Re: wanted: a script to try dictionary attacks against NOTES ID files

From: jjore@imation.com
Date: 11/20/01


To: pentest_list <pen-test@securityfocus.com>
Subject: Re: wanted: a script to try dictionary attacks against NOTES ID files
Message-ID: <OF7D68D12B.0DC1861A-ON86256B0A.0078A663@imation.com>
Date: Tue, 20 Nov 2001 16:05:58 -0600

I'm responding to both messages at once.

The notes.id password is logically distinct from the HTTP password. That
said, many Notes users set the same password in both places. The HTTP
password may be either salted or unsalted depending on whether the
administrators have configured the server that way.

There are two *easy* ways to attack an HTTP password. Throw a dictionary at
the @Password(string) function and compare this with the unsalted password
from the address book. Alternatively, run a dictionary against an httpd and
attempt to log in that way. Obviously that will generate buckets of log
messages. I hear that there's a crypto-analysis attack on the
notes.id+httpd password but you'd have to be smarter than me to make it
work.

Cracking a .id would be nicer since that may be done offline. In the
absence of a regular scripted approach you could fake a machine out and
run something that simulates a user moving the mouse and typing at the
keyboard. While that'd be a pain and not particularly fast it'll be faster
to set up than doing the password checking via the Notes API.

Joshua b. Jore
