Penetration Testing mailing list archives
Re: [PEN-TEST] Lotus Notes ID Files
From: Patrick Mueller <patrick () ETCSECURITY ORG>
Date: Fri, 20 Oct 2000 22:01:46 -0500
On Thu, 19 Oct 2000, Ansar Mohammed wrote:
It is common knowledge that the use of Lotus Notes ID files are a security risk.
They are a security risk in the sense that most users are not familiar with the concepts of PKI, and hence, may be careless with their ID files. Notes security is built around what is essentially a proprietary PKI. You must protect the private key (read: ID file), just as you would the private key in any other public-key crypto system (e.g. ssh, software-token PKI).
However, has anyone been able to decrypt these files yet to get the password. Even by brute force?
I am not aware of any available tools to brute force a Notes ID file. Many people ask (see USENET), but there are no tools. There is also a lack of information available on what crypto algo's Notes is using. This obscurity is surely partly to thank for the lack of tools, but if someone puts some work into it, the algo will surely go the way of other proprietary algo's (read: broken). As far as brute forcing, this is theoretically possible. By asking the question, one assumes that you already have the ID file. The method of the attack is what I'm not sure about. You *may* be able to use LotusScript to write this (I'm not a Notes coder). Or you may have to do some kind of windoze scripting to feed attempts straight into the Notes client itself. Depending on what you are trying to do, there may be another password that you can get. Look at the "http_password" field available in the records in the NAB. I believe that it is used to log into Domino servers via http, but I could be wrong (any Notes/Domino experts?). Anyway, the hash used to be very weak (read: XOR), but has been improved. Again, this algo is not disclosed (AFAIK), and anyway, doing dictionary based attacks on these hashes is another attack vector. Patrick Mueller
Current thread:
- [PEN-TEST] OT - How secure is an ISDN line? David Fox (Oct 18)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Vitaly McLain (Oct 18)
- [PEN-TEST] Lotus Notes ID Files Ansar Mohammed (Oct 19)
- Re: [PEN-TEST] Lotus Notes ID Files Patrick Mueller (Oct 21)
- [PEN-TEST] Lotus Notes ID Files Ansar Mohammed (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? van der Kooij, Hugo (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? JLJ (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Cold Fire (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Peter Van Epp (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? van der Kooij, Hugo (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Cold Fire (Oct 20)
- <Possible follow-ups>
- Re: [PEN-TEST] OT - How secure is an ISDN line? Clem Colman (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Kris Carlier (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? van der Kooij, Hugo (Oct 20)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Kris Carlier (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Dunker, Noah (Oct 19)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Knowledgebase i-Net Security (Oct 19)
(Thread continues...)
- Re: [PEN-TEST] OT - How secure is an ISDN line? Vitaly McLain (Oct 18)