Vulnerability Development mailing list archives
Re[2]: UserID and hashed password for Lotus Domino
From: Philip Storry <phil () philipstorry net>
Date: Fri, 18 Oct 2002 17:57:58 +0100
Hello Nicolas,

Friday, October 18, 2002, 5:14:25 PM, you wrote:

NG> From http://www.cqure.net/tools04.html :

NG> IPR is a tool for recovering passwords on Lotus Notes ID files.
NG> It does this by guessing passwords you supply in a dictionary
NG> file. It guesses approximately 400-500 passwords a second on a
NG> PIII 1Ghz.

Well, well, well. I go and say I've never seen such a tool, and when I send/receive my email I find someone just gives me one.

I'd like to state, for the record, that I've never had a stranger give me 20 million pounds for no apparent reason.

(Hey, can't blame a guy for trying! *grins*)

You'll need a dictionary file for this - I recommend Moby, available here:
http://www.dcs.shef.ac.uk/research/ilash/Moby/

There's plenty of words in there, but I'm sure others have their own recommendations.

As a side note, this appears to work by brute-force through the Notes C API. Even minor obfuscation of a password - such as adding a letter to the end of it - would make a dictionary useless. Unless you want to create a dictionary with every possible combination in it, that is...

Still, it's interesting to see that. As a Domino professional, it verifies to me that the password is hashed and stored, and that there is no way to get it except via the Lotus/BSAFE APIs.

Most interesting...

--
Best regards,
 Philip
mailto:phil () philipstorry net