Re: [NSE] Novell Universal password retriever

[Patrik Karlsson <patrik () cqure net>]

On May 28, 2011, at 7:01 AM, David Fifield wrote:

> On Sun, May 22, 2011 at 04:48:38PM +0200, Patrik Karlsson wrote:
> > Hi all,
> >
> > I'm attaching a script that attempts to retrieve a users universal password over LDAP.
> > In case the password policy permits administrators to retrieve user passwords ("Allow admin to retrieve passwords" 
> > is set in the password policy) this script can retrieve the password.
> >
> > "Universal Password enables advanced password policies, including extended 
> > characters in passwords, synchronization of passwords from eDirectory to
> > other systems, and a single password for all access to eDirectory."
> >
> > In order to test it, you need Novell eDirectory with a password policy set with the above option for the user you 
> > wish to recover the password.
> > The script relies on some changes to the LDAP library committed as r23230.
>
> I think this looks good, but can you provide documentation for these
> mysterious digit strings?
>
>        local reqname = ldap.encode( { _ldaptype = '80', "2.16.840.1.113719.1.39.42.100.13" } )
>        data = ldap.encode( { _ldaptype = '81', bin.pack("H", "308400000019020101") .. data } )
>        data = ldap.encode( { _ldaptype = '30', bin.pack("H", "020102") .. ldap.encode( { _ldaptype = '77', reqname .. 
> data } ) } )
>        if ( respname ~= "2.16.840.1.113719.1.39.42.100.14" ) then return end
>
> David Fifield

I've committed the script as r23415 where the above sections were re-written and slightly more documented.
The code is based on packet dumps and I tried to do some digging into BER encoding again, but didn't get as far as I 
hoped.

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/