I recently finished writing three Metasploit modules for capturing passwords for VNC, SQL Server and DB2 (and other DRDA based databases). Being new to the Metasploit project (from a development perspective), Ruby and Git I can honestly say it was a challenge. I probably spent more time understanding Git and Ruby than implementing the actual network services. Having contributed a lot of “client” scripts to the Nmap project I decided it was time to implement some server components and the Metasploit project seemed to be a good option. All in all, it was a fun project and the review process went very smoothly and the modules were merged quickly.

In terms of the modules, they’re pretty straight forward;

• vnc.rb allows capturing challenge/response pairs for authentication suitable to send to JTR
• mssql.rb allows capturing both NTLM challenge/response authentication and the weaker “encoded” passwords
• drda.rb allows capturing and decoding EBDIC encoded username and passwords

I have a few more modules I hope to implement ones I finish some other stuff I’m currently working on.

Be sure to get it at http://nmap.org/6 !

I’ve just committed an updated version of the TNS library to Nmap, adding support for running Oracle database queries from Nmap scripts. I’ve put a considerable amount of work into trying to understand how the protocol works, due to the lack of documentation, and think that I’ve finally succeeded.

In addition I’ve posted two new scripts to the nmap-dev mailing list that make use of this new functionality:

• oracle-query – runs a given query against the Oracle database server and returns the results
• oracle-hash-dump – dumps the password hashes from an Oracle database server

In case you have the possibility to test this new code against Oracle 10g and 11g, please let me know how it works out. I’ll hopefully commit the two scripts to Nmap within the next few days.

Thank’s to some great effort put into the smb libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I’ve imagined. A first version has been committed to subversion a while ago but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before it’s a tool that allows you to get a good picture of a network by querying a single system.

Mbenum or the Nmap script smb-mbenum relies on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a netbios query for the __MSBROWSE__  name. The Nmap script broadcast-netbios-master-browser can be used to identify the master browser for your broadcast domain by sending a netbios query to the broadcast address.

While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the Netware Core Protocol (NCP). I noticed that there wasn’t any NCP support in Nmap so I decided that I would implement some basic support. I ended up writing a NCP library and the following two scripts:

• ncp-enum-users – enumerates eDirectory users
• ncp-serverinfo – lists some basic server information

The scripts should work against NCP running on both Netware, Linux and Windows. Here’s some sample output from both scripts:

| ncp-serverinfo:
|   Server name: LINUX-L84T
|   Tree Name: CQURE-TREE
|   OS Version: 5.70 (rev 7)
|   Product version: 6.50 (rev 7)
|   OS Language ID: 4
|   Addresses
|     10.0.200.33 524/udp
|     10.0.200.33 524/tcp
|   Mounts
|     SYS
|     ADMIN
|_    _ADMIN

| ncp-enum-users:
|   CN=admin.O=cqure
|   CN=cawi.OU=finance.O=cqure
|   CN=linux-l84tadmin.O=cqure
|   CN=nist.OU=hr.O=cqure
|   CN=novlxregd.O=cqure
|   CN=novlxsrvd.O=cqure
|   CN=OESCommonProxy_linux-l84t.O=cqure
|   CN=sasi.OU=hr.O=cqure
|_  CN=wwwrun.O=cqure

In addition to the NCP scripts I wrote a LDAP script (ldap-novell-getpass) that extract the plain-text password of a given user, in case the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:

| ldap-novell-getpass:
|   Account: CN=patrik,OU=security,O=cqure
|_  Password: foobar

All of the scripts have been committed to Nmap and are available through subversion.