From: AdamT (adwulf@gmail.com)
Date: Fri Jun 09 2006 - 05:46:14 EDT
Seconded. If you can get at port 1352/tcp (the notes protocol), it's
possible they've got their .id files stored as part of their
directory, in which case you just need to know the name of a user, and
it will give you their .id file.
You'll have to brute force the password though. I've been to one
place where 1352 was open from the outside world, all .id files were
stored in the directory, and EVERY .id file was REQUIRED BY POLICY to
be kept with the same two letter password. Like shooting fish....
NB: The .id file password will (in most cases) be different to the
password they'd use to authenticate to a domino web page or mail
service. The username for http, smtp, pop3 services and suchlike will
usually be along the lines of Firstname Lastname, but it's possible to
change that. All the information about the notes directory can be
found in a file called names.nsf, and if you want to see which
databases are on the server, look for catalog.nsf (not all databases
will be listed - mailboxes, for example generally aren't). Mailboxes
(mail databases) are usually found somewhere like /mail/jbloggs.nsf -
and you can likely point your browser at that file and attempt to
authenticate.
Also - Check some of their web servers for domino - especially if
they're running R4, and if you end up with a url that looks like
/filename.nsf?(insert lots of junk here) - try cutting it back to the
.nsf file and see what you can get. Also try changing the bit of the
URL that says OpenDocument to EditDocument. I once found a large IT
consultancy's job vacancies page allowed you to see and edit the
details of rival candidates, as well as add in 'HR comments' on them.
They changed that to an 'email us your CV' link pretty quick.
If you have access to their file servers, have a look out for .id
files in there, as many Notes admins like to keep a backup copy of all
.id files for all users, usually with the same default password. I'd
be tempted to call their helpdesk, explain that you're new here and
you don't know what your notes ID password has been set top. 9 times
out of 10, it'll be the same password the rest of the org uses as the
initial password when .ids are created - so the helpdesk staff don't
even need to look you up, they already *know* the password will be set
to 'welcome2acme' or somesuch, and will just tell you in order to get
you off the phone and increase their calltime stats.
On 08/06/06, Michael Gargiullo <mgargiullo@pvtpt.com> wrote:
> A copy of the lotus client
>
> -----Original Message-----
> From: 09Sparky@gmail.com [mailto:09Sparky@gmail.com]
> Sent: Thursday, June 08, 2006 8:45 AM
> To: pen-test@securityfocus.com
> Subject: Lotus Notes Server
>
> Can anyone give me some insight as to what I should expect to see when I
> do an internal assessment/pentest agains a Lotus Notes Server? Any help
> like what I should be looking for, what is common and any special tools
> used aside from nmap, nessus, etc.
>
>
-- AdamT "A casual stroll through the lunatic asylum shows that faith does not prove anything." - Nietzsche ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com for details. ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:04 EDT