility  Reduces data leakage risk
Strong authentication       Prevents unauthorized queries
Penetration testing         Validates security posture
