What is SNMP and LDAP Enumeration in Ethical Hacking? Tools, Ports, Commands, and Protection Guide

SNMP and LDAP enumeration are critical techniques in ethical hacking for gathering information about network devices and directory services. Learn the ports used, services exposed, common tools like snmpwalk and ldapsearch, command examples, risks, and how to defend against enumeration attacks.

What Is Enumeration in Ethical Hacking?

Enumeration means collecting detailed information from a target system in a network. It helps ethical hackers find:

  • Usernames

  • Network shares

  • Services running

  • Devices and configurations

Two common types of enumeration used in cybersecurity are SNMP Enumeration and LDAP Enumeration. Let’s understand them one by one.

What is SNMP Enumeration?

SNMP stands for Simple Network Management Protocol.

It is used to monitor and manage devices on a network like routers, switches, printers, and servers.

Default Ports:

  • UDP 161 – For queries and responses between the management station and the device's SNMP agent

  • UDP 162 – For receiving alerts (called "traps")

Services Provided by SNMP:

  • Monitor network device health

  • Get device configuration details

  • Collect interface and routing info

  • Read system information like CPU, memory, OS

Why Is SNMP Enumeration Important?

If not properly secured, SNMP can reveal sensitive information, including:

  • Device name and location

  • Network interfaces and IPs

  • ARP table

  • Routing table

  • Installed software

  • Uptime and performance data

Tools Used for SNMP Enumeration

| Tool Name | Function |
|---|---|
| snmpwalk | Retrieves all SNMP information from a device |
| snmpcheck | Checks for SNMP misconfigurations |
| Nmap (with SNMP scripts) | Scans and extracts SNMP data |
| SolarWinds SNMP Toolset | GUI-based SNMP management |
| Metasploit SNMP modules | Automates SNMP exploitation |

Example Commands

snmpwalk -v 2c -c public 192.168.1.1
  • -v 2c = SNMP version

  • -c public = Community string (like a password)

  • 192.168.1.1 = Target IP

What is LDAP Enumeration?

LDAP stands for Lightweight Directory Access Protocol.

It’s used to access and manage directory services like Active Directory in Windows environments.

Default Port Numbers:

  • TCP 389 – Regular LDAP

  • TCP 636 – Secure LDAP (LDAPS)

Services Provided by LDAP:

  • Store and retrieve user credentials

  • Maintain access control lists

  • Manage group policies

  • Directory lookups for users, printers, devices

Why Is LDAP Enumeration Important?

LDAP servers often hold sensitive data like:

  • Usernames and password policies

  • Group membership

  • Domain structure

  • Email addresses

  • Computer and service accounts

Tools Used for LDAP Enumeration

| Tool Name | Function |
|---|---|
| ldapsearch | Queries directory info from LDAP servers |
| Nmap (LDAP scripts) | Extracts LDAP data via script scanning |
| Metasploit | Automates enumeration with built-in LDAP modules |
| AD Explorer | GUI tool to view LDAP/AD data |
| LDAPAdmin | Browse and edit LDAP directory |

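Example Commands

ldapsearch -x -H ldap://192.168.1.100 -b "dc=company,dc=com"
  • -x = Simple auth (with no bind DN given, the bind is anonymous)

  • -H = LDAP server URI (the older -h option, which took a bare host or IP, is deprecated in favor of -H)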

  • -b = Base domain to start searching
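
From the defender's side, an anonymous subtree search like the ldapsearch command above leaves a recognizable trail in the directory server's log. The following is an added example, not part of the original article: it assumes OpenLDAP slapd logging at the "stats" level, uses a constructed log sample, and the function name and the 100-entry threshold are illustrative choices.

```python
import re

# Patterns for OpenLDAP slapd "stats" log lines (format assumed; adapt to your server).
ACCEPT   = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+")
BIND_REQ = re.compile(r'conn=(\d+) op=\d+ BIND dn="[^"]*" method=')
BIND_OK  = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=')
SRCH     = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
RESULT   = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)")

def find_anonymous_dumps(lines, min_entries=100):
    """Flag subtree searches on unauthenticated connections that return many entries."""
    src, bound, pending, alerts = {}, {}, {}, []
    for line in lines:
        if m := ACCEPT.search(line):
            src[m[1]], bound[m[1]] = m[2], ""      # every connection starts anonymous
        elif m := BIND_OK.search(line):
            bound[m[1]] = m[2]                     # logged only after a successful bind
        elif m := BIND_REQ.search(line):
            bound[m[1]] = ""                       # a bind request resets to anonymous
        elif m := SRCH.search(line):
            pending[(m[1], m[2])] = (m[3], int(m[4]))
        elif m := RESULT.search(line):
            base, scope = pending.pop((m[1], m[2]), (None, None))
            anonymous = bound.get(m[1]) == ""
            if scope == 2 and anonymous and int(m[3]) >= min_entries:  # scope 2 = subtree
                alerts.append({"src": src.get(m[1], "unknown"), "base": base,
                               "entries": int(m[3])})
    return alerts

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
conn=1001 fd=14 ACCEPT from IP=192.168.1.50:40112 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="dc=company,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=812 text=
conn=1002 fd=15 ACCEPT from IP=192.168.1.20:51544 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=app,ou=svc,dc=company,dc=com" method=128
conn=1002 op=0 BIND dn="cn=app,ou=svc,dc=company,dc=com" mech=SIMPLE ssf=0
conn=1002 op=1 SRCH base="ou=people,dc=company,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()

if __name__ == "__main__":
    for alert in find_anonymous_dumps(SAMPLE_LOG):
        print(alert)
```

Only the first connection is reported: it never authenticates and pulls 812 entries from the directory root, while the second binds as a service account and looks up a single user.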

Key Differences Between SNMP and LDAP Enumeration

| Feature | SNMP Enumeration | LDAP Enumeration |
|---|---|---|
| Purpose | Monitor network devices | Access directory services |
| Port Used | UDP 161 | TCP 389 |
| Target | Routers, switches, servers | Active Directory, users |
| Output | Device info, configs, stats | Usernames, groups, policies |
| Risk | Info leakage if SNMP misconfigured | Credential harvesting or privilege mapping |

Risks of Unsecured SNMP and LDAP

If SNMP or LDAP is misconfigured:

  • Hackers can map the network

  • Extract user data without login

  • Create detailed attack plans

  • Perform privilege escalation

  • Launch credential-stuffing attacks

How to Protect SNMP and LDAP Services

| Defense Method | Description |
|---|---|
| Use complex community strings (SNMP) | Avoid using "public" or "private" |
| Disable SNMP if not needed | Remove unnecessary services |
| Enable SNMPv3 | It provides authentication and encryption |
| Restrict access by IP | Only allow trusted IPs |
| Secure LDAP with TLS (LDAPS) | Protects data in transit |
| Monitor logs and alerts | Detect suspicious LDAP/SNMP queries |
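
The SNMP rows of this table can be checked mechanically against an agent's configuration. This added example, which is not part of the original article, audits a net-snmp snmpd.conf for default community strings, missing source restrictions, v1/v2c write access and SNMPv3 users that are not forced to encrypt; the sample configuration and function names are constructed for illustration.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}          # the strings the table says to avoid
OPEN_SOURCES = {"", "default", "0.0.0.0/0", "::/0"}  # no source given, or any source

def _drop_opt(args, flag):   # strip a leading "<flag> <value>" pair, e.g. "-Cn ctx"
    return args[2:] if args[:1] == [flag] else args

def audit_snmpd_conf(text):
    """Return (line_number, finding) pairs for weak settings in snmpd.conf text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        directive, args = tokens[0].lower().rstrip("6"), tokens[1:]
        if directive in ("rouser", "rwuser"):
            args = _drop_opt(args, "-s")
            level = args[1] if len(args) > 1 else "auth"   # "auth" is the default
            if args and level != "priv":
                findings.append((no, f"SNMPv3 user '{args[0]}' is not forced to encrypt"))
            continue
        if directive in ("rocommunity", "rwcommunity") and args:
            community, source = args[0], (args[1] if len(args) > 1 else "")
        elif directive == "com2sec" and len(args := _drop_opt(args, "-Cn")) >= 3:
            source, community = args[1], args[2]
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community string '{community}'"))
        if source in OPEN_SOURCES:
            findings.append((no, "community is not restricted to trusted source IPs"))
        if directive == "rwcommunity":
            findings.append((no, "write access is granted over SNMPv1/v2c"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
rocommunity public
rwcommunity private default
rocommunity x9Kq-72hLmP 10.0.0.5
com2sec readonly default public
rouser monitor auth
rouser nms priv
"""

if __name__ == "__main__":
    for line_no, finding in audit_snmpd_conf(SAMPLE):
        print(f"line {line_no}: {finding}")
```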

Summary Table

| Feature | SNMP | LDAP |
|---|---|---|
| Full Form | Simple Network Management Protocol | Lightweight Directory Access Protocol |
| Common Port | 161 | 389 |
| Used For | Device monitoring | User/Directory management |
| Main Risk | Info exposure | User/group leaks |
| Popular Tool | snmpwalk | ldapsearch |

Final Thoughts

Both SNMP and LDAP enumeration are vital reconnaissance tools in ethical hacking. They reveal valuable information about an organization's infrastructure and users. Knowing how to use these tools—and how to protect against them—is key for every SOC analyst, red teamer, and cybersecurity student.

FAQs

What is SNMP enumeration?

SNMP enumeration is the process of gathering device and network information from systems that support the Simple Network Management Protocol.

What does SNMP stand for?

SNMP stands for Simple Network Management Protocol.

What is the default SNMP port?

The default port for SNMP is UDP 161.

What is LDAP enumeration?

LDAP enumeration is the method of extracting user, group, and policy data from directory services like Active Directory.

What does LDAP stand for?

LDAP stands for Lightweight Directory Access Protocol.

What is the default LDAP port?

The default port is TCP 389 for standard LDAP and 636 for secure LDAP (LDAPS).

What tools are used for SNMP enumeration?

Popular tools include snmpwalk, snmpcheck, Nmap SNMP scripts, and Metasploit modules.

What tools are used for LDAP enumeration?

Tools like ldapsearch, AD Explorer, Metasploit, and Nmap scripts are commonly used.

What is the purpose of SNMP enumeration in ethical hacking?

It helps ethical hackers collect device names, OS versions, interface configurations, and routing details.

Why is LDAP enumeration useful?

It reveals usernames, email addresses, domain structures, and group memberships, helping map out an organization's user hierarchy.

What is the SNMP community string?

A community string acts like a password; default strings like “public” or “private” should be changed.

What is snmpwalk?

Snmpwalk is a command-line tool used to query SNMP-enabled devices and retrieve structured data.

What is ldapsearch?

Ldapsearch is a command-line utility used to search for entries in an LDAP directory.

How does enumeration differ from scanning?

Scanning finds systems and services; enumeration digs deeper to extract system details.

Can SNMP enumeration be done without authentication?

Yes, if the community string is default or weak, SNMP data can be accessed without login.

What are the risks of SNMP enumeration?

It can lead to information leakage like network layout, device versions, and internal IPs.

How can SNMP enumeration be prevented?

Disable SNMP if not needed, use SNMPv3 with encryption, and restrict access using firewalls.

How can LDAP enumeration be blocked?

Secure LDAP with TLS, limit anonymous access, and audit Active Directory permissions regularly.

What type of data does LDAP reveal?

Usernames, password policies, computer accounts, email addresses, and domain details.

What is LDAPS?

LDAPS is the secure version of LDAP, using port 636 and encrypting data in transit.

Can Nmap scan for SNMP and LDAP?

Yes, Nmap supports SNMP and LDAP enumeration through NSE scripts.

What is the difference between SNMP and LDAP?

SNMP is used for network device management, while LDAP is used for directory and user data management.

Is enumeration legal?

Enumeration is legal only when performed during authorized penetration tests or with consent.

What kind of attacks use SNMP enumeration?

Attackers may use SNMP enumeration for reconnaissance and planning targeted exploits.

What is an SNMP trap?

It’s an alert sent from a device to a management system when a network event occurs, using port 162.

What does a sample ldapsearch command look like?

Example: ldapsearch -x -H ldap://192.168.1.1 -b "dc=example,dc=com"

Can enumeration lead to privilege escalation?

Yes, gathering user or group info can help attackers plan privilege escalation attacks.

What is a base DN in LDAP?

The base DN (Distinguished Name) defines the starting point for LDAP searches in the directory tree.

Why should SNMPv3 be used?

SNMPv3 adds encryption, authentication, and better access control compared to SNMPv1 and v2c.

Are SNMP and LDAP still used today?

Yes, they are widely used in enterprise environments and need proper configuration to avoid security issues.
