Re: Remotely hacking Novell ?

[Forrest Rae <forrest.rae () code-lab com>]

Hello,

If TCP port 524 is open, and the [PUBLIC] object has browse rights to 
the NDS tree, then enumerating information is possible.

Simple Nomad's Advisory on this issue:
http://razor.bindview.com/publish/advisories/adv_novellleak.html

The tool for enumerating information from TCP port 524:
http://razor.bindview.com/tools/files/ncpquery-1.2.tgz

SAP Types that can be used with NCP Query:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10050864.htm

I also wrote a presentation on a Nessus plugin I authored that retrieves 
the Netware server name and NDS tree name from a Netware server via TCP 
port 524.  The presentation touches some NCP protocol basics.

http://forrest.rae.nu/presentations/nds-nasl/html/

I've never touch a Novonyx web server, sorry.

-Forrest

On Wednesday 03 July 2002 11:50, Rainer Duffner wrote:
> Hi,
>
> I have found some Novell-server during a pentest (in fact, the site
> is a pretty much a complete Novell-Shop, minus things like Citrix).
>
> Anyway, there's a webserver with some Novonyx (remember that ?)
> Sample-Files and there's an LDAP-Server that exports what looks like
> part of the NDS (minus passwords, but some email-addresses).
>
> It also has 427/tcp and 524/tcp open (well, nmap says) - are there
> any tools that can enumerate more information from the server through
> these ports - if at all ?
> I assume, these are Novell-specific ports.
>
> Finally: does pandora only work locally ?
>
>
> cheers,
> Rainer


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/