Penetration Testing mailing list archives

Re: [PEN-TEST] Lotus Notes ID Files


From: Patrick Mueller <patrick () ETCSECURITY ORG>
Date: Fri, 20 Oct 2000 22:01:46 -0500

On Thu, 19 Oct 2000, Ansar Mohammed wrote:
      It is common knowledge that the use of Lotus Notes ID files is
      a security risk.

They are a security risk in the sense that most users are not familiar
with the concepts of PKI, and hence, may be careless with their ID files.
Notes security is built around what is essentially a proprietary PKI. You
must protect the private key (read: ID file), just as you would the
private key in any other public-key crypto system (e.g. ssh,
software-token PKI).


However, has anyone been able to decrypt these files
yet to get the password? Even by brute force?

I am not aware of any available tools to brute force a Notes ID file. Many
people ask (see USENET), but there are no tools. There is also a lack of
information available on what crypto algos Notes is using. This obscurity
is surely partly to thank for the lack of tools, but if someone puts some
work into it, the algo will surely go the way of other proprietary algos
(read: broken).

As far as brute forcing goes, this is theoretically possible. By asking the
question, one assumes that you already have the ID file. The method of the
attack is what I'm not sure about. You *may* be able to use LotusScript to
write this (I'm not a Notes coder). Or you may have to do some kind of
windoze scripting to feed attempts straight into the Notes client itself.

Depending on what you are trying to do, there may be another password that
you can get. Look at the "http_password" field available in the records in
the NAB. I believe that it is used to log into Domino servers via http,
but I could be wrong (any Notes/Domino experts?). Anyway, the hash used to
be very weak (read: XOR), but has been improved. Again, this algo is not
disclosed (AFAIK), and anyway, doing dictionary based attacks on these
hashes is another attack vector.


Patrick Mueller

