Re: UserID and hashed password for Lotus Domino

[HalbaSus <halbasus () go ro>]

Casper Gio wrote:

> hi,
> while doing security tests on a Lotus Domino sistem, I
> managed to get the UserID file for a user, and the
> hashed password of another user.
> I made it accessing thru the Internet, so I was a
> totally unpriviligied user. The way I made it, is
> simple:
>
> the company I'm doing this test for, left some of the
> domino databases open to the public. Among the others,
> there's the names.nsf database, wich contains info
> about the users. You just access this database with a
> url like: 
> http://domino_server/names.nsf
> Well, one user had his UserID file publicly
> accessible, and another user had his password digest
> stored in the database.
>
> Is there any way to obtain the password from the
> UserID, or to crack and obtain the password from its
> hash?
> (I read it was released a tool named "sesame"... any
> clue? here for more info about it:
> http://online.securityfocus.com/news/66 )
>
> I would be interested in demonstrate how to abtain a
> password or access to
> the system starting from the data I collected on the
> Internet.
> I would appreciate any help thanks.
>
>  
Hi, I am doing a test for a company also running Lotus Domino. I tried 
names nsf yet it asks for an authentification. According to 
http://packetstormsecurity.nl/0202-exploits/lotus.domino.bypass.txt 
there is a way to bypass the authentification by sending a buffer. I did 
a quick perl script that would brute force that buffer and I found 
something quite interesting.
An url like http://www.host.com/log.ntf++++x215+++++++.nsf would get me 
the same page as www.host.com/log.nsf (any other buffer would result in 
a server error) This gives me the feeling that the exploit does work, 
and what I'm actually seeing is log.ntf (not log.nsf) but probably the 2 
files are identical... or maybe I'm wrong... anyway, could you, or 
somebody else concernet about lotus domino security give me a clue about 
all this stuff.


>