LDAP anonymous binding allowed

Find & dump misconfigured LDAP servers

LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and managing directory services over a network. Port 389 is the default for unencrypted connections and 636 is the default for LDAP over TLS. It provides authentication, authorization and information retrieval, and is commonly used for centralized user and resource management.

Anonymous binding in LDAP allows clients to connect without authenticating. If it is left enabled, anyone can read directory information, which creates risks such as data exposure and unauthorized queries. It should be restricted, especially in sensitive or enterprise environments.

SASL stands for Simple Authentication and Security Layer. Fortunately, an LDAP server advertises the SASL mechanisms it accepts in the supportedSASLMechanisms attribute of its root DSE, so I did a quick Shodan search for that hint and found hundreds of exposed LDAP servers: "LDAP" "SupportedSASLMechanisms: ANONYMOUS"
[*] shodan_results.png
A naming context in LDAP defines the root of a directory tree. To query and dump all data, you need the correct naming context as the base DN (Distinguished Name) for searches.
I wrote a simple bash script to dump all the data:
#!/bin/bash
# EXAMPLE USAGE: ./ldap_dump [ADDRESS] [PORT] > dump.txt
[ "$#" -eq 2 ] || { echo "usage: $0 ADDRESS PORT" >&2; exit 1; }

host="$1"
port="$2"

# query the root DSE; "+" asks for operational attributes, which include namingContexts
ldapsearch -x -H "ldap://$host:$port" -s base -b "" "(objectClass=*)" "+" 2>/dev/null |
  # extract the naming contexts from the response
  awk '/^namingContexts:/ {print $2}' |
  # use each naming context as the search base to dump the directory contents
  xargs -I{} ldapsearch -x -H "ldap://$host:$port" -b {}
It just parses the naming contexts and performs an LDAP query to retrieve all directory entries.

But there's more

I knew Shodan doesn't show all results, so this time I chose Censys with the following query: services.ldap.allows_anonymous_bind: true
[*] censys_results.png
Censys indexes more than 70K results, which is clearly a concerning number.
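Closing the hole on the server side, as an added example that is not part of the original post: an LDIF change for OpenLDAP's cn=config backend (assumed here; other directory servers have their own equivalents) that refuses anonymous simple binds, requires an authenticated identity for every operation, and stops offering SASL mechanisms that allow anonymous login, so the supportedSASLMechanisms hint above disappears and the root-DSE query the dump script starts with is no longer answered without credentials.

```ldif
# Added example, not from the original post. Assumes OpenLDAP with the
# cn=config backend, administered over the local ldapi:/// socket:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f disallow_anon.ldif
dn: cn=config
changetype: modify
# refuse anonymous simple binds (empty DN, empty password)
replace: olcDisallows
olcDisallows: bind_anon
-
# require an authenticated identity for every operation
replace: olcRequires
olcRequires: authc
-
# do not offer SASL mechanisms that permit anonymous login, so
# "supportedSASLMechanisms: ANONYMOUS" no longer appears in the root DSE
replace: olcSaslSecProps
olcSaslSecProps: noanonymous
```

After the change, the script's first query (ldapsearch -x -H ldap://HOST:389 -s base -b "" "(objectClass=*)" "+") is refused with "anonymous bind disallowed" (LDAP result 48) instead of returning namingContexts, so there is nothing for the rest of the pipeline to dump.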