Penetration Testing mailing list archives

Re: Pen-Testing Lotus Notes/Domino


From: Josh Daymont <joshd () midgard net>
Date: Tue, 9 Oct 2001 14:49:53 -0700 (PDT)


Johann,

You may want to contact Application Security Inc.  They have said that
they plan to start beta-testing a new Lotus Domino Scanning/PenTesting
application next month.  According to ASI, this will be a full-featured
tool that will scan for, identify and then perform a detailed inspection
of a Domino server over any and all ports that are open.  ASI can be
reached at (212) 490-6022 and/or http://www.appsecinc.com/.

In the meantime there's a couple of things that you can do to test Domino
servers that operate over the HTTP protocol.  This is by no means a
complete list and is just intended as a starter:  If the server is
configured to allow anonymous connections you will be able to point a
browser at it and be directed towards http://server/homepage.nsf.  If not
then unpack your favorite brute forcer (e.g. authforce) and cross your
fingers.

Once you can view content, try the ?OpenServer command; unless the server
is wide open then this will probably fail.  If you can successfully
get at the URL http://server/webadmin.nsf then you have hit jackpot.  In
general at this point you want to poke around and see what is available,
especially if you were able to brute force a username/password pair.
In addition to webadmin.nsf, try to access key databases like names.nsf,
events4.nsf, log.nsf, and decsadm.nsf.

Of course there's always the possibility that the underlying OS is insecure,
at which point you can just copy the databases to another server and view
them there, provided that they are not encrypted.

-Josh Daymont

On Tue, 9 Oct 2001, Johann van Duyn wrote:

Hi there...

I am about to do a security audit (of the semi-pen-test variety) on a
network with Lotus Domino and Notes R5 running on it.

I am a bit out of my depth regarding Domino and Notes, being a bit of an
Exchange fan myself. Can anyone give me a few pointers and possible gotchas
that could benefit me (and, ultimately, the company I'm working for) in
this?

Much appreciated.

:-)

Johann
Confidentiality Notice: The information in this document and
attachments is confidential and may also be legally privileged.
It is intended only for the use of the named recipient. Internet
communications are not secure and therefore British American
Tobacco does not accept legal responsibility for the contents of
this message. If you are not the intended recipient, please notify us
immediately and then delete this document. Do not disclose the
contents of this document to any other person, nor take any copies.
Violation of this notice may be unlawful.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
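
Added example, not part of the original message or of any Domino tooling: a log review a server owner could run to see whether the databases and the ?OpenServer command named in the reply above were requested, and whether any were served to an unauthenticated client. It assumes the HTTP log is available as Common Log Format text lines; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Databases and URL command named in the message above.
SENSITIVE_DBS = {"webadmin.nsf", "names.nsf", "events4.nsf", "log.nsf", "decsadm.nsf"}

# Assumption: the HTTP log is available as Common Log Format text lines.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2001:14:01:02 -0700] "GET /homepage.nsf HTTP/1.0" 200 5120',
    '192.0.2.10 - - [09/Oct/2001:14:01:09 -0700] "GET /?OpenServer HTTP/1.0" 401 210',
    '192.0.2.10 - - [09/Oct/2001:14:01:15 -0700] "GET /NAMES.NSF/People?OpenView HTTP/1.0" 200 8841',
    '192.0.2.10 - - [09/Oct/2001:14:01:21 -0700] "GET /webadmin.nsf HTTP/1.0" 401 210',
    '198.51.100.7 - jsmith [09/Oct/2001:14:05:00 -0700] "GET /log.nsf HTTP/1.0" 200 3000',
]

def classify(line):
    """Return a finding dict for requests touching sensitive resources, else None."""
    m = CLF.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    # Domino URLs are case-insensitive; decode %xx so encoded names still match.
    segments = [s.lower() for s in unquote(path).split("/") if s]
    db = next((s for s in segments if s.endswith(".nsf")), None)
    open_server = query.lower().startswith("openserver")
    if db not in SENSITIVE_DBS and not open_server:
        return None
    status, anonymous = int(m["status"]), m["user"] == "-"
    if status == 200:
        verdict = "EXPOSED_ANONYMOUS" if anonymous else "SERVED_AUTHENTICATED"
    elif status in (401, 403):
        verdict = "DENIED"
    else:
        verdict = "OTHER"
    resource = db if db in SENSITIVE_DBS else "?OpenServer"
    return {"ip": m["ip"], "resource": resource, "verdict": verdict}

def summarize(lines):
    """Group (client, resource) pairs by verdict so exposures stand out."""
    findings = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            findings[hit["verdict"]].add((hit["ip"], hit["resource"]))
    return {verdict: sorted(pairs) for verdict, pairs in findings.items()}

if __name__ == "__main__":
    for verdict, hits in summarize(SAMPLE_LOG).items():
        print(verdict, hits)
```

Any EXPOSED_ANONYMOUS entry means the database's access control list is letting unauthenticated clients in and should be tightened.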



