Penetration Testing mailing list archives
Re: Lotus Notes Server
From: kapil assudani <kapil.assudani () yahoo com>
Date: Fri, 9 Jun 2006 22:25:43 -0700 (PDT)
Hey,

In addition to the valuable suggestions from peeps on the list, it all boils down to looking for the following .nsf files on the Lotus server, which carry the information you have been craving for: names.nsf, log.nsf, admin4.nsf and domcfg.nsf.

The Lotus Domino server has thousands of .nsf database files, and what sucks for an administrator is he cannot protect all of them with one click; the only choice an administrator has is to manually go to each database and check the protection for it. I dunno if that has changed for the new versions, but this has been pretty much the deal with Lotus.

Out of these, if domcfg.nsf is open, you should be sure of performing the URL redirect vulnerability on the Lotus server to call it p0wn1g3!! Here's how you would go about it:

To open the Domino Configuration database, add 'domcfg.nsf/?Open' to the end of the above URL, so you have: http://IAMLOTUS.COM/domcfg.nsf/?open

If it's not protected with a password, it's time for the fun stuff. Now to ADD a URL Redirect, simply change the URL to: http://IAMLOTUS.COM/domcfg.nsf/URLRedirect/?OpenForm. At this point you get a URL Redirection form. Fill in the fields. Saving the document (pressing the submit button) will produce a new URL Redirection document. The next time the server is restarted the URL Redirection will take effect. With this example, every http request toward http://IAMLOTUS.COM will be redirected toward http://LOTUSP0WN1G3.COM, having the effect of completely redirecting the site.

FUN FUN FUN eh!!

thanks
secNerd

--- AdamT <adwulf () gmail com> wrote:
Seconded. If you can get at port 1352/tcp (the Notes protocol), it's possible they've got their .id files stored as part of their directory, in which case you just need to know the name of a user, and it will give you their .id file. You'll have to brute force the password though. I've been to one place where 1352 was open from the outside world, all .id files were stored in the directory, and EVERY .id file was REQUIRED BY POLICY to be kept with the same two-letter password. Like shooting fish....

NB: The .id file password will (in most cases) be different to the password they'd use to authenticate to a Domino web page or mail service. The username for http, smtp, pop3 services and suchlike will usually be along the lines of Firstname Lastname, but it's possible to change that.

All the information about the Notes directory can be found in a file called names.nsf, and if you want to see which databases are on the server, look for catalog.nsf (not all databases will be listed; mailboxes, for example, generally aren't). Mailboxes (mail databases) are usually found somewhere like /mail/jbloggs.nsf, and you can likely point your browser at that file and attempt to authenticate.

Also, check some of their web servers for Domino, especially if they're running R4, and if you end up with a URL that looks like /filename.nsf?(insert lots of junk here), try cutting it back to the .nsf file and see what you can get. Also try changing the bit of the URL that says OpenDocument to EditDocument. I once found a large IT consultancy's job vacancies page allowed you to see and edit the details of rival candidates, as well as add in 'HR comments' on them. They changed that to an 'email us your CV' link pretty quick.

If you have access to their file servers, have a look out for .id files in there, as many Notes admins like to keep a backup copy of all .id files for all users, usually with the same default password.

I'd be tempted to call their helpdesk, explain that you're new here and you don't know what your Notes ID password has been set to. 9 times out of 10, it'll be the same password the rest of the org uses as the initial password when .ids are created, so the helpdesk staff don't even need to look you up; they already *know* the password will be set to 'welcome2acme' or somesuch, and will just tell you in order to get you off the phone and increase their calltime stats.

On 08/06/06, Michael Gargiullo <mgargiullo () pvtpt com> wrote:

A copy of the Lotus client

-----Original Message-----
From: 09Sparky () gmail com [mailto:09Sparky () gmail com]
Sent: Thursday, June 08, 2006 8:45 AM
To: pen-test () securityfocus com
Subject: Lotus Notes Server

Can anyone give me some insight as to what I should expect to see when I do an internal assessment/pentest against a Lotus Notes Server? Any help like what I should be looking for, what is common and any special tools used aside from nmap, nessus, etc.

--
AdamT
"A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche
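An added audit script, not code from the thread or from Lotus/IBM, that an administrator can run against a Domino server they manage after tightening ACLs, to confirm that the system databases the thread names (names.nsf, log.nsf, admin4.nsf, domcfg.nsf, catalog.nsf) no longer answer anonymous '/?Open' requests. The hostname is a placeholder, and the `fetch` parameter is an assumption of this example so the verdict logic can be exercised offline.

```python
import urllib.error
import urllib.request

# Databases named in the thread; domcfg.nsf holds the URL redirection
# documents, so anonymous access to it is the most serious finding.
SYSTEM_DATABASES = ["names.nsf", "log.nsf", "admin4.nsf",
                    "domcfg.nsf", "catalog.nsf"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it to the login page."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_status(url: str, timeout: float = 5.0) -> int:
    """HTTP status of an unauthenticated GET; 0 if the host is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
        return err.code
    except urllib.error.URLError:           # DNS failure, refused, timeout
        return 0


def classify(status: int) -> str:
    """Turn one status code into an audit verdict for that database."""
    if status == 200:
        return "ANONYMOUS ACCESS"   # ACL still grants Anonymous >= Reader
    if status in (401, 403):
        return "protected"          # credentials required: desired state
    if 300 <= status < 400:
        return "redirect"           # typically a session-based login form
    if status == 404:
        return "absent"             # database not present under this path
    return "unreachable" if status == 0 else "unexpected"


def audit(base_url: str, fetch=http_status) -> dict:
    """Check each system database via '/<db>/?Open' as the thread describes."""
    base = base_url.rstrip("/")
    return {db: classify(fetch(f"{base}/{db}/?Open")) for db in SYSTEM_DATABASES}


if __name__ == "__main__":
    # Placeholder host: replace with the Domino server you administer.
    for db, verdict in audit("http://domino.example.invalid").items():
        print(f"{db:12s} {verdict}")
```

Every database should report "protected" (or "redirect" when session authentication is enabled); any "ANONYMOUS ACCESS" line means the database ACL still needs the Anonymous entry set to No Access.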
Current thread:
- Lotus Notes Server 09Sparky (Jun 08)
- Re: Lotus Notes Server Fransman Lucien (Jun 08)
- Re: Lotus Notes Server Tim (Jun 08)
- <Possible follow-ups>
- RE: Lotus Notes Server Michael Gargiullo (Jun 08)
- Re: Lotus Notes Server AdamT (Jun 09)
- Re: Lotus Notes Server kapil assudani (Jun 10)
- Re: Lotus Notes Server AdamT (Jun 09)