Re: wanted: a script to try dictionary attacks against NOTES ID files

[jjore () imation com]

I'm responding to both messages at once.

The notes.id password is logically distinct from the HTTP password. That 
said, many notes users set the same password in both places. The HTTP 
password may be either salted or unsalted depending on whether the 
administrators have configured the server that way.

There are two *easy* ways to attack a HTTP password. Throw a dictionary at 
the @Password(string) function and compare this with the unsalted password 
from the address book. Alternatively, run a dictionary against a httpd and 
attempt to login that way. Obviously that will generate buckets of log 
messages. I hear that there's a crypto-analysis attack on the 
notes.id+httpd password but you'd have to be smarter than me to make it 
work.

Cracking a .id would be nicer since that may be done offline. In the 
absense of a regular scripted approach you could fake a machine out and 
run something that simulates a user moving the mouse and typing at the 
keyboard. While that'd be a pain and not particularly fast it'll be faster 
to setup than doing the password checking via the Notes API.

Joshua b. Jore

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/