Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Novell Universal password retriever
From: David Fifield <david () bamsoftware com>
Date: Fri, 27 May 2011 22:01:20 -0700

On Sun, May 22, 2011 at 04:48:38PM +0200, Patrik Karlsson wrote:
Hi all,

I'm attaching a script that attempts to retrieve a users universal password over LDAP.
In case the password policy permits administrators to retrieve user passwords ("Allow admin to retrieve passwords" is 
set in the password policy) this script can retrieve the password.

"Universal Password enables advanced password policies, including extended 
characters in passwords, synchronization of passwords from eDirectory to
other systems, and a single password for all access to eDirectory."

In order to test it, you need Novell eDirectory with a password policy set with the above option for the user you 
wish to recover the password.
The script relies on some changes to the LDAP library committed as r23230.

I think this looks good, but can you provide documentation for these
mysterious digit strings?

        local reqname = ldap.encode( { _ldaptype = '80', "2.16.840.1.113719.1.39.42.100.13" } )
        data = ldap.encode( { _ldaptype = '81', bin.pack("H", "308400000019020101") .. data } )
        data = ldap.encode( { _ldaptype = '30', bin.pack("H", "020102") .. ldap.encode( { _ldaptype = '77', reqname .. 
data } ) } )
        if ( respname ~= "2.16.840.1.113719.1.39.42.100.14" ) then return end

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault