  1. local bin = require "bin"
  2. local comm = require "comm"
  3. local ldap = require "ldap"
  4. local shortport = require "shortport"
  5. local stdnse = require "stdnse"
  6. local table = require "table"
  7.  
  8. description = [[
  9. Attempts to retrieve the Novell Universal Password for a user. You
  10. must already have (and include in script arguments) the username and password for an eDirectory server
  11. administrative account.
  12. ]]
  13.  
  14. ---
  15. -- Universal Password enables advanced password policies, including extended
  16. -- characters in passwords, synchronization of passwords from eDirectory to
  17. -- other systems, and a single password for all access to eDirectory.
  18. --
-- This script only succeeds when the password policy that applies to the
-- target account permits administrators to retrieve passwords ("Allow admin
-- to retrieve passwords" is set in the password policy); otherwise no
-- password is returned and only the error reported by the server is shown.
  22. --
  23. -- @args ldap-novell-getpass.account The name of the account to retrieve the
  24. -- password for
  25. -- @args ldap-novell-getpass.username The LDAP username to use when connecting
  26. -- to the server
-- @args ldap-novell-getpass.password The LDAP password to use when connecting
-- to the server. Script arguments are visible to other local users in the
-- process list (and in shell history), and the retrieved password is written
-- in clear text to Nmap's output, so use a dedicated administrative account
-- and protect the output files.
  29. --
  30. -- @usage
  31. -- nmap -p 636 --script ldap-novell-getpass --script-args \
  32. -- 'ldap-novell-getpass.username="CN=admin,O=cqure", \
  33. -- ldap-novell-getpass.password=pass1234, \
  34. -- ldap-novell-getpass.account="CN=paka,OU=hr,O=cqure"'
  35. --
  36. -- @output
  37. -- PORT STATE SERVICE REASON
  38. -- 636/tcp open ldapssl syn-ack
  39. -- | ldap-novell-getpass:
  40. -- | Account: CN=patrik,OU=security,O=cqure
  41. -- |_ Password: foobar
  42. --
  43.  
  44. -- Version 0.1
  45. -- Created 05/11/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
  46.  
  47.  
author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- Deliberately not in "default": the script needs administrative credentials
-- and prints a password, so it only runs when selected explicitly.
categories = {"discovery", "safe"}


-- Run against the standard LDAP (389) and LDAPS (636) ports, or any port whose
-- service was identified as ldap/ldapssl by version detection.
portrule = shortport.port_or_service({389,636}, {"ldap","ldapssl"})
  54.  
  55. function action(host,port)
  56.  
  57. local username = stdnse.get_script_args("ldap-novell-getpass.username")
  58. local password = stdnse.get_script_args("ldap-novell-getpass.password") or ""
  59. local account = stdnse.get_script_args("ldap-novell-getpass.account")
  60.  
  61. if ( not(username) ) then
  62. return "\n ERROR: No username was supplied (ldap-novell-getpass.username)"
  63. end
  64. if ( not(account) ) then
  65. return "\n ERROR: No account was supplied (ldap-novell-getpass.account)"
  66. else
  67. -- do some basic account validation
  68. if ( not(account:match("^[Cc][Nn]=.*,") ) ) then
  69. return "\n ERROR: The account argument should be specified as:\n" ..
  70. " \"CN=name,OU=orgunit,O=org\""
  71. end
  72. end
  73.  
  74. -- In order to discover what protocol to use (SSL/TCP) we need to send a
  75. -- few bytes to the server. An anonymous bind should do it
  76. local anon_bind = bin.pack("H", "300c020101600702010304008000" )
  77. local socket, _, opt = comm.tryssl( host, port, anon_bind, nil )
  78. if ( not(socket) ) then
  79. return "\n ERROR: Failed to connect to LDAP server"
  80. end
  81.  
  82. local status, errmsg = ldap.bindRequest( socket, {
  83. version = 3,
  84. username = username,
  85. password = password
  86. }
  87. )
  88.  
  89. if ( not(status) ) then return errmsg end
  90.  
  91. -- Start encoding the NMAS Get Password Request
  92. local NMASLDAP_GET_PASSWORD_REQUEST = "2.16.840.1.113719.1.39.42.100.13"
  93. local NMASLDAP_GET_PASSWORD_RESPONSE = "2.16.840.1.113719.1.39.42.100.14"
  94. -- Add a trailing zero to the account name
  95. local data = ldap.encode( account .. '\0' )
  96.  
  97. -- The following section could do with more documentation
  98. -- It's based on packet dumps from the getpass utility available from Novell Cool Solutions
  99. -- encode the account name as a sequence
  100. data = ldap.encode( { _ldaptype = '30', bin.pack("H", "020101") .. data } )
  101. data = ldap.encode( { _ldaptype = '81', data } )
  102. data = ldap.encode( { _ldaptype = '80', NMASLDAP_GET_PASSWORD_REQUEST } ) .. data
  103. data = ldap.encode( { _ldaptype = '77', data } )
  104.  
  105. -- encode the whole extended request as a sequence
  106. data = ldap.encode( { _ldaptype = '30', bin.pack("H", "020102") .. data } )
  107.  
  108. status = socket:send(data)
  109. if ( not(status) ) then return "ERROR: Failed to send request" end
  110.  
  111. status, data = socket:receive()
  112. if ( not(status) ) then return data end
  113. socket:close()
  114.  
  115. local _, response = ldap.decode(data)
  116.  
  117. -- make sure the result code was a success
  118. local rescode = ( #response >= 2 ) and response[2]
  119. local respname = ( #response >= 5 ) and response[5]
  120.  
  121. if ( rescode ~= 0 ) then
  122. local errmsg = ( #response >= 4 ) and response[4] or "An unknown error occured"
  123. return "\n ERROR: " .. errmsg
  124. end
  125.  
  126. -- make sure we get a NMAS Get Password Response back from the server
  127. if ( respname ~= NMASLDAP_GET_PASSWORD_RESPONSE ) then return end
  128.  
  129. local universal_pw = ( #response >= 6 and #response[6] >= 3 ) and response[6][3]
  130.  
  131. if ( universal_pw ) then
  132. local output = {}
  133. table.insert(output, ("Account: %s"):format(account))
  134. table.insert(output, ("Password: %s"):format(universal_pw))
  135. return stdnse.format_output(true, output)
  136. else
  137. return "\n ERROR: No password was found"
  138. end
  139. end