Penetration Testing mailing list archives
Re: Lotus Notes Server
From: AdamT <adwulf () gmail com>
Date: Fri, 9 Jun 2006 10:46:14 +0100
Seconded. If you can get at port 1352/tcp (the notes protocol), it's possible they've got their .id files stored as part of their directory, in which case you just need to know the name of a user, and it will give you their .id file. You'll have to brute force the password though. I've been to one place where 1352 was open from the outside world, all .id files were stored in the directory, and EVERY .id file was REQUIRED BY POLICY to be kept with the same two letter password. Like shooting fish.... NB: The .id file password will (in most cases) be different to the password they'd use to authenticate to a domino web page or mail service. The username for http, smtp, pop3 services and suchlike will usually be along the lines of Firstname Lastname, but it's possible to change that. All the information about the notes directory can be found in a file called names.nsf, and if you want to see which databases are on the server, look for catalog.nsf (not all databases will be listed - mailboxes, for example generally aren't). Mailboxes (mail databases) are usually found somewhere like /mail/jbloggs.nsf - and you can likely point your browser at that file and attempt to authenticate. Also - Check some of their web servers for domino - especially if they're running R4, and if you end up with a url that looks like /filename.nsf?(insert lots of junk here) - try cutting it back to the .nsf file and see what you can get. Also try changing the bit of the URL that says OpenDocument to EditDocument. I once found a large IT consultancy's job vacancies page allowed you to see and edit the details of rival candidates, as well as add in 'HR comments' on them. They changed that to an 'email us your CV' link pretty quick. If you have access to their file servers, have a look out for .id files in there, as many Notes admins like to keep a backup copy of all .id files for all users, usually with the same default password. I'd be tempted to call their helpdesk, explain that you're new here and you don't know what your notes ID password has been set top. 9 times out of 10, it'll be the same password the rest of the org uses as the initial password when .ids are created - so the helpdesk staff don't even need to look you up, they already *know* the password will be set to 'welcome2acme' or somesuch, and will just tell you in order to get you off the phone and increase their calltime stats. On 08/06/06, Michael Gargiullo <mgargiullo () pvtpt com> wrote:
A copy of the lotus client -----Original Message----- From: 09Sparky () gmail com [mailto:09Sparky () gmail com] Sent: Thursday, June 08, 2006 8:45 AM To: pen-test () securityfocus com Subject: Lotus Notes Server Can anyone give me some insight as to what I should expect to see when I do an internal assessment/pentest agains a Lotus Notes Server? Any help like what I should be looking for, what is common and any special tools used aside from nmap, nessus, etc.
-- AdamT "A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche ------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- Lotus Notes Server 09Sparky (Jun 08)
- Re: Lotus Notes Server Fransman Lucien (Jun 08)
- Re: Lotus Notes Server Tim (Jun 08)
- <Possible follow-ups>
- RE: Lotus Notes Server Michael Gargiullo (Jun 08)
- Re: Lotus Notes Server AdamT (Jun 09)
- Re: Lotus Notes Server kapil assudani (Jun 10)
- Re: Lotus Notes Server AdamT (Jun 09)