HIGH: Open LDAP Report

DESCRIPTION LAST UPDATED: 2023-12-15

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have an LDAP instance running on port 389/UDP that are accessible on the Internet.

These hosts are often Active Directory servers. In addition to allowing for an ~60x amplification vector, the data disclosed by the server could reveal large amounts of information about the network that the server resides on.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename(s): scan_ldap_udp

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the response came on (always UDP)
port

Port that the response came from (389/UDP)
hostname

Reverse DNS name of the device in question
tag

Will always be ldap-udp
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
response_size

The size of the response (without UDP headers)
configuration_naming_context

Distinguished name of the root of the configuration naming context of the domain controller
current_time

The current system time on the domain controller
default_naming_context

Distinguished name of the default naming context of the domain controller
dns_host_name

DNS address of the domain controller
domain_controller_functionality

Integer indicating the functional level of the domain controller
domain_functionality

Integer indicating the functional level of the domain
ds_service_name

Distinguished name of the nTDSDSA object for the domain controller
forest_functionality

Integer indicating the functional level of the forest
highest_committed_usn

The update sequence number of the domain controller
is_global_catalog_ready

Boolean value indicating if this DC is a global catalog that has completed at least one synchronization of its global catalog data with its replication partners
is_synchronized

Boolean value indicating if the DC has completed at least one synchronization with its replication partners
ldap_service_name

The LDAP service name for the LDAP server on the domain controller
naming_contexts

Multivalued set of distinguished names
root_domain_naming_context

The distinguished name of the root domain naming context
schema_naming_context

The distinguished name of the root of the schema naming context
server_name

The distinguished name of the server object
subschema_subentry

The distinguished name for the location of the subSchema object where the classes and attributes in the directory are defined
supported_capabilities

A multivalued set of OIDs specifying the capabilities supported by the domain controller
supported_control

A multivalued set of OIDs specifying the LDAP controls supported by the domain controller
supported_ldap_policies

A multivalued set of strings specifying the LDAP administrative query policies supported by the domain controller
supported_ldap_version

Set of integers specifying the versions of LDAP supported by the domain controller
supported_sasl_mechanisms

A multivalued set of strings specifying the security mechanisms supported for SASL negotiation
amplification

Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
sector

Sector of the IP in question

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","response_size","configuration_naming_context","current_time","default_naming_context","dns_host_name","domain_controller_functionality","domain_functionality","ds_service_name","forest_functionality","highest_committed_usn","is_global_catalog_ready","is_synchronized","ldap_service_name","naming_contexts","root_domain_naming_context","schema_naming_context","server_name","subschema_subentry","supported_capabilities","supported_control","supported_ldap_policies","supported_ldap_version","supported_sasl_mechanisms","amplification","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,389,node01.example.com,ldap-udp,64512,ZZ,Region,City,0,,2942,"CN=Configuration,DC=ad,DC=example,DC=com",20231125002513.0Z,"DC=ad,DC=example,DC=com",node01.example.com,7,7,"CN=Configuration,DC=ad,DC=example,DC=com",7,14571539,TRUE,TRUE,node01.example.com,"DC=ad,DC=example,DC=com|CN=Configuration,DC=example,DC=com|CN=Schema,CN=Configuration,DC=example,DC=com","DC=example,DC=com","CN=Schema,CN=Configuration,DC=example,DC=com","CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com","CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com",1.2.840.113556.1.4.800|1.2.840.113556.1.4.1670|1.2.840.113556.1.4.1791|1.2.840.113556.1.4.1935|1.2.840.113556.1.4.2080|1.2.840.113556.1.4.2237,1.2.840.113556.1.4.319|1.2.840.113556.1.4.801|1.2.840.113556.1.4.473|1.2.840.113556.1.4.528|1.2.840.113556.1.4.417|1.2.840.113556.1.4.619|1.2.840.113556.1.4.841|1.2.840.113556.1.4.529|1.2.840.113556.1.4.805|1.2.840.113556.1.4.521|1.2.840.113556.1.4.970|1.2.840.113556.1.4.1338|1.2.840.113556.1.4.474|1.2.840.113556.1.4.1339|1.2.840.113556.1.4.1340|1.2.840.113556.1.4.1413|2.16.840.1.113730.3.4.9|2.16.840.1.113730.3.4.10|1.2.840.113556.1.4.1504|1.2.840.113556.1.4.1852|1.2.840.113556.1.4.802|1.2.840.113556.1.4.1907|1.2.840.113556.1.4.1948|1.2.840.113556.1.4.1974|1.2.840.113556.1.4.1341|1.2.840.113556.1.4.2026|1.2.840.113556.1.4.2064|1.2.840.113556.1.4.2065|1.2.840.113556.1.4.2066|1.2.840.113556.1.4.2090|1.2.840.113556.1.4.2205|1.2.840.113556.1.4.2204|1.2.840.113556.1.4.2206|1.2.840.113556.1.4.2211|1.2.840.113556.1.4.2239|1.2.840.113556.1.4.2255|1.2.840.113556.1.4.2256|1.2.840.113556.1.4.2309|1.2.840.113556.1.4.2330|1.2.840.113556.1.4.2354,MaxPoolThreads|MaxPercentDirSyncRequests|MaxDatagramRecv|MaxReceiveBuffer|InitRecvTimeout|MaxConnections|MaxConnIdleTime|MaxPageSize|MaxBatchReturnMessages|MaxQueryDuration|MaxDirSyncDuration|MaxTempTableSize|MaxResultSetSize|MinResultSets|MaxResultSetsPerConn|MaxNotificationPerConn|MaxValRange|MaxValRangeTransitive|ThreadMemoryLimit|SystemMemoryLimitPercent,3|2,GSSAPI|GSS-SPNEGO|EXTERNAL|DIGEST-MD5,56.58,
"2010-02-10 00:00:01",high,192.168.0.2,udp,389,node02.example.com,ldap-udp,64512,ZZ,Region,City,0,ptr,2320,"CN=Configuration,DC=ad,DC=example,DC=com",20231125002522.0Z,"DC=ad,DC=example,DC=com",node02.example.com,2,0,"CN=Configuration,DC=ad,DC=example,DC=com",0,4509553,TRUE,TRUE,node02.example.com,"DC=ad,DC=example,DC=com|CN=Configuration,DC=example,DC=com|CN=Schema,CN=Configuration,DC=example,DC=com","DC=example,DC=com","CN=Schema,CN=Configuration,DC=example,DC=com","CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com","CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com",1.2.840.113556.1.4.800|1.2.840.113556.1.4.1670|1.2.840.113556.1.4.1791,1.2.840.113556.1.4.319|1.2.840.113556.1.4.801|1.2.840.113556.1.4.473|1.2.840.113556.1.4.528|1.2.840.113556.1.4.417|1.2.840.113556.1.4.619|1.2.840.113556.1.4.841|1.2.840.113556.1.4.529|1.2.840.113556.1.4.805|1.2.840.113556.1.4.521|1.2.840.113556.1.4.970|1.2.840.113556.1.4.1338|1.2.840.113556.1.4.474|1.2.840.113556.1.4.1339|1.2.840.113556.1.4.1340|1.2.840.113556.1.4.1413|2.16.840.1.113730.3.4.9|2.16.840.1.113730.3.4.10|1.2.840.113556.1.4.1504|1.2.840.113556.1.4.1852|1.2.840.113556.1.4.802|1.2.840.113556.1.4.1907|1.2.840.113556.1.4.1948,MaxPoolThreads|MaxDatagramRecv|MaxReceiveBuffer|InitRecvTimeout|MaxConnections|MaxConnIdleTime|MaxPageSize|MaxQueryDuration|MaxTempTableSize|MaxResultSetSize|MaxNotificationPerConn|MaxValRange|ThreadMemoryLimit|SystemMemoryLimitPercent,3|2,GSSAPI|GSS-SPNEGO|EXTERNAL|DIGEST-MD5,44.62,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",high,192.168.0.3,udp,389,node03.example.com,ldap-udp,64512,ZZ,Region,City,0,ptr,2891,"CN=Configuration,DC=ad,DC=example,DC=com",20231125003020.0Z,"DC=ad,DC=example,DC=com",node03.example.com,6,6,"CN=Configuration,DC=ad,DC=example,DC=com",3,1866678,TRUE,TRUE,node03.example.com,"DC=ad,DC=example,DC=com|CN=Configuration,DC=example,DC=com|CN=Schema,CN=Configuration,DC=example,DC=com","DC=example,DC=com","CN=Schema,CN=Configuration,DC=example,DC=com","CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com","CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com",1.2.840.113556.1.4.800|1.2.840.113556.1.4.1670|1.2.840.113556.1.4.1791|1.2.840.113556.1.4.1935|1.2.840.113556.1.4.2080|1.2.840.113556.1.4.2237,1.2.840.113556.1.4.319|1.2.840.113556.1.4.801|1.2.840.113556.1.4.473|1.2.840.113556.1.4.528|1.2.840.113556.1.4.417|1.2.840.113556.1.4.619|1.2.840.113556.1.4.841|1.2.840.113556.1.4.529|1.2.840.113556.1.4.805|1.2.840.113556.1.4.521|1.2.840.113556.1.4.970|1.2.840.113556.1.4.1338|1.2.840.113556.1.4.474|1.2.840.113556.1.4.1339|1.2.840.113556.1.4.1340|1.2.840.113556.1.4.1413|2.16.840.1.113730.3.4.9|2.16.840.1.113730.3.4.10|1.2.840.113556.1.4.1504|1.2.840.113556.1.4.1852|1.2.840.113556.1.4.802|1.2.840.113556.1.4.1907|1.2.840.113556.1.4.1948|1.2.840.113556.1.4.1974|1.2.840.113556.1.4.1341|1.2.840.113556.1.4.2026|1.2.840.113556.1.4.2064|1.2.840.113556.1.4.2065|1.2.840.113556.1.4.2066|1.2.840.113556.1.4.2090|1.2.840.113556.1.4.2205|1.2.840.113556.1.4.2204|1.2.840.113556.1.4.2206|1.2.840.113556.1.4.2211|1.2.840.113556.1.4.2239|1.2.840.113556.1.4.2255|1.2.840.113556.1.4.2256,MaxPoolThreads|MaxPercentDirSyncRequests|MaxDatagramRecv|MaxReceiveBuffer|InitRecvTimeout|MaxConnections|MaxConnIdleTime|MaxPageSize|MaxBatchReturnMessages|MaxQueryDuration|MaxTempTableSize|MaxResultSetSize|MinResultSets|MaxResultSetsPerConn|MaxNotificationPerConn|MaxValRange|MaxValRangeTransitive|ThreadMemoryLimit|SystemMemoryLimitPercent,3|2,GSSAPI|GSS-SPNEGO|EXTERNAL|DIGEST-MD5,55.60,

Our 135 Report Types

« Back to Network Reporting