Penetration Testing mailing list archives

Re: Remotely hacking Novell ?


From: Ed Reed <ereed () novell com>
Date: 5 Jul 2002 16:55:48 -0000

In-Reply-To: <20020703165000.24033.qmail () bsd ultra-secure de>


It also has 427/tcp and 524/tcp open (well, nmap says) - are there any tools that can enumerate more information from the server through these ports - if at all?
I assume these are Novell-specific ports.


427 is not Novell specific - it's the Server Location Protocol (see
ftp://ftp.isi.edu/in-notes/rfc2608.txt for the IETF RFC text).  However,
Novell does use it as the registration/advertisement protocol to
replace SAP for clients to find servers at NDS login time (NCP/IP).

Since it's a multicast protocol, generally, or broadcast locally, it has 
very little use being exposed on an external network, at least the way 
Novell uses it.  Even clients logging in over NCP/IP (the 524 port, above) 
can't use it over the WAN unless multicast routing is enabled (I've seen 
that on some European ISPs, but haven't noticed it very often), or perhaps 
SLP forwarding.  Such clients generally have to provide the IP address (or 
DNS name) of a server in the tree the user wants to log into.

Come to think of it, I didn't even know it was a TCP protocol...yep, 
there's a TCP mode for handling large SLP messages.

Regards,
Ed Reed
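
The TCP mode mentioned in the reply is tied to the SLPv2 header flags in RFC 2608: a reply too large for a datagram is sent truncated with the OVERFLOW flag set, and the requester retries over TCP. The following is an added example, not part of the original post, that decodes the fixed SLPv2 header from a captured packet so port-427 traffic can be classified; the function names and both sample packets are constructed for illustration.

```python
import struct

# SLPv2 function IDs (RFC 2608)
FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg",
             5: "SrvAck", 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert",
             9: "SrvTypeRqst", 10: "SrvTypeRply", 11: "SAAdvert"}
FLAG_OVERFLOW, FLAG_FRESH, FLAG_MCAST = 0x8000, 0x4000, 0x2000

def parse_slp_header(data: bytes) -> dict:
    """Decode the fixed SLPv2 header: version, function, 24-bit length,
    flags, 24-bit extension offset, XID and language tag."""
    if len(data) < 14:
        raise ValueError("shorter than the 14-byte fixed SLPv2 header")
    version, func = data[0], data[1]
    if version != 2:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(data[2:5], "big")     # declared message length
    flags = int.from_bytes(data[5:7], "big")
    next_ext = int.from_bytes(data[7:10], "big")
    xid, lang_len = struct.unpack(">HH", data[10:14])
    if len(data) < 14 + lang_len:
        raise ValueError("language tag truncated")
    return {
        "function": FUNCTIONS.get(func, f"unknown({func})"),
        "length": length, "next_ext": next_ext, "xid": xid,
        "lang": data[14:14 + lang_len].decode("ascii", "replace"),
        "overflow": bool(flags & FLAG_OVERFLOW),
        "fresh": bool(flags & FLAG_FRESH),
        "mcast": bool(flags & FLAG_MCAST),
    }

def transport_hint(hdr: dict) -> str:
    """Hypothetical helper: summarize what the flags say about transport."""
    if hdr["overflow"]:
        return "retry-over-tcp"          # reply did not fit in a datagram
    if hdr["mcast"]:
        return "multicast-or-broadcast"  # request was sent to a group
    return "unicast"

# Constructed samples, header only (message bodies omitted).
MCAST_RQST = bytes.fromhex("02" "01" "000031" "2000" "000000" "1234" "0002") + b"en"
OVERFLOW_RPLY = bytes.fromhex("02" "02" "000578" "8000" "000000" "1234" "0002") + b"en"

if __name__ == "__main__":
    for pkt in (MCAST_RQST, OVERFLOW_RPLY):
        hdr = parse_slp_header(pkt)
        print(hdr["function"], hex(hdr["xid"]), transport_hint(hdr))
```
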
