Re: Lotus Notes/Domino Pen Test
- From: Marco Ivaldi <raptor@xxxxxxxxxxxxxxxx>
- Date: Thu, 15 May 2008 10:57:24 +0200 (ora solare Europa occidentale)
Hi,
On Wed, 14 May 2008, mizambo@xxxxxxxx wrote:
> Hi Pen Testers:
> I'm looking for information of pentest for a Lotus Notes/Domino 6.x and 7.x environment.
> Do you have some infos, documents or tools to suggest?
Here's a list of useful resources on Lotus Domino/Notes security:
http://www.dominosecurity.org/
http://www.ngssoftware.com/papers/hpldws.pdf
http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf
http://seclists.org/pen-test/2002/Nov/0034.html (whole thread)
http://seclists.org/pen-test/2007/Jul/0111.html (whole thread)
http://documents.iss.net/whitepapers/domino.pdf
http://www-128.ibm.com/developerworks/views/lotus/library.jsp
http://www-128.ibm.com/developerworks/lotus/security/
http://www.redbooks.ibm.com/redbooks/pdfs/sg247017.pdf
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245341.pdf
http://www.nsftools.com/
Some testing tools:
http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
http://www.cqure.net/wp/?page_id=17
http://www.appsecinc.com/products/appdetective/domino/ (commercial!)
http://www.rapid7.com/nexpose/features.jsp (commercial!)
http://www.openwall.com/john
http://usuarios.lycos.es/reinob/
http://www.nestonline.com/lcrack/
http://www.securiteinfo.com/download/dhb.zip
http://www.cqure.net/wp/?page_id=12
http://www-128.ibm.com/developerworks/lotus/downloads/
Other commercial password crackers from Elcomsoft/Passware/etc.
And some exploits:
http://www.0xdeadbeef.info/exploits/raptor_dominohash
http://www.milw0rm.com/exploits/3602
http://www.milw0rm.com/exploits/3616
http://www.milw0rm.com/exploits/4207
http://www.milw0rm.com/exploits/4574
> Thanks for any type of help.
Hope this helps,
--
Marco Ivaldi, OPST
Red Team Coordinator Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/