Nmap LDAP Enumeration: Quick Scans for Critical Data

Nmap can expose LDAP in seconds. Lightweight Directory Access Protocol runs on port 389 by default. It holds authentication, authorization, and directory data — the keys to the kingdom. Whether you’re auditing infrastructure or probing a new network, Nmap’s precision with LDAP scanning makes it essential.

Run a simple command to start:

nmap -p 389 --script ldap-rootdse <target>

This checks the RootDSE entry, revealing vendor, version, and supported capabilities without logging in. For deeper analysis, Nmap’s ldap-search script can pull user, group, and schema entries. Use flags wisely. Limit queries to avoid triggering alerts or lockouts on production systems.

Common Nmap LDAP scripts:

  • ldap-search — dumps directory data.
  • ldap-brute — tests authentication with a username list.
  • ldap-novell-getpass — retrieves Novell eDirectory passwords when misconfigured.

Combine LDAP scanning with Nmap’s timing and host discovery options to map large networks quickly:

nmap -p 389 -T4 -Pn --script ldap-search <targets>

Security teams should verify encryption. LDAP without TLS sends credentials in cleartext. Nmap can detect StartTLS support with the ldap-starttls script. If absent, mark it as a high-priority fix.
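The RootDSE entry returned by ldap-rootdse already carries the evidence for this check: a server that supports StartTLS lists the extended-operation OID 1.3.6.1.4.1.1466.20037 under supportedExtension. The following is an added example, not code from the original article or from the Nmap project; it parses saved scan output and reports hosts that do not advertise StartTLS. The sample output, hostnames and function names are constructed for illustration.

```python
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

# Constructed sample of ldap-rootdse output for two hosts (not from a real scan).
SAMPLE = """\
Nmap scan report for dc1.example.test (192.0.2.10)
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       namingContexts: DC=example,DC=test
|       supportedExtension: 1.3.6.1.4.1.1466.20037
|       supportedSASLMechanisms: GSSAPI
|_      supportedLDAPVersion: 3
Nmap scan report for ldap2.example.test (192.0.2.20)
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       namingContexts: dc=example,dc=test
|       supportedSASLMechanisms: PLAIN
|_      supportedLDAPVersion: 3
"""

ATTR = re.compile(r"^\|[_ ]\s+(\w+): (.+)$")  # indented "name: value" script lines

def parse_rootdse(text):
    """Return {host: {attribute: [values]}} from ldap-rootdse script output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            current = hosts.setdefault(line.split(" for ", 1)[1], defaultdict(list))
        elif current is not None and (m := ATTR.match(line)):
            current[m.group(1)].append(m.group(2).strip())
    return hosts

def findings(text):
    """List (host, issue) pairs for servers that do not advertise StartTLS."""
    out = []
    for host, attrs in parse_rootdse(text).items():
        if STARTTLS_OID in attrs["supportedExtension"]:
            continue  # advertised; whether TLS is enforced needs a separate check
        out.append((host, "StartTLS not advertised in RootDSE"))
        for mech in attrs["supportedSASLMechanisms"]:
            if mech in ("PLAIN", "LOGIN"):
                out.append((host, f"{mech} bind would be sent unencrypted"))
    return out
```

Calling findings() on the saved output of the ldap-rootdse command above returns one entry per issue; an advertised OID only shows the server offers StartTLS, not that it rejects unencrypted binds.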

Misconfigured LDAP is a direct line to sensitive data. Nmap doesn’t just find open ports — it shows what those ports reveal. Regular scanning and immediate remediation reduce risk.

Test your own LDAP targets. See how quickly vulnerabilities surface. Deploy a live environment and run Nmap against it without wasting hours on setup. Go to hoop.dev and watch it happen in minutes.