Re: [PEN-TEST] Lotus Domino web

[Ari Weisz-Koves <aweisz () atwww com>]

Try to figure out if Domino is running as an ISAPI extension under IIS which
is pretty commonplace with Domino R5. If so, the IUSR_hostname account has
read/write privelages to the Domino data and application directories, which
would allow you to replace names.nsf with your own - containing your own
certificates. Plus, they may have Domino Webadmin running
(http://server/webadmin.nsf) - and that doesn't allow lockouts on brute
force attacks. Try accessing the names.nsf via a browser and see about brute
forcing an admin account so you can get at the certificates contained
inside, then spoof as a server from a Notes client if you can - local domain
servers will probably have full rights to everything.

Ari.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Jensen, Martin
Sent: Thursday, 21 December 2000 1:50 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Lotus Domino web


Hi,
I need to do a security audit on an NT40 server with Lotus Domino R5 for web
with Quickplace on top - with the focus of the test being the Lotus Domino
and accompanying quickplace server.
Does anyone have any experience with auditing such an environment? I'm
fairly well into the domino server, but the quickplace aspect is new to me,
and since it's accessed through a webserver, I was hoping that there might
be an opening there?

Martin