Nmap can expose LDAP in seconds. Lightweight Directory Access Protocol runs on port 389 by default. It holds authentication, authorization, and directory data — the keys to the kingdom. Whether you’re auditing infrastructure or probing a new network, Nmap’s precision with LDAP scanning makes it essential.
Run a simple command to start:
nmap -p 389 --script ldap-rootdse <target>
This checks the RootDSE entry, revealing vendor, version, and supported capabilities without logging in. For deeper analysis, Nmap’s ldap-search script can pull user, group, and schema entries. Use flags wisely. Limit queries to avoid triggering alerts or lockouts on production systems.
Common Nmap LDAP scripts:
ldap-search — dumps directory data.ldap-brute — tests authentication with a username list.ldap-novell-getpass — retrieves Novell eDirectory passwords when misconfigured.
Combine LDAP scanning with Nmap’s timing and host discovery options to map large networks quickly:
nmap -p 389 -T4 -Pn --script ldap-search <targets>
Security teams should verify encryption. LDAP without TLS sends credentials in cleartext. Nmap can detect StartTLS support with the ldap-starttls script. If absent, mark it as a high-priority fix.
Misconfigured LDAP is a direct line to sensitive data. Nmap doesn’t just find open ports — it shows what those ports reveal. Regular scanning and immediate remediation reduce risk.
Test your own LDAP targets. See how quickly vulnerabilities surface. Deploy a live environment and run Nmap against it without wasting hours on setup. Go to hoop.dev and watch it happen in minutes.