HIGH: Open LDAP TCP Report

DESCRIPTION LAST UPDATED: 2023-12-15

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have an LDAP instance running on port 389/TCP that are accessible on the Internet.

These hosts are often Active Directory servers. The data disclosed by the server could reveal large amounts of information about the network that the server resides on.

Items in the report that have no LDAP responses filled are most likely to be OpenLDAP instances, which use a different schema than Active Directory servers.

You can view LDAP TCP scan reports on our Dashboard by selecting source “scan + scan6” and the “ldap-tcp” tag.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename(s): scan_ldap_tcp, scan6_ldap_tcp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from (389/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be ldap-tcp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • size
    The size of the response (without headers)
  • configuration_naming_context
    Distinguished name of the root of the configuration naming context of the domain controller
  • current_time
    The current system time on the domain controller
  • default_naming_context
    Distinguished name of the default naming context of the domain controller
  • dns_host_name
    DNS address of the domain controller
  • domain_controller_functionality
    Integer indicating the functional level of the domain controller
  • domain_functionality
    Integer indicating the functional level of the domain
  • ds_service_name
    Distinguished name of the nTDSDSA object for the domain controller
  • forest_functionality
    Integer indicating the functional level of the forest
  • highest_committed_usn
    The update sequence number of the domain controller
  • is_global_catalog_ready
    Boolean value indicating if this DC is a global catalog that has completed at least one synchronization of its global catalog data with its replication partners
  • is_synchronized
    Boolean value indicating if the DC has completed at least one synchronization with its replication partners
  • ldap_service_name
    The LDAP service name for the LDAP server on the domain controller
  • naming_contexts
    Multivalued set of distinguished names
  • root_domain_naming_context
    The distinguished name of the root domain naming context
  • schema_naming_context
    The distinguished name of the root of the schema naming context
  • server_name
    The distinguished name of the server object
  • subschema_subentry
    The distinguished name for the location of the subSchema object where the classes and attributes in the directory are defined
  • supported_capabilities
    A multivalued set of OIDs specifying the capabilities supported by the domain controller
  • supported_control
    A multivalued set of OIDs specifying the LDAP controls supported by the domain controller
  • supported_ldap_policies
    A multivalued set of strings specifying the LDAP administrative query policies supported by the domain controller
  • supported_ldap_version
    Set of integers specifying the versions of LDAP supported by the domain controller
  • supported_sasl_mechanisms
    A multivalued set of strings specifying the security mechanisms supported for SASL negotiation
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
  • handshake
    The highest SSL handshake that could be negotiated (TLSv1.2, TLSv1.1, TLSv1.0, SSLv3)
  • cipher_suite
    The highest CipherSuite that was able to be negotiated
  • cert_length
    Certificate Key Length (1024 bit, 2048 bit, et cetera)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name (CN) of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of the SSL certificate
  • cert_serial_number
    Serial number embedded in the SSL certificate
  • ssl_version
    SSL Version number
  • signature_algorithm
    Algorithm used to sign the SSL certificate
  • key_algorithm
    Algorithm used by the key
  • subject_organization_name
    Organization Name (O) of the SSL certificate
  • subject_organization_unit_name
    Organization Unit Name (OU) of the SSL certificate
  • subject_country
    Country Name (C) of the SSL certificate
  • subject_state_or_province_name
    State or Province Name (ST) of the SSL certificate
  • subject_locality_name
    Locality Name (L) of the SSL certificate
  • subject_street_address
    Street address of the SSL certificate
  • subject_postal_code
    Postal code of the SSL certificate
  • subject_surname
    Surname (SN) of the SSL certificate
  • subject_given_name
    Given name (GN) of the SSL certificate
  • subject_email_address
    Email address of the SSL certificate
  • subject_business_category
    Business category of the SSL certificate
  • subject_serial_number
    Serial number of the SSL certificate
  • issuer_organization_name
    Organization name (O) of the entity that signed the SSL certificate
  • issuer_organization_unit_name
    Organization unit name (OU) of the entity that signed the SSL certificate
  • issuer_country
    Country name (C) of the entity that signed the SSL certificate
  • issuer_state_or_province_name
    State or Province name (ST) of the entity that signed the SSL certificate
  • issuer_locality_name
    Locality name (L) of the entity that signed the SSL certificate
  • issuer_street_address
    Street address of the entity that signed the SSL certificate
  • issuer_postal_code
    Postal code of the entity that signed the SSL certificate
  • issuer_surname
    Surname (SN) of the entity that signed the SSL certificate
  • issuer_given_name
    Given name (GN) of the entity that signed the SSL certificate
  • issuer_email_address
    Email address of the entity that signed the SSL certificate
  • issuer_business_category
    Business category of the entity that signed the SSL certificate
  • issuer_serial_number
    Serial number of the entity that signed the SSL certificate
  • sector
    Sector the device belongs to
  • sha256_fingerprint
    SHA256 fingerprint of the SSL certificate
  • sha512_fingerprint
    SHA512 fingerprint of the SSL certificate
  • md5_fingerprint
    MD5 fingerprint of the SSL certificate
  • cert_valid
    Is the SSL certificate valid or not (Y/N)
  • self_signed
    Is the SSL certificate self-signed (Y/N)
  • cert_expired
    Is the SSL certificate expired (Y/N)
  • validation_level
    The validation level of the SSL certificate: EV, OV, or unknown
  • auth_tls_response
    Response when a TLS authentication attempt is made
  • auth_ssl_response
    Response when a SSL authentication attempt is made (attempted only if the TLS Auth attempt fails)
  • tlsv13_support
    Is TLS v1.3 supported?
  • tlsv13_cipher
    TLS v1.3 cipher
  • jarm
    JARM hash
  • device_vendor
    The identified device vendor
  • device_type
    Device classification (for example, router, firewall, nas, video-system etc)
  • device_model
    The identified device model
  • device_version
    Device version, if any
  • device_sector
    Sector of the device in question (consumer, enterprise, industrial)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","response_size","configuration_naming_context","current_time","default_naming_context","dns_host_name","domain_controller_functionality","domain_functionality","ds_service_name","forest_functionality","highest_committed_usn","is_global_catalog_ready","is_synchronized","ldap_service_name","naming_contexts","root_domain_naming_context","schema_naming_context","server_name","subschema_subentry","supported_capabilities","supported_control","supported_ldap_policies","supported_ldap_version","supported_sasl_mechanisms","amplification","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sector","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","auth_tls_response","auth_ssl_response","tlsv13_support","tlsv13_cipher","jarm","device_vendor","device_type","device_model","device_version","device_sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,389,node01.example.com,ldap-tcp,64512,ZZ,Region,City,0,ptr,,"CN=Configuration,DC=ad,DC=example,DC=com",20231125010820.0Z,"DC=ad,DC=example,DC=com",node01.example.com,7,7,"CN=Configuration,DC=ad,DC=example,DC=com",7,94573,TRUE,TRUE,node01.example.com,"DC=ad,DC=example,DC=com|CN=Configuration,DC=example,DC=com|CN=Schema,CN=Configuration,DC=example,DC=com","DC=example,DC=com","CN=Schema,CN=Configuration,DC=example,DC=com","CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com","CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com",1.2.840.113556.1.4.8001.2.840.113556.1.4.1670|1.2.840.113556.1.4.1791|1.2.840.113556.1.4.1935|1.2.840.113556.1.4.2080|1.2.840.113556.1.4.2237,1.2.840.113556.1.4.3191.2.840.113556.1.4.801|1.2.840.113556.1.4.473|1.2.840.113556.1.4.528|1.2.840.113556.1.4.417|1.2.840.113556.1.4.619|1.2.840.113556.1.4.841|1.2.840.113556.1.4.529|1.2.840.113556.1.4.805|1.2.840.113556.1.4.521|1.2.840.113556.1.4.970|1.2.840.113556.1.4.1338|1.2.840.113556.1.4.474|1.2.840.113556.1.4.1339|1.2.840.113556.1.4.1340|1.2.840.113556.1.4.1413|2.16.840.1.113730.3.4.9|2.16.840.1.113730.3.4.10|1.2.840.113556.1.4.1504|1.2.840.113556.1.4.1852|1.2.840.113556.1.4.802|1.2.840.113556.1.4.1907|1.2.840.113556.1.4.1948|1.2.840.113556.1.4.1974|1.2.840.113556.1.4.1341|1.2.840.113556.1.4.2026|1.2.840.113556.1.4.2064|1.2.840.113556.1.4.2065|1.2.840.113556.1.4.2066|1.2.840.113556.1.4.2090|1.2.840.113556.1.4.2205|1.2.840.113556.1.4.2204|1.2.840.113556.1.4.2206|1.2.840.113556.1.4.2211|1.2.840.113556.1.4.2239|1.2.840.113556.1.4.2255|1.2.840.113556.1.4.2256|1.2.840.113556.1.4.2309,MaxPoolThreadsMaxPercentDirSyncRequests|MaxDatagramRecv|MaxReceiveBuffer|InitRecvTimeout|MaxConnections|MaxConnIdleTime|MaxPageSize|MaxBatchReturnMessages|MaxQueryDuration|MaxDirSyncDuration|MaxTempTableSize|MaxResultSetSize|MinResultSets|MaxResultSetsPerConn|MaxNotificationPerConn|MaxValRange|MaxValRangeTransitive|ThreadMemoryLimit|SystemMemoryLimitPercent,32,GSSAPIGSS-SPNEGO|EXTERNAL|DIGEST-MD5,,,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,"Communications, Service Provider, and Hosting Service",E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,,,,,,,,,,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,389,node02.example.com,ldap-tcp,64512,ZZ,Region,City,0,ptr,,"CN=Configuration,DC=ad,DC=example,DC=com",20231125010920.0Z,"DC=ad,DC=example,DC=com",node02.example.com,7,7,"CN=Configuration,DC=ad,DC=example,DC=com",7,856350,TRUE,TRUE,node02.example.com,"DC=ad,DC=example,DC=com|CN=Configuration,DC=example,DC=com|CN=Schema,CN=Configuration,DC=example,DC=com","DC=example,DC=com","CN=Schema,CN=Configuration,DC=example,DC=com","CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com","CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com",1.2.840.113556.1.4.8001.2.840.113556.1.4.1670|1.2.840.113556.1.4.1791|1.2.840.113556.1.4.1935|1.2.840.113556.1.4.2080|1.2.840.113556.1.4.2237,1.2.840.113556.1.4.3191.2.840.113556.1.4.801|1.2.840.113556.1.4.473|1.2.840.113556.1.4.528|1.2.840.113556.1.4.417|1.2.840.113556.1.4.619|1.2.840.113556.1.4.841|1.2.840.113556.1.4.529|1.2.840.113556.1.4.805|1.2.840.113556.1.4.521|1.2.840.113556.1.4.970|1.2.840.113556.1.4.1338|1.2.840.113556.1.4.474|1.2.840.113556.1.4.1339|1.2.840.113556.1.4.1340|1.2.840.113556.1.4.1413|2.16.840.1.113730.3.4.9|2.16.840.1.113730.3.4.10|1.2.840.113556.1.4.1504|1.2.840.113556.1.4.1852|1.2.840.113556.1.4.802|1.2.840.113556.1.4.1907|1.2.840.113556.1.4.1948|1.2.840.113556.1.4.1974|1.2.840.113556.1.4.1341|1.2.840.113556.1.4.2026|1.2.840.113556.1.4.2064|1.2.840.113556.1.4.2065|1.2.840.113556.1.4.2066|1.2.840.113556.1.4.2090|1.2.840.113556.1.4.2205|1.2.840.113556.1.4.2204|1.2.840.113556.1.4.2206|1.2.840.113556.1.4.2211|1.2.840.113556.1.4.2239|1.2.840.113556.1.4.2255|1.2.840.113556.1.4.2256|1.2.840.113556.1.4.2309|1.2.840.113556.1.4.2330|1.2.840.113556.1.4.2354,MaxPoolThreadsMaxPercentDirSyncRequests|MaxDatagramRecv|MaxReceiveBuffer|InitRecvTimeout|MaxConnections|MaxConnIdleTime|MaxPageSize|MaxBatchReturnMessages|MaxQueryDuration|MaxDirSyncDuration|MaxTempTableSize|MaxResultSetSize|MinResultSets|MaxResultSetsPerConn|MaxNotificationPerConn|MaxValRange|MaxValRangeTransitive|ThreadMemoryLimit|SystemMemoryLimitPercent,32,GSSAPIGSS-SPNEGO|EXTERNAL|DIGEST-MD5,,,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,,,,,,,,,,
"2010-02-10 00:00:02",high,192.168.0.3,tcp,389,node03.example.com,ldap-tcp,64512,ZZ,Region,City,0,,,"CN=Configuration,DC=ad,DC=example,DC=com",20231125010814.0Z,"DC=ad,DC=example,DC=com",node03.example.com,7,7,"CN=Configuration,DC=ad,DC=example,DC=com",7,271897,TRUE,TRUE,node03.example.com,"DC=ad,DC=example,DC=com|CN=Configuration,DC=example,DC=com|CN=Schema,CN=Configuration,DC=example,DC=com","DC=example,DC=com","CN=Schema,CN=Configuration,DC=example,DC=com","CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com","CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com",1.2.840.113556.1.4.8001.2.840.113556.1.4.1670|1.2.840.113556.1.4.1791|1.2.840.113556.1.4.1935|1.2.840.113556.1.4.2080|1.2.840.113556.1.4.2237,1.2.840.113556.1.4.3191.2.840.113556.1.4.801|1.2.840.113556.1.4.473|1.2.840.113556.1.4.528|1.2.840.113556.1.4.417|1.2.840.113556.1.4.619|1.2.840.113556.1.4.841|1.2.840.113556.1.4.529|1.2.840.113556.1.4.805|1.2.840.113556.1.4.521|1.2.840.113556.1.4.970|1.2.840.113556.1.4.1338|1.2.840.113556.1.4.474|1.2.840.113556.1.4.1339|1.2.840.113556.1.4.1340|1.2.840.113556.1.4.1413|2.16.840.1.113730.3.4.9|2.16.840.1.113730.3.4.10|1.2.840.113556.1.4.1504|1.2.840.113556.1.4.1852|1.2.840.113556.1.4.802|1.2.840.113556.1.4.1907|1.2.840.113556.1.4.1948|1.2.840.113556.1.4.1974|1.2.840.113556.1.4.1341|1.2.840.113556.1.4.2026|1.2.840.113556.1.4.2064|1.2.840.113556.1.4.2065|1.2.840.113556.1.4.2066|1.2.840.113556.1.4.2090|1.2.840.113556.1.4.2205|1.2.840.113556.1.4.2204|1.2.840.113556.1.4.2206|1.2.840.113556.1.4.2211|1.2.840.113556.1.4.2239|1.2.840.113556.1.4.2255|1.2.840.113556.1.4.2256|1.2.840.113556.1.4.2309|1.2.840.113556.1.4.2330|1.2.840.113556.1.4.2354,MaxPoolThreadsMaxPercentDirSyncRequests|MaxDatagramRecv|MaxReceiveBuffer|InitRecvTimeout|MaxConnections|MaxConnIdleTime|MaxPageSize|MaxBatchReturnMessages|MaxQueryDuration|MaxDirSyncDuration|MaxTempTableSize|MaxResultSetSize|MinResultSets|MaxResultSetsPerConn|MaxNotificationPerConn|MaxValRange|MaxValRangeTransitive|ThreadMemoryLimit|SystemMemoryLimitPercent,32,GSSAPIGSS-SPNEGO|EXTERNAL|DIGEST-MD5,,,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,,,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,,,,,,,,,,,

Our 131 Report Types

« Back to Network Reporting