Notes HTTP password (was: Re: wanted: a script to try dictionary attacks against NOTES ID files)

From: miguel.dilaj@pharma.novartis.com
Date: 11/20/01


To: pen-test@securityfocus.com
Date: Tue, 20 Nov 2001 15:31:33 -0300
Message-ID: <OF2F095349.0F83DCE1-ON03256B0A.00655B14@is.chbs>


Hello people

The discussion on Notes ID brings something to my mind.
Some time ago people of Trust Factory showed a tool named 'sesame' to brute
force/dictionary attack hashed Notes HTTP passwords at a Black Hat
convention. The algorithm used is a variant of RSA MD4 (without salt, so
each password gives only 1 hash). People of Trust Factory didn't release
sesame to the public.
Is there any other tool to attack those passwords? I take into account the
fact that people tend to use the same password in many places: Notes HTTP
password, Notes login, net login, etc. All tools I know are able to attack
standard MD4 with salt, not the Notes variant.
Best regards,

Miguel Dilaj
