Penetration Testing mailing list archives

Introducing a new tool to help pen-testers where there're Domino servers


From: miguel.dilaj () pharma novartis com
Date: Thu, 12 Dec 2002 01:13:28 +0100

Hi all

(I'm back here since a loooong time)

I faced sometimes the need to pen-test a network where there're Lotus 
Domino servers badly configured, that expose names.nsf to the world.
But this is usually of less help than it can be, because you can only 
gather information about the users, but you can only get the encrypted 
HTTP password for them (provided they HAVE an HTTP password, and the 
Domino version is not one of the latest, that didn't show the HTTP 
password field even when names.nsf is exposed).
Currently you've a couple tools available to crack those hashes, but 
they're Windows tools that need the Notes Client (at least nnotes.dll), 
and are awfully slow, because they use the encryption algorithm from 
nnotes.dll, and this algorithm has some delays on purpose, to avoid fast 
use of it while cracking.
Since Defcon the last year, the people of Trust Factory developed a tool 
named 'sesame' to crack the hashes, but it never became available to the 
public (so I don't really know if it uses nnotes.dll or not). I also know 
that there're some individuals that have such a tool, but are not willing 
to, for example, put it into the Tools section in SecurityFocus.
Well, let's go to the point. Together with a Spanish friend of mine, we 
developed a tool named Lepton's Crack (after my friend's nickname), that 
can crack:

* Notes/Domino HTTP passwords (only Release 4, not the new ones used in 
R5/6)
* pure MD4
* pure MD5
* NT hashes (MD4/Unicode)

Using either:

* dictionary attack
* "intelligent permutations" on dictionary words attack
* "login mode" attack, that tries userID, userIDuserID, etc., as the 
password
* bruteforce attack

The tool has been released today, is under GPL, and you can get it at:

http://usuarios.lycos.es/reinob/

I'll put it into the Tools section of SecurityFocus in a couple days... 
currently I'm trying to make Domino admins in several forums aware of its 
existence ;-)
Hope you find it useful.
Kind regards,

Miguel Dilaj
a.k.a. Nekromancer
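
For Domino admins reading this announcement, the "login mode" and dictionary attacks listed above can be blunted by rejecting such passwords when they are set. The Python check below is an added example, not part of the original post and not code from Lepton's Crack; the function names, the decoration-stripping rule, the reversed-ID and ID-part variants, and the sample wordlist are assumptions made for illustration.

```python
import re

def _is_repetition(text, unit):
    """True when non-empty text is unit repeated one or more times."""
    if not text or not unit or len(text) % len(unit):
        return False
    return unit * (len(text) // len(unit)) == text

def login_derived(user_id, password):
    """Detect passwords built from the user ID: userID, userIDuserID, etc.

    Beyond the two forms named in the post, this also treats the reversed
    ID, the separate parts of a dotted ID, and leading/trailing digits or
    punctuation as login-derived (assumptions of this example).
    """
    uid = user_id.casefold()
    pw = password.casefold()
    # Strip decoration such as "2002" or "!" around the core of the password.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    units = {uid, uid[::-1]}
    units.update(p for p in re.split(r"[\W_]+", uid) if len(p) >= 3)
    return any(_is_repetition(t, u) for t in (pw, core) for u in units)

def rejection_reasons(user_id, new_password, wordlist):
    """Return the reasons a new password should be refused (empty list = accept)."""
    reasons = []
    if login_derived(user_id, new_password):
        reasons.append("login-derived")
    if new_password.casefold() in wordlist:
        reasons.append("dictionary word")
    return reasons

# Constructed sample data, not taken from any real directory.
SAMPLE_WORDLIST = {"password", "domino", "lotus", "welcome"}

if __name__ == "__main__":
    for uid, pw in [("jdoe", "jdoejdoe"), ("miguel.dilaj", "Dilaj2002"),
                    ("jdoe", "Domino"), ("jdoe", "k7#Vq-uL9w")]:
        print(uid, pw, rejection_reasons(uid, pw, SAMPLE_WORDLIST))
```
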

