Re: Domino testing
Thanks so much all of you for your suggestions.

I figured out the "remove the colon" bit a while back, and found that
the file cldbdir.nsf varies between servers...

I have found that there are really five IP addresses with domino
servers on them. One seems to be a cluster controller, two seem to be
cluster members, and two seem to be completely different.

However, the cldbdir.nsf file seems to be the same on the cluster
controller, and its two nodes. On these servers there is only a single
file called anything like mail presented in the cldbdir.nsf.

That said, the cldbdir.nsf file on the other two contain all of the
information from the cluster but I've also now found hundreds of email
boxes like mail/xyz01234.nsf - and when I browse to them (from the
default view), I see the box is titled "Some Name" which is very nice
- so I can enumerate the users. But, how can I be sure that the mail
users are "authorized" in names.nsf - or does that go without saying?

Is there a way to get group membership information?
Thanks again!

I very much appreciate all the help


BTW, I've also found that one can access the same file like a thousand
ways (if it isn't acl'd in the first place):

http://server/names.nsf
http://server\names.nsf
http://server/98127634764534
http://server\98127634764534
http://server/%6eames.nsf
http://server/__98127634764534.nsf
ad nauseam

Some of the documentation I've stumbled across makes it seem as though
one has to be very very careful to ensure that each and every
iteration is accounted for when setting acls - this seems to be a lot
of work. Then again, the documentation seems to be eons old (circa
2004) so maybe things have changed since then ;)

Ciao
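As an added example (not code from any poster in this thread), here is the colon stripping Chris describes in the reply quoted below and the alternative URL spellings listed above, turned into a small Python helper: it builds each listed form (plus an upper-cased file name) for every database in a cldbdir.nsf-style listing and flags a database whose spellings get different answers from the server. The host name "server", the rows in SAMPLE_CLDBDIR_ROWS (with made-up titles, names and replica IDs in the format quoted in the thread) and the fake fetch in the demo are all constructed for illustration; pass fetch=http_status for a live run.

```python
import http.client
import re

# Constructed sample rows of the kind the thread says cldbdir.nsf exposes:
# (database title, file name, replica ID). Titles, names and IDs are made up;
# only the replica ID format matches the one quoted in the thread.
SAMPLE_CLDBDIR_ROWS = [
    ("Some Name", "mail/xyz01234.nsf", "74147FC1:000F0B27"),
    ("Domino Directory", "names.nsf", "C1256E0A:00417B3C"),
]

# Domino displays a replica ID as two 8-hex-digit halves joined by a colon.
REPLICA_ID_RE = re.compile(r"^([0-9A-Fa-f]{8}):?([0-9A-Fa-f]{8})$")


def normalize_replica_id(rid):
    """Return the 16-hex-digit URL form ('74147FC1:000F0B27' -> '74147FC1000F0B27')."""
    m = REPLICA_ID_RE.match(rid.strip())
    if not m:
        raise ValueError("not a Domino replica ID: %r" % (rid,))
    return (m.group(1) + m.group(2)).upper()


def percent_encode_first_char(path):
    """Encode only the first character of the last segment, e.g. names.nsf -> %6eames.nsf."""
    head, sep, last = path.rpartition("/")
    return head + sep + "%%%02x" % ord(last[0]) + last[1:]


def url_variants(server, filename, replica_id):
    """Build the spellings listed in the thread (plus an upper-cased name) for one database."""
    rid = normalize_replica_id(replica_id)
    paths = [
        filename,
        filename.upper(),
        percent_encode_first_char(filename),
        rid,
        "__%s.nsf" % rid,
    ]
    urls = []
    for sep in ("/", "\\"):          # slash and backslash after the host
        for p in paths:
            urls.append("http://%s%s%s" % (server, sep, p))
    return urls


def split_host_path(url):
    """Split 'http://host/path' or 'http://host\\path' without normalising the separator."""
    rest = url.split("://", 1)[1]
    m = re.match(r"^([^/\\]+)([/\\].*)$", rest)
    if not m:
        raise ValueError("cannot split %r" % (url,))
    return m.group(1), m.group(2)


def http_status(url, timeout=5):
    """Live fetch that sends the path verbatim, so backslash and %-encoded forms arrive unchanged."""
    host, path = split_host_path(url)
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def probe(urls, fetch=http_status):
    """Map each URL to the status code fetch() returns, or None if the request fails."""
    results = {}
    for u in urls:
        try:
            results[u] = fetch(u)
        except Exception:
            results[u] = None
    return results


def inconsistent_access(results):
    """True when some spellings are served (2xx) while others are challenged or denied (401/403)."""
    codes = {c for c in results.values() if c is not None}
    return any(200 <= c < 300 for c in codes) and any(c in (401, 403) for c in codes)


if __name__ == "__main__":
    # Offline demo with a fake fetch (constructed): the plain lower-case name is
    # challenged, every other spelling is served.
    def fake_fetch(url):
        return 401 if url.endswith("names.nsf") else 200

    for title, fname, rid in SAMPLE_CLDBDIR_ROWS:
        r = probe(url_variants("server", fname, rid), fetch=fake_fetch)
        print(title, "inconsistent" if inconsistent_access(r) else "consistent")
```

A note on what a split result means: the ACL is stored in the NSF itself, so once Domino resolves any of these spellings to the same database it applies the same ACL. If the spellings get different answers, that points at something keyed on the URL string in front of the database (a proxy rule, a filter, a redirect) rather than at an ACL entry that was missed, and that is the component to look at.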

On 7/23/07, Chris.McGinley@xxxxxxxxxxx <Chris.McGinley@xxxxxxxxxxx> wrote:

If cldbdir.nsf contains the names of mail databases, then you should be able to see the mail database title, file name, and replica ID. The file name can be entered in the URL like so -

http://server/<nsf filename>

And, you can directly insert the replica id (minus the colon) as so (using your example from below) -
http://server/74147FC1000F0B27

The mail1.box file that you are referring to is the server's router mailbox; all email is transferred there so that it can be delivered to its destination. It's normal to have 'Depositor' access to that, meaning you can drop stuff there but see nothing.

As for the administrator account, there is not a standard name in Domino; it is defined by the person who installs the software for the first time and it can be anything.

-Chris

"A Plasmoid" <skinodo@xxxxxxxxx>
07/23/2007 10:14 AM
To: "Chris.McGinley@xxxxxxxxxxx" <Chris.McGinley@xxxxxxxxxxx>
cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Domino testing

Thanks Chris,

I do have access to cldbdir.nsf - and it seems that I can get the replica IDs of hundreds of files, like webadmin.nsf...

Trouble is, I get it in this format:

74147FC1:000F0B27

Is there a way to use a replica ID to gain access to the real file? If so, then how does one convert the above to something usable?

Also, there seems to be only a single mail1.box on the server in question - my guess would be that this is the admin mailbox. Is there an algorithm to convert to a name? Is administrator the admin for Domino on Windows?

Thanks again

On 7/23/07, Chris.McGinley@xxxxxxxxxxx <Chris.McGinley@xxxxxxxxxxx> wrote:

If you can access the cldbdir.nsf database, you may be able to disclose
the names of mail files. Equate that to user names and you have yourself a
list of names to use for password guessing against the protected databases
(e.g. names.nsf).

dba4.nsf may give you some info about a specific database, but probably
nothing very useful for gaining access. The others are sample & help
databases...the help db may give you info about the host OS, but nothing
more.

In a situation like this, your best bet is to guess a user/pass and get
access to names.nsf and elevate privs.

-Chris

"A Plasmoid" <skinodo@xxxxxxxxx>
Sent by: listbounce@xxxxxxxxxxxxxxxxx
07/20/2007 04:22 PM
To: pen-test@xxxxxxxxxxxxxxxxx
cc:
Subject: Domino testing

I'm new to Domino testing, and have found a few interesting databases.
I am wondering if there is anything that could be done with
them. Specifically, there are:

cldbdir.nsf
dba4.nsf
qstart.nsf
/sample/faqw46.nsf
/sample/pagesw46.nsf (several others in sample)
/help/help5_designer.nsf (several others in help)

The ?EditDocument functionality is locked down with "basic
authentication" but I can view them. There is not a lot of info (that I
have found) regarding domino, so I'm hoping that some kind person here
can tell me whether these things can be leveraged into a deeper level
of access or not.

All of the other "important" databases like names.nsf, webadmin.nsf,
and others are also protected with basic auth.

Thanks for any hints, clues, and even "Google is your friend" stuff
(as long as there is a corresponding reasonable search parameter) :)

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------