Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Novell Universal password retriever
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 28 May 2011 10:52:16 +0200

On May 28, 2011, at 7:01 AM, David Fifield wrote:

On Sun, May 22, 2011 at 04:48:38PM +0200, Patrik Karlsson wrote:
Hi all,

I'm attaching a script that attempts to retrieve a users universal password over LDAP.
In case the password policy permits administrators to retrieve user passwords ("Allow admin to retrieve passwords" 
is set in the password policy) this script can retrieve the password.

"Universal Password enables advanced password policies, including extended 
characters in passwords, synchronization of passwords from eDirectory to
other systems, and a single password for all access to eDirectory."

In order to test it, you need Novell eDirectory with a password policy set with the above option for the user you 
wish to recover the password.
The script relies on some changes to the LDAP library committed as r23230.

I think this looks good, but can you provide documentation for these
mysterious digit strings?

       local reqname = ldap.encode( { _ldaptype = '80', "2.16.840.1.113719." } )
       data = ldap.encode( { _ldaptype = '81', bin.pack("H", "308400000019020101") .. data } )
       data = ldap.encode( { _ldaptype = '30', bin.pack("H", "020102") .. ldap.encode( { _ldaptype = '77', reqname .. 
data } ) } )
       if ( respname ~= "2.16.840.1.113719." ) then return end

David Fifield

I've committed the script as r23415 where the above sections were re-written and slightly more documented.
The code is based on packet dumps and I tried to do some digging into BER encoding again, but didn't get as far as I 

Patrik Karlsson

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]