Vulnerability Development mailing list archives

Re[2]: UserID and hashed password for Lotus Domino


From: Philip Storry <phil () philipstorry net>
Date: Fri, 18 Oct 2002 17:57:58 +0100

Hello Nicolas,

Friday, October 18, 2002, 5:14:25 PM, you wrote:

NG> From http://www.cqure.net/tools04.html :

NG>         IPR is a tool for recovering passwords on Lotus Notes ID files.
NG>         It does this by guessing passwords you supply in a dictionary
NG>         file. It guesses approximately 400-500 passwords a second on a
NG>         PIII 1Ghz.

Well, well, well.

I go and say I've never seen such a tool, and when I send/receive my
email I find someone just gives me one.

I'd like to state, for the record, that I've never had a stranger
give me 20 million pounds for no apparent reason.

(Hey, can't blame a guy for trying! *grins*)

You'll need a dictionary file for this - I recommend Moby, available
here:
http://www.dcs.shef.ac.uk/research/ilash/Moby/

There's plenty of words in there, but I'm sure others have their own
recommendations.

As a side note, this appears to work by brute-force through the Notes
C API. Even minor obfuscation of a password - such as adding a letter
to the end of it - would make a dictionary useless. Unless you want to
create a dictionary with every possible combination in it, that is...

Still, it's interesting to see that. As a Domino professional, it
verifies to me that the password is hashed and stored, and that there
is no way to get it except via the Lotus/BSAFE APIs.

Most interesting...

-- 
Best regards,
 Philip                            mailto:phil () philipstorry net

