Re: Lotus Notes Server

From: kapil assudani (kapil.assudani@yahoo.com)
Date: Sat Jun 10 2006 - 01:25:43 EDT


Hey,
 
 In addition to the valuable suggestion from peeps on
the list ..it all
boils down to looking for the following nsf files on
the lotus server
which carry the information you have been craving for:
 
 names.nsf,log.nsf,admin4.nsf and domcfg.nsf

The Lotus Domino server has thousands of .nsf database
file..and what
sucks for an administrator is he cannot protect all of
them with one
click, only choice an administrator has is to manually
go to each database
and check the protection for it...i dunno if that has
changed for the
new versions..but this has been pretty much the deal
with Lotus.
 
 Out of these if domcfg.nsf is open, you should be
sure of performing
the URL redirect vulnerbility on the Lotus Server to
call it p0wn1g3!!
 
 Here's is how you would go bout it:
 
 
To open the Domino Configuration database add
'domcfg.nsf/?Open' to the
end of the above URL, so you have:

http://IAMLOTUS.COM/domcfg.nsf/?open

If its not protected with a password its time for the
fun stuff

Now to ADD a URL Redirect simply change the URL to:
http://IAMLOTUS.COM/domcfg.nsf/URLRedirect/?OpenForm.

At this point you get a URL Redirection form. Fill in
the fields.

Saving the document (pressing the submit button) will
produce a new URL
Redirection document. The next time the server is
restarted the URL
Redirection will take effect.

With this example, every http request toward
http://IAMLOTUS.COM will
be
redirected toward http://LOTUSP0WN1G3.COM, having the
affect of
completely
redirecting the site.

FUN FUN FUN eh!!

thanks

secNerd

--- AdamT <adwulf@gmail.com> wrote:

> Seconded. If you can get at port 1352/tcp (the
> notes protocol), it's
> possible they've got their .id files stored as part
> of their
> directory, in which case you just need to know the
> name of a user, and
> it will give you their .id file.
>
> You'll have to brute force the password though.
> I've been to one
> place where 1352 was open from the outside world,
> all .id files were
> stored in the directory, and EVERY .id file was
> REQUIRED BY POLICY to
> be kept with the same two letter password. Like
> shooting fish....
>
> NB: The .id file password will (in most cases) be
> different to the
> password they'd use to authenticate to a domino web
> page or mail
> service. The username for http, smtp, pop3 services
> and suchlike will
> usually be along the lines of Firstname Lastname,
> but it's possible to
> change that. All the information about the notes
> directory can be
> found in a file called names.nsf, and if you want to
> see which
> databases are on the server, look for catalog.nsf
> (not all databases
> will be listed - mailboxes, for example generally
> aren't). Mailboxes
> (mail databases) are usually found somewhere like
> /mail/jbloggs.nsf -
> and you can likely point your browser at that file
> and attempt to
> authenticate.
>
> Also - Check some of their web servers for domino -
> especially if
> they're running R4, and if you end up with a url
> that looks like
> /filename.nsf?(insert lots of junk here) - try
> cutting it back to the
> .nsf file and see what you can get. Also try
> changing the bit of the
> URL that says OpenDocument to EditDocument. I once
> found a large IT
> consultancy's job vacancies page allowed you to see
> and edit the
> details of rival candidates, as well as add in 'HR
> comments' on them.
> They changed that to an 'email us your CV' link
> pretty quick.
>
> If you have access to their file servers, have a
> look out for .id
> files in there, as many Notes admins like to keep a
> backup copy of all
> .id files for all users, usually with the same
> default password. I'd
> be tempted to call their helpdesk, explain that
> you're new here and
> you don't know what your notes ID password has been
> set top. 9 times
> out of 10, it'll be the same password the rest of
> the org uses as the
> initial password when .ids are created - so the
> helpdesk staff don't
> even need to look you up, they already *know* the
> password will be set
> to 'welcome2acme' or somesuch, and will just tell
> you in order to get
> you off the phone and increase their calltime stats.
>
> On 08/06/06, Michael Gargiullo
> <mgargiullo@pvtpt.com> wrote:
> > A copy of the lotus client
> >
> > -----Original Message-----
> > From: 09Sparky@gmail.com
> [mailto:09Sparky@gmail.com]
> > Sent: Thursday, June 08, 2006 8:45 AM
> > To: pen-test@securityfocus.com
> > Subject: Lotus Notes Server
> >
> > Can anyone give me some insight as to what I
> should expect to see when I
> > do an internal assessment/pentest agains a Lotus
> Notes Server? Any help
> > like what I should be looking for, what is common
> and any special tools
> > used aside from nmap, nessus, etc.
> >
> >
>
> --
> AdamT
> "A casual stroll through the lunatic asylum shows
> that faith does not
> prove anything." - Nietzsche
>
>
------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only
> one to win the Analyst's
> Choice Award from eWeek. As attacks through web
> applications continue to rise,
> you need to proactively protect your applications
> from hackers. Cenzic has the
> most comprehensive solutions to meet your
> application security penetration
> testing and vulnerability management needs. You have
> an option to go with a
> managed service (Cenzic ClickToSecure) or an
> enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how
> a managed service can
> help you:
> http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit
> for you to confirm your
> results from other product. Contact us at
> request@cenzic.com for details.
>
------------------------------------------------------------------------------
>
>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:04 EDT