Vulnerability Development mailing list archives

Re: UserID and hashed password for Lotus Domino


From: "gpedone77" <gpedone77 () yahoo it>
Date: Sat, 19 Oct 2002 19:19:54 +0200

> I guessed the way before you even described it. Which version of
> Domino is this? (Type 'show server' at the server console to find
> out.)

5.0.9a


> 2. The ID file is on the person document because a lazy administrator
> left it there.

Guess so, and I don't know for what strange reason, since other users didn't
have the ID available (I couldn't check all 2000 users anyway).



> 3. The password digest is NOT necessarily the same as the password in
> the ID file. The most recent version of Domino/Notes (R6) does, I
> believe, offer the option of changing the internet password (The
> digest you describe) when the ID password is changed - but obviously
> the ID file's password cannot be changed from the internet browser
> end, as the browser has no knowledge of what an ID file is.

The password in the ID file is the password to log in to Domino, right?
One user had the password digest shown in the Administration section of his
document, but not the Internet (HTTP) password.

Since this user is my dad (he works at this company) I had the chance to ask
him to let me see his internet password digest... well, it's different from the
latter digest, even though he told me the password is the same.
So... does that mean that Domino 5.0.9a uses "salted" hashes?
Or does that mean that Domino 5.0.9a uses two *different* algorithms for the ID
password and the HTTP password?




> Lotus is extremely coy about the ID file format. However, I do know
> that they use the RSA BSAFE libraries, and that the password can be
> checked by the server to ensure that the ID file and a stored hash at
> the server are the same. This suggests to me that the password is
> stored as a hash in the file, making it difficult - if not practically
> impossible - to extract the original password plaintext from.


I wonder, what need is there to store the password inside the ID file?
Why not just keep it on the server?
(Uhmm, maybe this is for when you log in with the Notes client and you're not
connected to the server? I don't know much about the Domino world, sorry.)



> CG> I would be interested in demonstrating how to obtain a
> CG> password or access to
> CG> the system starting from the data I collected on the
> CG> Internet.
> CG> I would appreciate any help thanks.
>
> If you manage to do it, please let me know. As far as I'm aware, that
> ID file is a waste of time. The better bet might be to go after the
> hashed internet password (Not the ID password) in the Person record.


Do you mean that the hashing of the Internet password is *weaker* than the
hashing of the ID password?

Right now I cannot keep my home computer crunching passwords because it
takes really long and 100% CPU, and I don't even know if that is possible (as
you said).
But I can give it a try. I can ask my dad to give me his user ID file, then
write his password into the dictionary file, and then try the attack... just
to see if that tool other people suggested to me really works.



> Sorry for the length of my reply, but I wanted to be clear in putting
> across that none of these are - as far as I'm aware - security holes.



Many thanks for this.
I do know these are security holes just because of sloppy administration,
not because of Domino, which I consider a very, very secure platform.
Thanks a lot :)


Casper


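The question raised in this message (why the same password can show up as two different digests: salting, or two different algorithms) is illustrated below with an added, self-contained example. It is not code from this thread, from Lotus, or from Domino, whose ID-file and password-digest formats the thread itself says are undocumented; the SHA-256-over-salt-plus-password scheme, the "salt$digest" record layout, the fixed salts and the SHA-1/SHA-256 pairing are all assumptions chosen for illustration. The point it demonstrates from the verifier's side is that two records for one password can hold different digests and both still verify, because the stored salt is used at check time, so digest inequality alone says nothing about whether two passwords match.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed salts for the two example records (16 bytes each, not real data).
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def make_digest(password: str, salt: bytes) -> str:
    """Hypothetical salted scheme: SHA-256 over salt || UTF-8 password.
    An assumption for illustration only, not Domino's actual algorithm."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build a stored record of the assumed form "salt_hex$digest_hex".
    A fresh random salt is drawn unless a fixed one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    return f"{salt.hex()}${make_digest(password, salt)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the salt carried in the record and compare
    in constant time; the verifier never needs the plaintext stored anywhere."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = make_digest(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def digest_of(stored: str) -> str:
    """Return just the digest half of a stored record."""
    return stored.split("$", 1)[1]


def unsalted_digests(password: str) -> tuple:
    """The thread's second explanation: two *different* unsalted algorithms
    (assumed here to be SHA-1 and SHA-256) over one password also differ."""
    data = password.encode("utf-8")
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def demo(password: str = "correct horse") -> dict:
    """Run both explanations on one constructed password and report the facts."""
    record_a = store_password(password, SALT_A)
    record_b = store_password(password, SALT_B)
    sha1_digest, sha256_digest = unsalted_digests(password)
    return {
        # Same password, different salts: digests differ...
        "salted_digests_differ": digest_of(record_a) != digest_of(record_b),
        # ...yet both records verify, because each carries its own salt.
        "both_records_verify": verify_password(password, record_a)
        and verify_password(password, record_b),
        # A wrong guess is rejected against either record.
        "wrong_password_rejected": not verify_password("wrong", record_a),
        # Two algorithms over the same input also give unrelated digests.
        "algorithms_differ": sha1_digest != sha256_digest,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the four checks, all of which should print True. The design point for anyone reading digests out of a directory record: a salted scheme deliberately makes equal passwords look unequal, so the only meaningful check is to recompute with the record's own salt, as `verify_password` does.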
