LDAP Anonymous Login Unauthenticated Access Scanner

This scanner detects LDAP servers that accept an anonymous (unauthenticated) bind on the target asset. Where anonymous bind is permitted and not paired with restrictive access controls, the directory can expose sensitive information to anyone who can reach the service.

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 23 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

LDAP (Lightweight Directory Access Protocol) is widely used for accessing and maintaining distributed directory information services over a network. Many enterprise applications and systems, including Microsoft Active Directory, use LDAP for authentication, authorization, and directory queries, and organizations rely on it to manage user credentials, group memberships, and other identity-related metadata. This scanner checks whether the LDAP service permits an anonymous bind, that is, a bind operation in which no credentials are supplied. If the directory is not otherwise locked down, an anonymous bind can expose sensitive entries such as usernames, organizational structure, or email addresses. LDAP servers should be configured to refuse anonymous access wherever it is not explicitly required.

Anonymous bind is a mechanism in LDAP that allows a client to connect and operate without authenticating. It exists for environments that deliberately publish directory information, but it becomes a significant risk when sensitive data is reachable without credentials. Improper configuration then results in information disclosure that supports user enumeration and follow-on attacks such as password spraying. This weakness often stems from legacy configurations or inadequate access control policies. Detecting anonymous bind capability lets administrators lock down their directory services, and restricting anonymous access is a standard best practice to prevent unauthorized insight into directory contents.

The scanner connects to the LDAP service on the target host and sends a bind request with empty credentials (an empty DN and an empty password, which RFC 4513 defines as an anonymous simple bind; a non-empty DN with an empty password is instead an "unauthenticated" bind, which servers such as Active Directory reject by default). If the server answers the bind with a success result code and then permits the client to read directory metadata (such as the root DSE), the server is considered to allow anonymous login. The detection logic evaluates the result code in the server's BindResponse. The detection method uses a JavaScript-based module to establish a client session, configure connection upgrade options, and collect directory metadata once the bind succeeds. Such access may reveal the directory structure or user information. The result is flagged when the LDAP server does not reject the unauthenticated bind.

If a malicious actor exploits this issue, they can enumerate users, groups, and other sensitive directory information. That reconnaissance supports follow-on attacks such as password spraying and brute-force authentication, targeted phishing, and lateral movement, and it lets attackers single out privileged accounts or stale, legacy objects. Exposure of the internal schema or attribute mappings reveals operational details about the organization, and even limited directory information can support social engineering. In regulated environments, such exposure may also constitute a compliance violation.
