Penetration Testing mailing list archives
Re: Domino testing
From: "A Plasmoid" <skinodo () gmail com>
Date: Mon, 23 Jul 2007 17:00:35 -0400
Thanks so much all of you for your suggestions. I figured out the "remove the colon" bit a while back, and found that the file cldbdir.nsf varies between servers. I have found that there are really five IP addresses with Domino servers on them. One seems to be a cluster controller, two seem to be cluster members, and two seem to be completely different. However, the cldbdir.nsf file seems to be the same on the cluster controller and its two nodes. On these servers there is only a single file called anything like mail presented in the cldbdir.nsf. That said, the cldbdir.nsf file on the other two contains all of the information from the cluster, but I've also now found hundreds of email boxes like mail/xyz01234.nsf - and when I browse to them (from the default view), I see the box is titled "Some Name", which is very nice - so I can enumerate the users.

But how can I be sure that the mail users are "authorized" in names.nsf - or does that go without saying? Is there a way to get group membership information?

Thanks again! I very much appreciate all the help.

BTW, I've also found that one can access the same file like a thousand ways (if it isn't ACL'd in the first place):

http://server/names.nsf
http://server\names.nsf
http://server/98127634764534
http://server\98127634764534
http://server/%6eames.nsf
http://server/__98127634764534.nsf

ad nauseam.

Some of the documentation I've stumbled across makes it seem as though one has to be very, very careful to ensure that each and every iteration is accounted for when setting ACLs - this seems to be a lot of work. Then again, the documentation seems to be eons old (circa 2004), so maybe things have changed since then ;)

Ciao

On 7/23/07, Chris.McGinley () sungard com <Chris.McGinley () sungard com> wrote:
If cldbdir.nsf contains the names of mail databases, then you should be able to see the mail database title, file name, and replica ID. The file name can be entered in the URL like so:

http://server/<nsf filename>

And you can directly insert the replica ID (minus the colon) like so (using your example from below):

http://server/74147FC1000F0B27

The mail1.box file that you are referring to is the server's router mailbox; all email is transferred there so that it can be delivered to its destination. It's normal to have 'Depositor' access to that, meaning you can drop stuff there but see nothing.

As for the administrator account, there is not a standard name in Domino; it is defined by the person who installs the software for the first time, and it can be anything.

-Chris

"A Plasmoid" <skinodo () gmail com>
07/23/2007 10:14 AM
To: "Chris.McGinley () sungard com" <Chris.McGinley () sungard com>
cc: pen-test () securityfocus com
Subject: Re: Domino testing

Thanks Chris,

I do have access to cldbdir.nsf - and it seems that I can get the replica IDs of hundreds of files, like webadmin.nsf... Trouble is, I get it in this format:

74147FC1:000F0B27

Is there a way to use a replica ID to gain access to the real file? If so, then how does one convert the above to something usable?

Also, there seems to be only a single mail1.box on the server in question - my guess would be that this is the admin mailbox. Is there an algorithm to convert to a name? Is administrator the admin for Domino on Windows?

Thanks again

On 7/23/07, Chris.McGinley () sungard com <Chris.McGinley () sungard com> wrote:

If you can access the cldbdir.nsf database, you may be able to disclose the names of mail files. Equate that to user names and you have yourself a list of names to use for password guessing against the protected databases (e.g. names.nsf). dba4.nsf may give you some info about a specific database, but probably nothing very useful for gaining access.
The others are sample & help databases... the help db may give you info about the host OS, but nothing more. In a situation like this, your best bet is to guess a user/pass and get access to names.nsf and elevate privs.

-Chris

"A Plasmoid" <skinodo () gmail com>
Sent by: listbounce () securityfocus com
07/20/2007 04:22 PM
To: pen-test () securityfocus com
cc:
Subject: Domino testing

I'm new to Domino testing, and have found a few interesting databases. I am wondering if there is anything that could be done with them. Specifically, there are:

cldbdir.nsf
dba4.nsf
qstart.nsf
/sample/faqw46.nsf
/sample/pagesw46.nsf (several others in sample)
/help/help5_designer.nsf (several others in help)

The ?EditDocument functionality is locked down with "basic authentication", but I can view them. There is not a lot of info (that I have found) regarding Domino, so I'm hoping that some kind person here can tell me whether these things can be leveraged into a deeper level of access or not. All of the other "important" databases like names.nsf, webadmin.nsf, and others are also protected with basic auth.

Thanks for any hints, clues, and even "Google is your friend" stuff (as long as there is a corresponding reasonable search parameter) :)

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer
http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------
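The thread above lists several spellings of the same Domino database URL (file name, replica ID with the colon removed, backslash instead of slash, a percent-encoded file name, and the __<replica>.nsf form). The following is an added example, not code from anyone in the thread: it turns a cldbdir.nsf-style replica ID into its URL form, generates every variant named in the thread for a database, and probes them through an injectable fetch callable so the result can be grouped by "readable", "asks for auth", and "other". The base URL http://server, the replica IDs in FAKE_DATABASES, and fake_fetch are all constructed for the demo; fake_fetch stands in for a real HTTP GET and resolves each spelling back to one database so that all aliases of a database return the same status, which is what a per-database ACL should give. Swap in a real fetcher only against a host you are authorized to test.

```python
"""Enumerate Domino database URL variants and check them for consistent access.

Added example for the pen-test thread on Domino testing; it is not code from
the thread. Everything under 'Constructed demo data' is made up.
"""
from typing import Callable, Dict, List
from urllib.parse import unquote


def replica_id_to_url_form(replica_id: str) -> str:
    """cldbdir.nsf shows replica IDs as 'XXXXXXXX:XXXXXXXX'; in a URL the colon
    is dropped, e.g. '74147FC1:000F0B27' -> '74147FC1000F0B27'."""
    rid = replica_id.replace(":", "").strip().upper()
    if len(rid) != 16 or any(c not in "0123456789ABCDEF" for c in rid):
        raise ValueError(f"not a replica ID: {replica_id!r}")
    return rid


def percent_encode_first_char(name: str) -> str:
    """names.nsf -> %6eames.nsf, the percent-encoded spelling from the thread."""
    return "%%%02x%s" % (ord(name[0]), name[1:])


def url_variants(base: str, filename: str, replica_id: str) -> List[str]:
    """Every spelling of one database listed in the thread: file name,
    percent-encoded file name, bare replica ID and '__<replica>.nsf', each
    with '/' and with '\\' as the separator after the host."""
    rid = replica_id_to_url_form(replica_id)
    names = [filename, percent_encode_first_char(filename), rid, f"__{rid}.nsf"]
    return [f"{base}{sep}{n}" for sep in ("/", "\\") for n in names]


def probe(urls: List[str], fetch: Callable[[str], int]) -> Dict[str, List[str]]:
    """Group URLs by HTTP status: 200 -> 'open', 401 -> 'auth', anything else
    -> 'other'. A database whose aliases land in different groups is the
    inconsistency the poster was worried about."""
    result: Dict[str, List[str]] = {"open": [], "auth": [], "other": []}
    for url in urls:
        status = fetch(url)
        result["open" if status == 200 else "auth" if status == 401 else "other"].append(url)
    return result


# --- Constructed demo data (not from the thread) ---------------------------
# (file name, made-up replica ID, status the fake server returns)
FAKE_DATABASES = [
    ("names.nsf", "0123ABCD:4567EF89", 401),   # protected: basic auth
    ("cldbdir.nsf", "89ABCDEF:01234567", 200),  # readable anonymously
]


def fake_fetch(url: str) -> int:
    """Constructed stand-in for an HTTP GET. Normalises the path the way the
    thread says the server treats it (backslash as slash, percent-decoding,
    '__<replica>.nsf' as a replica ID) and returns the database's status."""
    path = url.split("://", 1)[1].replace("\\", "/").split("/", 1)[1]
    key = unquote(path).lower()
    if key.startswith("__") and key.endswith(".nsf"):
        key = key[2:-4]
    for filename, rid, status in FAKE_DATABASES:
        if key in (filename.lower(), replica_id_to_url_form(rid).lower()):
            return status
    return 404


def demo(base: str = "http://server") -> Dict[str, List[str]]:
    """Generate all variants for the demo databases and probe the fake server."""
    urls: List[str] = []
    for filename, rid, _ in FAKE_DATABASES:
        urls.extend(url_variants(base, filename, rid))
    return probe(urls, fake_fetch)


if __name__ == "__main__":
    for group, hits in demo().items():
        print(group)
        for u in hits:
            print("  ", u)
```

Against a real target, replace fake_fetch with a function that issues the GET (urllib.request with an opener that does not follow redirects is enough) and returns the status code; a database showing up in both "open" and "auth" means one of its spellings is bypassing the check the others hit.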
Current thread:
- Domino testing A Plasmoid (Jul 20)
- Re: Domino testing Marco Ivaldi (Jul 23)
- Re: Domino testing Daniele Bellucci (Jul 23)
- <Possible follow-ups>
- Re: Domino testing A Plasmoid (Jul 23)