Penetration Testing mailing list archives
RE: Lotus Domino over 443 pentesting.
From: "Isidro Ramon Labrador Rodriguez" <irlabrador () gmv com>
Date: Thu, 16 Nov 2006 10:39:19 +0100
Try the techniques described in this paper.

http://www.ngssoftware.com/papers/hpldws.pdf

Best Regards

________________________________
Isidro R. Labrador Rodríguez
Security Consultant
Security Audit and Planning Division
GMV SOLUCIONES GLOBALES INTERNET, S.A.
Isaac Newton, 11
P.T.M. Tres Cantos
E-28760 Madrid
Tel. +34 91 806 16 00
Fax +34 91 806 16 99
www.gmv.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Andrew
Sent: Wednesday, 15 November 2006 20:45
To: pen-test () securityfocus com
Subject: Lotus Domino over 443 pentesting.

Hi list,

I need to analyze 10 front-end servers. These servers are home-banking authentication portals; only port 443 is open.

The authentication is Lotus Domino based. (Operations like ?OpenDatabase on names.nsf, statrep.nsf, webadmin.nsf redirect me to the authentication form.)

There is also a database that permits me to see some 'views' and names of the CssStyle directory.

VA scanners only report false positives right now and that is not good enough for me, because only an XSS was found.

I have read Hackproofing Lotus Domino by NGSSoftware, but it was not very useful.

So, does anyone know any good techniques for gaining access to these servers? And does anyone know how I can manipulate a Lotus Domino query in the case of a readable database?

Any suggestions?

Thanks

Andrew B.
Junior Analyst
NWI group.
Current thread:
- Lotus Domino over 443 pentesting. Andrew (Nov 15)
- RE: Lotus Domino over 443 pentesting. Isidro Ramon Labrador Rodriguez (Nov 16)
- <Possible follow-ups>
- Re: Lotus Domino over 443 pentesting. Danny Fullerton (Nov 15)