Re: Lotus Notes Server
- From: kapil assudani <kapil.assudani@xxxxxxxxx>
- Date: Fri, 9 Jun 2006 22:25:43 -0700 (PDT)
Hey,

In addition to the valuable suggestions from peeps on the list, it all boils down to looking for the following nsf files on the Lotus server, which carry the information you have been craving for: names.nsf, log.nsf, admin4.nsf and domcfg.nsf.

The Lotus Domino server has thousands of .nsf database files, and what sucks for an administrator is he cannot protect all of them with one click; the only choice an administrator has is to manually go to each database and check the protection for it. I dunno if that has changed for the new versions, but this has been pretty much the deal with Lotus.

Out of these, if domcfg.nsf is open, you should be sure of performing the URL redirect vulnerability on the Lotus server to call it p0wn1g3!!

Here's how you would go about it:

To open the Domino Configuration database add 'domcfg.nsf/?Open' to the end of the above URL, so you have: http://IAMLOTUS.COM/domcfg.nsf/?open

If it's not protected with a password it's time for the fun stuff.

Now to ADD a URL Redirect simply change the URL to: http://IAMLOTUS.COM/domcfg.nsf/URLRedirect/?OpenForm

At this point you get a URL Redirection form. Fill in the fields. Saving the document (pressing the submit button) will produce a new URL Redirection document. The next time the server is restarted the URL Redirection will take effect.

With this example, every http request toward http://IAMLOTUS.COM will be redirected toward http://LOTUSP0WN1G3.COM, having the effect of completely redirecting the site.

FUN FUN FUN eh!!

thanks
secNerd
--- AdamT <adwulf@xxxxxxxxx> wrote:

Seconded. If you can get at port 1352/tcp (the notes protocol), it's possible they've got their .id files stored as part of their directory, in which case you just need to know the name of a user, and it will give you their .id file. You'll have to brute force the password though. I've been to one place where 1352 was open from the outside world, all .id files were stored in the directory, and EVERY .id file was REQUIRED BY POLICY to be kept with the same two letter password. Like shooting fish....

NB: The .id file password will (in most cases) be different to the password they'd use to authenticate to a domino web page or mail service. The username for http, smtp, pop3 services and suchlike will usually be along the lines of Firstname Lastname, but it's possible to change that. All the information about the notes directory can be found in a file called names.nsf, and if you want to see which databases are on the server, look for catalog.nsf (not all databases will be listed - mailboxes, for example, generally aren't). Mailboxes (mail databases) are usually found somewhere like /mail/jbloggs.nsf - and you can likely point your browser at that file and attempt to authenticate.

Also - check some of their web servers for domino - especially if they're running R4, and if you end up with a url that looks like /filename.nsf?(insert lots of junk here) - try cutting it back to the .nsf file and see what you can get. Also try changing the bit of the URL that says OpenDocument to EditDocument. I once found a large IT consultancy's job vacancies page allowed you to see and edit the details of rival candidates, as well as add in 'HR comments' on them. They changed that to an 'email us your CV' link pretty quick.

If you have access to their file servers, have a look out for .id files in there, as many Notes admins like to keep a backup copy of all .id files for all users, usually with the same default password. I'd be tempted to call their helpdesk, explain that you're new here and you don't know what your notes ID password has been set to. 9 times out of 10, it'll be the same password the rest of the org uses as the initial password when .ids are created - so the helpdesk staff don't even need to look you up, they already *know* the password will be set to 'welcome2acme' or somesuch, and will just tell you in order to get you off the phone and increase their calltime stats.
On 08/06/06, Michael Gargiullo <mgargiullo@xxxxxxxxx> wrote:

A copy of the lotus client

-----Original Message-----
From: 09Sparky@xxxxxxxxx [mailto:09Sparky@xxxxxxxxx]
Sent: Thursday, June 08, 2006 8:45 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Lotus Notes Server

Can anyone give me some insight as to what I should expect to see when I do an internal assessment/pentest against a LotusNotes Server? Any help like what I should be looking for, what is common and any special tools used aside from nmap, nessus, etc.
--
AdamT
"A casual stroll through the lunatic asylum shows
that faith does not
prove anything." - Nietzsche
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
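The databases and URL patterns discussed in this thread (names.nsf, log.nsf, admin4.nsf, domcfg.nsf and catalog.nsf, the URLRedirect form in domcfg.nsf, and OpenDocument swapped for EditDocument) are also what a Domino administrator should be watching for in the HTTP access log. The script below is an added example, not code from anyone in this thread or from the Domino product: it reads access-log lines in Common Log Format (Domino can write its HTTP log that way; the exact field layout is assumed here, and the sample lines are constructed) and flags anonymous hits on those administrative databases, anonymous document-modifying URL commands, and any creation of a URL redirection document. The check order and severities are my own choices.

```python
"""Flag risky HTTP requests to Lotus Domino databases in access-log lines.

Added example for this thread (not code from any poster or from the Domino
product). It assumes the Domino HTTP server writes its access log in Common
Log Format; the sample lines below are constructed, not captured anywhere.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Databases the thread names as the ones worth protecting.
SENSITIVE_DBS = {"names.nsf", "log.nsf", "admin4.nsf", "domcfg.nsf", "catalog.nsf"}

# Domino URL commands that create or change documents when submitted.
WRITE_COMMANDS = {"createdocument", "savedocument", "editdocument", "deletedocument"}

# Constructed sample log (Common Log Format; "-" in the user field = anonymous).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2006:22:10:01 -0700] "GET /names.nsf?Open HTTP/1.1" 200 5120
10.0.0.5 - - [09/Jun/2006:22:10:05 -0700] "GET /domcfg.nsf/?Open HTTP/1.1" 200 4096
10.0.0.5 - - [09/Jun/2006:22:10:09 -0700] "GET /domcfg.nsf/URLRedirect/?OpenForm HTTP/1.1" 200 8192
10.0.0.5 - - [09/Jun/2006:22:10:30 -0700] "POST /domcfg.nsf/URLRedirect/?CreateDocument HTTP/1.1" 200 1024
10.0.0.7 - jbloggs [09/Jun/2006:22:11:00 -0700] "GET /mail/jbloggs.nsf?Open HTTP/1.1" 200 2048
10.0.0.9 - - [09/Jun/2006:22:12:00 -0700] "GET /jobs.nsf/vacancies/abc123?EditDocument HTTP/1.1" 200 3000
10.0.0.9 - - [09/Jun/2006:22:12:10 -0700] "GET /domcfg.nsf/?Open HTTP/1.1" 401 0
10.0.0.9 - - [09/Jun/2006:22:12:20 -0700] "GET /homepage.nsf?Open HTTP/1.1" 200 700
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>"[^"]*"|\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
DB_RE = re.compile(r"/([^/?#]+\.nsf)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    database: str
    command: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one CLF line into fields; returns None for lines that do not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["status"] = int(f["status"])
    f["user"] = f["user"].strip('"')
    db = DB_RE.search(f["path"])
    f["database"] = db.group(1).lower() if db else ""
    # The Domino URL command is the first token after '?', e.g. ?OpenForm or ?EditDocument.
    query = f["path"].partition("?")[2]
    f["command"] = query.split("&", 1)[0].lower()
    return f


def classify(f: dict) -> Optional[Finding]:
    """Apply the checks in priority order; only successful (2xx) requests count."""
    if not (200 <= f["status"] < 300) or not f["database"]:
        return None
    anonymous = f["user"] == "-"
    redirect_form = f["database"] == "domcfg.nsf" and "urlredirect" in f["path"].lower()
    if redirect_form and (f["method"] == "POST" or f["command"] in WRITE_COMMANDS):
        return Finding(f["host"], f["database"], f["command"], "critical",
                       "URL redirection document created or changed in domcfg.nsf")
    if redirect_form:
        return Finding(f["host"], f["database"], f["command"], "high",
                       "URL redirection form opened in domcfg.nsf")
    if anonymous and f["database"] in SENSITIVE_DBS:
        return Finding(f["host"], f["database"], f["command"], "high",
                       "anonymous access to administrative database")
    if anonymous and f["command"] in WRITE_COMMANDS:
        return Finding(f["host"], f["database"], f["command"], "high",
                       "anonymous request with a document-modifying URL command")
    return None


def analyze(log_text: str) -> list:
    """Run every parseable line through classify() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        finding = classify(fields)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 4, 'critical': 1}."""
    counts = {}
    for fnd in findings:
        counts[fnd.severity] = counts.get(fnd.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for fnd in results:
        print(f"[{fnd.severity}] {fnd.host} {fnd.database} ?{fnd.command}: {fnd.reason}")
    print(summarize(results))
```

Denied requests (401/403) are deliberately left out of the findings, since they show the ACL doing its job; a real review would also open the ACL of each listed database directly rather than rely on the log alone.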