Notes HTTP password (was: Re: wanted: a script to try dictionary attacks against NOTES ID files)

[miguel.dilaj () pharma novartis com]

Hello people

The discussion on Notes ID bring something to my mind.
Some time ago people of Trust Factory showed a tool named 'sesame' to brute
force/dictionary attack of hashed Notes HTTP passwords in a Black Hat
convention. The algorythm used is a variant of RSA MD4 (without salt, so
each password gives only 1 hash). People of Trust Factory didn't release
sesame to the public.
Is there any other tool to attack those passwords? I take into account the
fact that people tends to use the same password in many places, Notes HTTP
password, Notes login, net login, etc. All tools I know are able to attack
standard MD4 with salt, not the Notes variant.
Best regards,

Miguel Dilaj



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/