Port reference

Port 389 (TCP/UDP) – LDAP

LDAP — the cleartext directory query protocol used to read and write Active Directory.

Tags: TCP, UDP, well-known port, commonly attacked

Default state

Open on every Active Directory domain controller. Cleartext by default; should not be exposed to untrusted networks.

Common attacks

  • Anonymous and unauthenticated bind enumeration
  • Directory enumeration (users, groups, SPNs, ACLs)
  • LDAP relay (NTLM relay to LDAP)
  • Credential sniffing of cleartext simple binds

Hardening

  • Prefer LDAPS (636) or StartTLS; avoid cleartext simple binds
  • Enforce LDAP signing and channel binding to defeat relay
  • Disable anonymous binds
  • Restrict 389 to trusted management networks
  • Monitor for bulk/abnormal LDAP queries (BloodHound-style)

nmap snippet

nmap -p389 --script ldap-rootdse,ldap-search <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 389?

Port 389 is the default for LDAP (Lightweight Directory Access Protocol), the query protocol that reads and writes the directory. In Windows environments that directory is Active Directory: every domain controller exposes LDAP on 389 so clients, applications, and administrators can look up users, groups, computers, service principal names, and the access-control structure of the domain. By default this traffic is cleartext.

Why it matters for security

LDAP is the map of an Active Directory environment, so read access alone is powerful — attackers use it to enumerate every account, group membership, and privilege relationship. Worse, plain 389 is unencrypted, exposing simple-bind passwords to network sniffing, and many directories still permit anonymous binds. LDAP is also a prime relay target: coerced NTLM authentication relayed to LDAP can be used to grant rights or add a computer for RBCD-based escalation.

How it's attacked

Tools like BloodHound query LDAP to enumerate users, groups, SPNs (the candidate targets for Kerberoasting), and dangerous ACLs across the whole domain. Where anonymous bind is allowed, this needs no credentials at all. Captured NTLM authentication is relayed to LDAP to modify directory objects, and cleartext simple-bind credentials are sniffed straight off the wire.

Hardening checklist

Move clients to LDAPS (636) or StartTLS and stop accepting cleartext simple binds. Enforce LDAP signing and channel binding on domain controllers to defeat relay. Disable anonymous binds. Restrict port 389 to trusted management networks and alert on bulk or unusual query patterns that signal directory enumeration. The nmap scripts above read the RootDSE and run a directory search on systems you are authorized to test.
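Before you flip LDAP signing to "require" on a domain controller, you need to know which clients still bind insecurely, and the DC tells you: with the NTDS diagnostic "16 LDAP Interface Events" raised to 2 it logs Directory Service event 2889 for every unsigned SASL bind or cleartext simple bind. The following is an added example (not part of this page) that parses constructed messages in the shape of event 2889 and builds that pre-enforcement inventory; the message layout and the sample clients are assumptions, and the parser handles IPv4 client addresses only.

```python
import re
from collections import Counter, defaultdict

# Constructed sample messages in the shape of Directory Service event 2889 (assumed
# layout). A DC writes one per client that performs a SASL bind without signing or a
# simple bind over a cleartext connection, once the NTDS diagnostic
# "16 LDAP Interface Events" is set to 2. Binding Type 0 = unsigned SASL bind,
# Binding Type 1 = simple bind on a cleartext (non-TLS) connection.
def _event(ip_port, identity, binding_type):
    return (
        "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
        "without requesting signing (integrity verification), or performed a simple bind "
        "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
        f"Client IP address:\n{ip_port}\n"
        f"Identity the client attempted to authenticate as:\n{identity}\n"
        f"Binding Type:\n{binding_type}"
    )

SAMPLE_EVENTS = [  # constructed, hypothetical clients
    _event("10.0.0.15:49832", "CONTOSO\\svc-backup", 1),
    _event("10.0.0.15:49901", "CONTOSO\\svc-backup", 1),
    _event("10.0.0.42:51200", "CONTOSO\\jsmith", 0),
    _event("10.0.0.77:60012", "CONTOSO\\svc-scanner", 1),
]

# IPv4 only: the port is split off, the identity is taken as one token.
FIELD_RE = re.compile(
    r"Client IP address:\s*(?P<ip>[^:\s]+):\d+\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>[01])", re.S)

def parse_2889(message):
    """Return (client_ip, identity, binding_type) from one event 2889 message."""
    m = FIELD_RE.search(message)
    if not m:
        raise ValueError("not an event 2889 message")
    return m["ip"], m["identity"], int(m["btype"])

def insecure_bind_inventory(messages):
    """Count cleartext simple binds and unsigned SASL binds per (client, identity).
    Every entry here will start failing when LDAPServerIntegrity=2 (require signing)
    is enforced, so each one needs fixing (LDAPS/StartTLS or signed SASL) first."""
    inv = defaultdict(Counter)
    for msg in messages:
        ip, ident, btype = parse_2889(msg)
        inv[(ip, ident)]["simple_cleartext" if btype == 1 else "unsigned_sasl"] += 1
    return dict(inv)

def cleartext_password_clients(messages):
    """Clients whose passwords already cross the wire in the clear (Binding Type 1)."""
    return sorted({ip for ip, _, b in map(parse_2889, messages) if b == 1})
```

Run it over the 2889 messages exported from each DC's Directory Service log; the cleartext-bind list is the one to fix first, because those credentials are exposed to sniffing today regardless of whether signing is enforced.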

Frequently asked questions

What is port 389 used for?
Port 389 is LDAP, the protocol clients and applications use to query and modify the Active Directory database — looking up users, groups, computers, and policies.
Is LDAP on port 389 encrypted?
No. Plain LDAP on 389 is cleartext, so simple-bind credentials and directory data can be sniffed. Use LDAPS on 636 or StartTLS for encryption.