Re: Pen-Testing Lotus Notes/Domino

From: Josh Daymont (joshdat_private)
Date: Tue Oct 09 2001 - 14:49:53 PDT


    Johann,
    
    You may want to contact Application Security Inc.  They have said that
    they plan to start beta-testing a new Lotus Domino Scanning/PenTesting
    application next month.  According to ASI, this will be a full-featured
    tool that will scan for, identify and then perform a detailed inspection
    of a Domino server over any and all ports that are open.  ASI can be
    reached at (212) 490-6022 and/or http://www.appsecinc.com/.
    
    In the meantime there's a couple of things that you can do to test Domino
    servers that operate over the HTTP protocol.  This is by no means a
    complete list and is just intended as a starter:  If the server is
    configured to allow anonymous connections you will be able to point a
    browser at it and be directed towards http://server/homepage.nsf.  If not
    then unpack your favorite brute forcer (e.g. authforce) and cross your
    fingers.
    
    Once you can view content, try the ?OpenServer command; unless the server
    is wide open then this will probably fail.  If you can successfully
    get at the URL http://server/webadmin.nsf then you have hit the jackpot.  In
    general at this point you want to poke around and see what is available,
    especially if you were able to brute force a username/password pair.
    In addition to webadmin.nsf, try to access key databases like names.nsf,
    events4.nsf, log.nsf, and decsadm.nsf.
    
    Of course there's always the possibility that the underlying OS is insecure,
    at which point you can just copy the databases to another server and view
    them there, provided that they are not encrypted.
    
    -Josh Daymont
    
    On Tue, 9 Oct 2001, Johann van Duyn wrote:
    
    > Hi there...
    >
    > I am about to do a security audit (of the semi-pen-test variety) on a
    > network with Lotus Domino and Notes R5 running on it.
    >
    > I am a bit out of my depth regarding Domino and Notes, being a bit of an
    > Exchange fan myself. Can anyone give me a few pointers and possible gotchas
    > that could benefit me (and, ultimately, the company I'm working for) in
    > this?
    >
    > Much appreciated.
    >
    > :-)
    >
    > Johann
    > Confidentiality Notice: The information in this document and
    > attachments is confidential and may also be legally privileged.
    > It is intended only for the use of the named recipient. Internet
    > communications are not secure and therefore British American
    > Tobacco does not accept legal responsibility for the contents of
    > this message. If you are not the intended recipient, please notify us
    > immediately and then delete this document. Do not disclose the
    > contents of this document to any other person, nor take any copies.
    > Violation of this notice may be unlawful.
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 15:29:23 PDT
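
A defender-side check for the databases named in the message above, as an added example that is not part of the original post: it scans web server access logs for successful requests to those databases or to ?OpenServer, and for repeated 401 responses to one client. The Common Log Format input, the constructed sample lines and the threshold of five failures are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Databases and URL command named in the message above.
SENSITIVE_DBS = {"webadmin.nsf", "names.nsf", "events4.nsf", "log.nsf", "decsadm.nsf"}
BRUTE_FORCE_401S = 5  # assumed threshold of 401s per client; tune per site

# Common Log Format (assumed): host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def analyze(lines):
    """Return (findings, suspects): successful hits on sensitive resources,
    and clients with at least BRUTE_FORCE_401S authentication failures."""
    findings, failures = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        host, user, _method, target, status = m.groups()
        if status == "401":
            failures[host] += 1
        if status != "200":
            continue
        path, _, query = unquote(target).lower().partition("?")
        db = next((p for p in path.split("/") if p.endswith(".nsf")), None)
        who = "anonymous" if user == "-" else user
        if db in SENSITIVE_DBS:
            findings.append((host, who, db))
        elif query.startswith("openserver"):
            findings.append((host, who, "?OpenServer"))
    suspects = sorted(h for h, n in failures.items() if n >= BRUTE_FORCE_401S)
    return findings, suspects

# Constructed sample log lines (documentation address ranges, not real traffic).
T = "[09/Oct/2001:14:00:00 -0700]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /homepage.nsf HTTP/1.0" 200 5120',
    f'192.0.2.10 - - {T} "GET /?OpenServer HTTP/1.0" 401 210',
    f'192.0.2.10 - - {T} "GET /names.nsf HTTP/1.0" 200 8812',
    *[f'198.51.100.7 - - {T} "GET /webadmin.nsf HTTP/1.0" 401 210'] * 5,
    f'198.51.100.7 - jsmith {T} "GET /webadmin.nsf HTTP/1.0" 200 4096',
    f'203.0.113.5 - - {T} "GET /?OpenServer HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    hits, brute = analyze(SAMPLE_LOG)
    for host, who, what in hits:
        print(f"{host} ({who}) reached {what}")
    print("clients with repeated 401s:", brute)
```

A hit by "anonymous" on any of these databases means the database ACL allows unauthenticated access and should be tightened; a named user appearing right after a burst of 401s from the same client warrants a password reset and review.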