TCP port 389 is the default port for LDAP (Lightweight Directory Access Protocol). The tester’s actions—performing an anonymous bind and querying directory contents with structured search filters to extract usernames and organizational information—are definitive indicators of LDAP enumeration. LDAP is commonly used for centralized directory services (including environments integrated with Active Directory via LDAP interfaces). If misconfigured to allow anonymous binds or overly permissive searches, an attacker can retrieve valuable identity and structure data.
The scenario describes obtaining usernames, departmental details, and organizational units (OUs). Those are typical LDAP directory attributes and containers. Enumerating them can directly support follow-on attack paths: building targeted password-spraying lists, crafting spear-phishing that references accurate internal roles, identifying privileged groups, and mapping the organization’s structure to prioritize high-value targets. Even without direct credential compromise, directory disclosure increases attacker effectiveness.
Why the other options are incorrect:
SMTP enumeration (A) focuses on email systems (e.g., VRFY/EXPN/RCPT TO behaviors) and typically uses TCP/25 or related mail ports, not 389.
DNS enumeration (B) involves querying DNS records (A/AAAA, MX, NS, TXT, zone transfers) and does not involve directory binds or LDAP filters.
NTP enumeration (D) relates to time services (UDP/123) and provides timing/monlist-style information, not user/OU directory attributes.
Because the service is on TCP/389 and the technique involves binds and directory searches, the correct classification is C. LDAP Enumeration.
