cqure.net

Using Nmap for pentesting eDirectory

While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the NetWare Core Protocol (NCP). I noticed that there wasn’t any NCP support in Nmap so I decided that I would implement some basic support. I ended up writing an NCP library and the following two scripts:

  • ncp-enum-users – enumerates eDirectory users
  • ncp-serverinfo – lists some basic server information

The scripts should work against NCP running on NetWare, Linux and Windows. Here’s some sample output from both scripts:

| ncp-serverinfo:
|   Server name: LINUX-L84T
|   Tree Name: CQURE-TREE
|   OS Version: 5.70 (rev 7)
|   Product version: 6.50 (rev 7)
|   OS Language ID: 4
|   Addresses
|     10.0.200.33 524/udp
|     10.0.200.33 524/tcp
|   Mounts
|     SYS
|     ADMIN
|_    _ADMIN
| ncp-enum-users:
|   CN=admin.O=cqure
|   CN=cawi.OU=finance.O=cqure
|   CN=linux-l84tadmin.O=cqure
|   CN=nist.OU=hr.O=cqure
|   CN=novlxregd.O=cqure
|   CN=novlxsrvd.O=cqure
|   CN=OESCommonProxy_linux-l84t.O=cqure
|   CN=sasi.OU=hr.O=cqure
|_  CN=wwwrun.O=cqure

In addition to the NCP scripts I wrote an LDAP script (ldap-novell-getpass) that extracts the plain-text password of a given user if the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:

| ldap-novell-getpass:
|   Account: CN=patrik,OU=security,O=cqure
|_  Password: foobar

All of the scripts have been committed to Nmap and are available through Subversion.
