Port reference

Port 3268 (TCP) – LDAP Global Catalog

Active Directory Global Catalog — a forest-wide, partial-attribute LDAP index served by domain controllers.

TCP · Registered · Commonly attacked

Default state

Open on Active Directory domain controllers that hold the Global Catalog role. Internal to the AD environment.

Common attacks

  • Forest-wide user, group, and computer enumeration over LDAP
  • Anonymous or low-privilege binds leaking directory data
  • Reconnaissance for attack paths (BloodHound-style collection)
  • Credential harvesting via attributes and weak LDAP/cleartext binds

Hardening

  • Use the TLS Global Catalog port 3269 (LDAPS) and require signing/channel binding
  • Disable anonymous LDAP binds; restrict who can read sensitive attributes
  • Never expose 3268/3269 to the internet; segment and firewall domain controllers
  • Monitor for bulk LDAP queries and BloodHound-style enumeration
  • Apply least privilege and tier admin accounts in AD

nmap snippet

nmap -p3268 --script ldap-rootdse,ldap-search <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 3268?

Port 3268 is the TCP port for the Active Directory Global Catalog (GC), served over LDAP by domain controllers holding the GC role. Where standard LDAP on port 389 is scoped to a single domain, the Global Catalog provides a forest-wide, partial-attribute index of every object across all domains in the forest. Its TLS-protected twin is port 3269 (LDAPS), mirroring 389/636.

Why it matters for security

The Global Catalog is a goldmine for reconnaissance: a single authenticated (or worse, anonymous) query can enumerate users, groups, and computers across the entire forest. That makes 3268 a prime target for attack-path mapping and credential discovery. If LDAP signing and channel binding aren't enforced, binds can also be relayed or downgraded.

How it's attacked

Attackers perform forest-wide enumeration over the GC to inventory accounts and trust relationships — the data behind BloodHound-style attack-path analysis. Anonymous or low-privilege binds can leak directory data directly, and attribute values sometimes expose credentials or hints. Weak or cleartext binds enable relay and harvesting.

Hardening checklist

Prefer the TLS Global Catalog on 3269 and require LDAP signing and channel binding. Disable anonymous binds and restrict who can read sensitive attributes. Never expose 3268/3269 to the internet; segment and firewall domain controllers and monitor for bulk LDAP queries. Apply least privilege and tiered admin in AD. The nmap scripts above read the RootDSE and run LDAP searches on hosts you are authorized to test.
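The monitoring item in the checklist, worked through as an added example (not part of the original page): a small triage routine over constructed, simplified LDAP search records for the Global Catalog listener. The record layout and the sample values are assumptions made for this example, not the schema of any real Windows event; a real pipeline would map its own log fields onto them.

```python
"""Triage Global Catalog (TCP 3268) search records for the two things the
hardening checklist asks defenders to watch: weak binds and bulk enumeration.
Records are constructed and simplified for this example (assumed layout)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class LdapSearch(NamedTuple):
    client: str       # source address of the LDAP client
    bind: str         # "anonymous", "simple" (cleartext password) or "sasl-gssapi"
    port: int         # 3268 = Global Catalog, 389 = single-domain LDAP
    ldap_filter: str  # LDAP filter string as sent by the client
    scope: str        # "base", "onelevel" or "subtree"
    returned: int     # entries returned to the client


# Constructed sample: a benign user lookup, an anonymous forest sweep over two
# object classes, a cleartext-bind sweep for user accounts, and a RootDSE read.
SAMPLE_SEARCHES = [
    LdapSearch("10.0.5.23", "sasl-gssapi", 3268, "(&(objectClass=user)(sAMAccountName=jdoe))", "subtree", 1),
    LdapSearch("10.0.9.77", "anonymous", 3268, "(objectClass=*)", "subtree", 48210),
    LdapSearch("10.0.9.77", "anonymous", 3268, "(objectClass=group)", "subtree", 3900),
    LdapSearch("10.0.4.10", "simple", 3268, "(sAMAccountType=805306368)", "subtree", 46000),
    LdapSearch("10.0.5.23", "sasl-gssapi", 3268, "(objectClass=*)", "base", 1),
]

# Filters that select whole object classes rather than one named object. A
# forest-wide subtree search with one of these that returns many entries is
# inventory collection, the shape of the BloodHound-style enumeration above.
BROAD_FILTERS = ("(objectClass=*)", "(objectClass=user)", "(objectClass=group)",
                 "(objectClass=computer)", "(sAMAccountType=805306368)")


def triage(searches: List[LdapSearch], bulk_threshold: int = 1000) -> Dict[str, List[str]]:
    """Return {client: sorted findings}, considering Global Catalog traffic only."""
    findings: Dict[str, set] = defaultdict(set)
    for s in searches:
        if s.port != 3268:
            continue
        if s.bind == "anonymous":
            findings[s.client].add("anonymous bind to Global Catalog")
        elif s.bind == "simple":
            findings[s.client].add("cleartext simple bind (no signing, relayable)")
        broad = s.scope == "subtree" and s.ldap_filter in BROAD_FILTERS
        if broad and s.returned >= bulk_threshold:
            findings[s.client].add("bulk forest-wide enumeration")
    return {client: sorted(reasons) for client, reasons in findings.items()}


if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_SEARCHES).items():
        print(client, "->", "; ".join(reasons))
```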

Frequently asked questions

What is the difference between port 389 and port 3268?
Port 389 is standard LDAP scoped to a single domain. Port 3268 is the Global Catalog — a forest-wide, partial-attribute index across all domains. Their TLS equivalents are 636 and 3269.
Why is the Global Catalog a recon target?
It lets a single query enumerate users, groups, and computers across the entire forest. Attackers use it (e.g. BloodHound) to map attack paths, so anonymous binds and over-broad read access are dangerous.