Monthly Archives: June 2011

Using Nmap for pentesting eDirectory

While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the Netware Core Protocol (NCP). I noticed that there wasn’t any NCP support in Nmap so I decided that I would implement some basic support. I ended up writing a NCP library and the following two scripts:

  • ncp-enum-users – enumerates eDirectory users
  • ncp-serverinfo – lists some basic server information

The scripts should work against NCP running on both Netware, Linux and Windows. Here’s some sample output from both scripts:

In addition to the NCP scripts I wrote a LDAP script (ldap-novell-getpass) that extract the plain-text password of a given user, in case the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:

All of the scripts have been committed to Nmap and are available through subversion.

Using Nmap to audit your MySQL database

I’ve been working on a Nmap script for auditing MySQL databases against the CIS 1.0.2 benchmark for a while. I haven’t committed it to subversion yet, but it’s available to download for anyone who feels up to testing it. While it isn’t perfect nor does it contain all CIS controls, it provides Nmap users with the possibility to quickly scan a database to see whether it complies with the CIS recommendations or not.

Continue reading