scripts/ldap-novell-getpass.nse


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

local comm = require "comm"
local ldap = require "ldap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Attempts to retrieve the Novell Universal Password for a user. You
must already have (and include in script arguments) the username and password for an eDirectory server
administrative account.
]]

---
-- Universal Password enables advanced password policies, including extended
-- characters in passwords, synchronization of passwords from eDirectory to
-- other systems, and a single password for all access to eDirectory.
--
-- In case the password policy permits administrators to retrieve user
-- passwords ("Allow admin to retrieve passwords" is set in the password
-- policy) this script can retrieve the password.
--
-- @args ldap-novell-getpass.account The name of the account to retrieve the
--       password for
-- @args ldap-novell-getpass.username The LDAP username to use when connecting
--       to the server
-- @args ldap-novell-getpass.password The LDAP password to use when connecting
--       to the server
--
-- @usage
-- nmap -p 636 --script ldap-novell-getpass --script-args \
-- 'ldap-novell-getpass.username="CN=admin,O=cqure", \
-- ldap-novell-getpass.password=pass1234, \
-- ldap-novell-getpass.account="CN=paka,OU=hr,O=cqure"'
--
-- @output
-- PORT    STATE SERVICE REASON
-- 636/tcp open  ldapssl syn-ack
-- | ldap-novell-getpass:
-- |   Account: CN=patrik,OU=security,O=cqure
-- |_  Password: foobar
--

-- Version 0.1
-- Created 05/11/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>


author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}


portrule = shortport.port_or_service({389,636}, {"ldap","ldapssl"})

local function fail (err) return stdnse.format_output(false, err) end

function action(host,port)

  local username = stdnse.get_script_args("ldap-novell-getpass.username")
  local password = stdnse.get_script_args("ldap-novell-getpass.password") or ""
  local account = stdnse.get_script_args("ldap-novell-getpass.account")

  if ( not(username) ) then
    return fail("No username was supplied (ldap-novell-getpass.username)")
  end
  if ( not(account) ) then
    return fail("No account was supplied (ldap-novell-getpass.account)")
  else
    -- do some basic account validation
    if ( not(account:match("^[Cc][Nn]=.*,") ) ) then
      return fail("The account argument should be specified as: \"CN=name,OU=orgunit,O=org\"")
    end
  end

  -- In order to discover what protocol to use (SSL/TCP) we need to send a
  -- few bytes to the server. An anonymous bind should do it
  local anon_bind = stdnse.fromhex( "300c020101600702010304008000" )
  local socket, _, opt = comm.tryssl( host, port, anon_bind, nil )
  if ( not(socket) ) then
    return fail("Failed to connect to LDAP server")
  end

  local status, errmsg = ldap.bindRequest( socket, {
    version = 3,
    username = username,
    password = password
  }
  )

  if ( not(status) ) then return errmsg end

  -- Start encoding the NMAS Get Password Request
  local NMASLDAP_GET_PASSWORD_REQUEST = "2.16.840.1.113719.1.39.42.100.13"
  local NMASLDAP_GET_PASSWORD_RESPONSE = "2.16.840.1.113719.1.39.42.100.14"
  -- Add a trailing zero to the account name
  local data = ldap.encode( account .. '\0' )

  -- The following section could do with more documentation
  -- It's based on packet dumps from the getpass utility available from Novell Cool Solutions
  -- encode the account name as a sequence
  data = ldap.encode( { _ldaptype = '30', stdnse.fromhex( "020101") .. data } )
  data = ldap.encode( { _ldaptype = '81', data } )
  data = ldap.encode( { _ldaptype = '80', NMASLDAP_GET_PASSWORD_REQUEST } ) .. data
  data = ldap.encode( { _ldaptype = '77', data } )

  -- encode the whole extended request as a sequence
  data = ldap.encode( { _ldaptype = '30', stdnse.fromhex( "020102") .. data } )

  status = socket:send(data)
  if ( not(status) ) then return fail("Failed to send request") end

  status, data = socket:receive()
  if ( not(status) ) then return data end
  socket:close()

  local response = ldap.decode(data)

  -- make sure the result code was a success
  local rescode = ( #response >= 2 ) and response[2]
  local respname = ( #response >= 5 ) and response[5]

  if ( rescode ~= 0 ) then
    local errmsg = ( #response >= 4 ) and response[4] or "An unknown error occurred"
    return fail(errmsg)
  end

  -- make sure we get a NMAS Get Password Response back from the server
  if ( respname ~= NMASLDAP_GET_PASSWORD_RESPONSE ) then return end

  local universal_pw = ( #response >= 6 and #response[6] >= 3 ) and response[6][3]

  if ( universal_pw ) then
    local output = {}
    table.insert(output, ("Account: %s"):format(account))
    table.insert(output, ("Password: %s"):format(universal_pw))
    return stdnse.format_output(true, output)
  else
    return fail("No password was found")
  end
end