Tag Archives: pentest

Using Nmap for pentesting eDirectory

While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the Netware Core Protocol (NCP). I noticed that there wasn’t any NCP support in Nmap so I decided that I would implement some basic support. I ended up writing a NCP library and the following two scripts:

  • ncp-enum-users – enumerates eDirectory users
  • ncp-serverinfo – lists some basic server information

The scripts should work against NCP running on both Netware, Linux and Windows. Here’s some sample output from both scripts:

In addition to the NCP scripts I wrote a LDAP script (ldap-novell-getpass) that extract the plain-text password of a given user, in case the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:

All of the scripts have been committed to Nmap and are available through subversion.

Nmap 5.50 is out

Nmap 5.50 is out, make sure to check it out. It contains a lot of new NSE stuff, including support for broadcast, pre- and post-rules and most of the scripts I, and many others, have created during the last year. For more information check out the official post http://seclists.org/nmap-hackers/2011/0

Inspect it is hiring

My employer (Inspect it) is hiring in Stockholm (Sweden). Inspect it is looking for people that currently work with IT- and information-security or have a strong desire to do so. Applicants should have experience within one or more of the following areas:

– Penetration- and Application-security testing
– Application & System security reviews
– Incident response and IT-forensics
– Security training

If your interested or have any questions contact me directly or send an e-mail to jobs[at]inspectit[dot]se

dns-service-discovery nmap script

I just posted a new Nmap script that uses the DNS Service Discovery protocol to enumerate information from a remote host. The script queries the Multicast DNS Service/Bonjour/ZeroConf for a list of services and then queries each service for additional information. The results are decoded and presented in a list similar to the one below. Systems that are known to ship with this service active include Apple OS X, Ubuntu and many printers.

The script is available over at the Nmap script page and should be run like this:

Here’s some sample output:

5353/udp open zeroconf
| dns-service-discovery:
|   Service: _workstation._tcp.local
|     Answers: 5
|       _workstation._tcp.local PTR IN
|         name: _workstation._tcp.local
|       patrik-laptop [08:00:aa:bb:cc:dd]._workstation._tcp.local TXT IN
|       patrik-laptop [08:00:aa:bb:cc:dd]._workstation._tcp.local SRV IN
|         priority: 0
|         weight: 0
|         port: 9
|         target: patrik-laptop.local
|       patrik-laptop.local AAAA IN
|         addr: fe80:0:0:0:a00:27ff:aabb:ccdd
|       patrik-laptop.local A IN
|_        addr:

VoIPTK version 0.2

While testing another IP PBX product I found some bugs in my applications that I have now fixed. While fixing these bugs I also finished some additional changes that I have been working on. I also added an additional method of determining if an account is valid or not that I found while testing the other PBX product.

More details are available under the VoIPTK page.