Lightweight Directory Access Protocol (LDAP) is a protocol used for accessing and managing directory information services.

It's commonly associated with Active Directory and openldap, which are directory, e.g. databases optimized for read-heavy access.

🐊️ Ports: 389 (TCP)

πŸ”₯ LDAP communications are not encrypted.

πŸ”’ There is a secure version called LDAPS (port 636, over SSL/TLS).

LDAP is derived from the X.500 standards. Messages exchanged between LDAP clients and servers are encoded using ASN.1.

A simple unencoded LDAP message:

cn=John Doe,ou=Users,dc=example,dc=com

LDAP Pentester Notes ☠️


You can use ldapsearch to find database entries.

$ ldapsearch -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" "(cn=John Doe)"
  • -H: use a custom socket
  • -D/-w: specify authentication data
  • -x: use basic authentication
  • -b: indicate the root of the search

About LDAP syntax:

  • * refers to "any"
  • () is used to group an expression
  • &/| are respectively the logical 'AND' and 'OR'

LDAP Injection

attacking_common_applications ldap_injection_authentication

Web applications using LDAP may be vulnerable to LDAP injection. These two expressions are always true: (cn=*) and (objectClass=*).

The most basic authentication bypass is * and * that authenticates as the first user found.