
LDAPS Honeypot (Enterprise / Community)

The LDAPS service emulates a Microsoft Active Directory LDAP server over TLS (port 636). Use it to catch LDAP enumeration and bind attempts over TLS.

Enterprise configuration

Configure from Trapsters → device → Services → LDAPS:

Parameter   Description
port        TCP port (default 636)
level       AD domain functional level

Hostname and domain come from the device identity, same as LDAP.

Community configuration

```json
"ldaps": [
  {
    "port": 636,
    "hostname": "DC01",
    "domain": "corp.local",
    "level": "WinThreshold",
    "key": "trapster/data/ssl/ldaps/key.pem",
    "certificate": "trapster/data/ssl/ldaps/certificate.pem"
  }
]
```

Parameters

All LDAP parameters apply, plus:

Parameter     Type     Default                                   Description
key           string   trapster/data/ssl/ldaps/key.pem           PEM private key path
certificate   string   trapster/data/ssl/ldaps/certificate.pem   PEM certificate path

Trapster generates a self-signed certificate on startup with CN {hostname}.{domain} (for example DC01.corp.local).

What gets captured

Same events as LDAP (connection, bind/login attempts, and RootDSE queries), but over TLS.
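The following health check is an added example, not part of Trapster's own code: it lets a defender confirm a freshly deployed LDAPS decoy is listening, presents the expected self-signed certificate name ({hostname}.{domain}), and answers the RootDSE query the page says it captures. Running it also produces one known-good event in the Trapster console that can be used to verify alert routing. The `host` field (address to connect to), the crude CN substring check on the DER certificate, and the use of Python's standard library alone are assumptions of this example.

```python
"""Health check for a Trapster LDAPS decoy (example, not Trapster code)."""
import socket
import ssl

# Constructed to mirror the community config on this page. "host" is an
# assumption of this example: where to connect, since "DC01" may not resolve.
LDAPS_CONFIG = {"host": "127.0.0.1", "port": 636, "hostname": "DC01", "domain": "corp.local"}


def expected_cn(cfg):
    """Trapster's self-signed certificate carries CN {hostname}.{domain}."""
    return f"{cfg['hostname']}.{cfg['domain']}"


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def rootdse_search_request(message_id=1):
    """LDAPMessage carrying a SearchRequest for the RootDSE:
    base "", scope baseObject, filter (objectClass=*), no attribute list."""
    body = (
        tlv(0x04, b"")                 # baseObject: empty DN selects the RootDSE
        + tlv(0x0A, b"\x00")           # scope: baseObject
        + tlv(0x0A, b"\x00")           # derefAliases: neverDerefAliases
        + tlv(0x02, b"\x00")           # sizeLimit 0 (no limit)
        + tlv(0x02, b"\x00")           # timeLimit 0 (no limit)
        + tlv(0x01, b"\x00")           # typesOnly FALSE
        + tlv(0x87, b"objectClass")    # filter: present [7] "objectClass"
        + tlv(0x30, b"")               # attributes: empty list
    )
    search = tlv(0x63, body)           # [APPLICATION 3] SearchRequest
    return tlv(0x30, tlv(0x02, bytes([message_id])) + search)


def read_tlv(data, pos):
    """Decode the BER element starting at pos; returns (tag, value, next_pos)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, data[pos:pos + length], pos + length


def ldap_ops(data):
    """Return (messageID, protocolOp tag) for every LDAPMessage in a reply buffer.
    0x64 = SearchResultEntry, 0x65 = SearchResultDone, 0x61 = BindResponse."""
    ops, pos = [], 0
    while pos < len(data):
        tag, msg, pos = read_tlv(data, pos)
        if tag != 0x30:                # not an LDAPMessage SEQUENCE: stop parsing
            break
        _, id_val, inner = read_tlv(msg, 0)
        op_tag, _, _ = read_tlv(msg, inner)
        ops.append((int.from_bytes(id_val, "big"), op_tag))
    return ops


def check_decoy(cfg, timeout=5.0):
    """Connect over TLS, inspect the presented certificate, send one RootDSE
    search and classify the replies. Returns a dict suitable for a monitoring check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE    # the decoy cert is self-signed by design
    with socket.create_connection((cfg["host"], cfg["port"]), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_cn(cfg)) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            # Assumption: checking that the CN text occurs verbatim in the DER subject
            # is a crude stand-in for full X.509 parsing, which the stdlib lacks.
            cn_ok = expected_cn(cfg).encode() in der
            tls.sendall(rootdse_search_request())
            reply = tls.recv(65535)
    ops = ldap_ops(reply)
    return {"tls": True, "cn_matches": cn_ok, "ops": ops,
            "rootdse_answered": any(op in (0x64, 0x65) for _, op in ops)}


if __name__ == "__main__":
    print(check_decoy(LDAPS_CONFIG))
```

Run it from a host that is allowed to reach the decoy; the resulting connection and RootDSE event should then appear in the Trapster console for that device. A `cn_matches` of False after a hostname or domain change usually means the service was not restarted, since the certificate is generated at startup.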

Pairing with breadcrumbs

From the LDAPS service row, click Generate breadcrumb to create a decoy password file or connection script. See Breadcrumbs.