Penetration Testing mailing list archives

Re: Domino testing


From: "A Plasmoid" <skinodo () gmail com>
Date: Mon, 23 Jul 2007 17:00:35 -0400

Thanks so much all of you for your suggestions.

I figured out the "remove the colon" bit a while back... and found that
the file cldbdir.nsf varies between servers...

I have found that there are really five IP addresses with domino
servers on them. One seems to be a cluster controller, two seem to be
cluster members, and two seem to be completely different.

However, the cldbdir.nsf file seems to be the same on the cluster
controller, and its two nodes. On these servers there is only a single
file called anything like mail presented in the cldbdir.nsf.

That said, the cldbdir.nsf file on the other two contains all of the
information from the cluster but I've also now found hundreds of email
boxes like mail/xyz01234.nsf - and when I browse to them (from the
default view), I see the box is titled "Some Name" which is very nice
- so I can enumerate the users. But, how can I be sure that the mail
users are "authorized" in names.nsf - or does that go without saying?

Is there a way to get group membership information?
Thanks again!

I very much appreciate all the help


BTW, I've also found that one can access the same file like a thousand
ways (if it isn't acl'd in the first place):

http://server/names.nsf
http://server\names.nsf
http://server/98127634764534
http://server\98127634764534
http://server/%6eames.nsf
http://server/__98127634764534.nsf
ad nauseam

Some of the documentation I've stumbled across makes it seem as though
one has to be very very careful to ensure that each and every
iteration is accounted for when setting acls - this seems to be a lot
of work.  Then again, the documentation seems to be eons old (circa
2004) so maybe things have changed since then ;)

Ciao
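For the defender's side of the two points above (the many URL spellings for one database, and the walk through hundreds of mail/*.nsf files by title), here is an added example that is not part of this thread: a small Python log analyser that collapses the spelling variants into one database key and flags clients opening many distinct mail databases. It assumes Common Log Format lines as the Domino HTTP task can write them; the sample lines, client addresses and file names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample lines in Common Log Format (which the Domino HTTP task can
# write); clients, timestamps and file names are made up for this example.
SAMPLE_LOG = [
    r'10.0.0.5 - - [23/Jul/2007:10:14:01 -0400] "GET /names.nsf HTTP/1.1" 401 0',
    r'10.0.0.5 - - [23/Jul/2007:10:14:02 -0400] "GET /%6eames.nsf HTTP/1.1" 200 812',
    r'10.0.0.5 - - [23/Jul/2007:10:14:03 -0400] "GET \names.nsf HTTP/1.1" 200 812',
    r'10.0.0.5 - - [23/Jul/2007:10:14:04 -0400] "GET /__74147FC1000F0B27.nsf HTTP/1.1" 200 812',
    r'10.0.0.5 - - [23/Jul/2007:10:14:05 -0400] "GET /mail/xyz01234.nsf HTTP/1.1" 200 4011',
    r'10.0.0.5 - - [23/Jul/2007:10:14:06 -0400] "GET /mail/xyz01235.nsf HTTP/1.1" 200 3990',
    r'10.0.0.5 - - [23/Jul/2007:10:14:07 -0400] "GET /mail/xyz01236.nsf?OpenDatabase HTTP/1.1" 200 4102',
    r'10.0.0.9 - - [23/Jul/2007:10:20:00 -0400] "GET /mail/abc00001.nsf HTTP/1.1" 200 4011',
]

CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# A replica ID is 16 hex digits; Domino displays it as 8:8 and accepts it in a
# URL bare or as __<id>.nsf (the colon must be dropped, as the thread notes).
REPLICA_RE = re.compile(r'^(?:__)?([0-9A-F]{8}):?([0-9A-F]{8})(?:\.nsf)?$', re.I)
MAIL_DB_RE = re.compile(r'^mail/[^/]+\.nsf$')

def normalize_db_path(raw_path: str) -> str:
    """Collapse the URL spellings Domino accepts for one database into one key:
    backslashes, percent-encoding (even nested), case, query string, replica IDs."""
    path = raw_path.split('?', 1)[0]            # drop ?OpenDatabase etc.
    for _ in range(3):                          # undo %6e, %256e, ...
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts = [p for p in path.replace('\\', '/').split('/') if p not in ('', '.')]
    m = REPLICA_RE.match(parts[-1]) if parts else None
    if m:
        return 'replica:' + (m.group(1) + m.group(2)).upper()
    return '/'.join(parts).lower()

def mail_db_enumeration(lines, threshold=3):
    """Clients that successfully opened at least `threshold` distinct mail/*.nsf
    databases: the browse-by-title walk through mail files described above."""
    seen = defaultdict(set)
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not m['status'].startswith('2'):
            continue
        key = normalize_db_path(m['path'])
        if MAIL_DB_RE.match(key):
            seen[m['client']].add(key)
    return {c: sorted(dbs) for c, dbs in seen.items() if len(dbs) >= threshold}
```

Running `mail_db_enumeration(SAMPLE_LOG)` reports only 10.0.0.5, and the same normalizer is what you want in front of any ACL check that compares paths as strings, so that every spelling of names.nsf is judged by the same rule.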

On 7/23/07, Chris.McGinley () sungard com <Chris.McGinley () sungard com> wrote:

If cldbdir.nsf contains the names of mail databases, then you should be able to see the mail database title,
file name, and replica ID. The file name can be entered in the URL like so -

        http://server/<nsf filename>

And, you can directly insert the replica id (minus the colon) as so (using your example from below) -
        http://server/74147FC1000F0B27

The mail1.box file that you are referring to is the server's router mailbox; all email is transferred there so
that it can be delivered to its destination. It's normal to have 'Depositor' access to that, meaning you can
drop stuff there but see nothing.

As for the administrator account, there is not a standard name in Domino; it is defined by the person who
installs the software for the first time and it can be anything.

-Chris


"A Plasmoid" <skinodo () gmail com>
07/23/2007 10:14 AM

To: "Chris.McGinley () sungard com" <Chris.McGinley () sungard com>
cc: pen-test () securityfocus com
Subject: Re: Domino testing

Thanks Chris,

 I do have access to cldbdir.nsf - and it seems that I can get the replica IDs of hundreds of files, like 
webadmin.nsf...

 Trouble is, I get it in this format:

 74147FC1:000F0B27

 Is there a way to use a replica ID to gain access to the real file? If so, then how does one convert the above to 
something usable?

 Also, there seems to be only a single mail1.box on the server in question - my guess would be that this is the admin 
mailbox. Is there an algorithm to convert to a name? Is administrator the admin for Domino on Windows?

 Thanks again

On 7/23/07, Chris.McGinley () sungard com < Chris.McGinley () sungard com> wrote:

 If you can access the cldbdir.nsf database, you may be able to disclose
 the names of mail files. Equate that to user names and you have yourself a
 list of names to use for password guessing against the protected databases
 (e.g. names.nsf).

 dba4.nsf may give you some info about a specific database, but probably
 nothing very useful for gaining access. The others are sample & help
 databases...the help db may give you info about the host OS, but nothing
 more.

 In a situation like this, your best bet is to guess a user/pass and get
 access to names.nsf and elevate privs.

 -Chris

 "A Plasmoid" <skinodo () gmail com>
 Sent by: listbounce () securityfocus com
 07/20/2007 04:22 PM

 To: pen-test () securityfocus com
 cc:
 Subject: Domino testing

 I'm new to Domino testing, and have found a few interesting databases.
 I am wondering if there is anything that could be done with
 them. Specifically, there are:

 cldbdir.nsf
 dba4.nsf
 qstart.nsf
 /sample/faqw46.nsf
 /sample/pagesw46.nsf (several others in sample)
 /help/help5_designer.nsf (several others in help)

 The ?EditDocument functionality is locked down with "basic
 authentication" but I can view them. There is not a lot of info (that I
 have found) regarding domino, so I'm hoping that some kind person here
 can tell me whether these things can be leveraged into a deeper level
 of access or not.

 All of the other "important" databases like names.nsf, webadmin.nsf,
 and others are also protected with basic auth.

 Thanks for any hints, clues, and even "Google is your friend" stuff
 (as long as there is a corresponding reasonable search parameter ) :)

