Tag Archives: edirectory

Using Nmap for pentesting eDirectory

While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the Netware Core Protocol (NCP). I noticed that there wasn’t any NCP support in Nmap so I decided that I would implement some basic support. I ended up writing a NCP library and the following two scripts:

  • ncp-enum-users – enumerates eDirectory users
  • ncp-serverinfo – lists some basic server information

The scripts should work against NCP running on both Netware, Linux and Windows. Here’s some sample output from both scripts:

In addition to the NCP scripts I wrote a LDAP script (ldap-novell-getpass) that extract the plain-text password of a given user, in case the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:

All of the scripts have been committed to Nmap and are available through subversion.