Casper Gio wrote:

>hi,
>while doing security tests on a Lotus Domino system, I
>managed to get the UserID file for a user, and the
>hashed password of another user.
>I made it accessing thru the Internet, so I was a
>totally unprivileged user. The way I made it, is
>simple:
>
>the company I'm doing this test for, left some of the
>domino databases open to the public. Among the others,
>there's the names.nsf database, which contains info
>about the users. You just access this database with a
>url like:
>http://domino_server/names.nsf
>Well, one user had his UserID file publicly
>accessible, and another user had his password digest
>stored in the database.
>
>Is there any way to obtain the password from the
>UserID, or to crack and obtain the password from its
>hash?
>(I read it was released a tool named "sesame"... any
>clue? here for more info about it:
>http://online.securityfocus.com/news/66 )
>
>I would be interested in demonstrating how to obtain a
>password or access to
>the system starting from the data I collected on the
>Internet.
>I would appreciate any help thanks.

Hi,

I am doing a test for a company also running Lotus Domino. I tried names.nsf, yet it asks for authentication. According to http://packetstormsecurity.nl/0202-exploits/lotus.domino.bypass.txt there is a way to bypass the authentication by sending a buffer. I did a quick Perl script that would brute force that buffer and I found something quite interesting.

A URL like http://www.host.com/log.ntf++++x215+++++++.nsf would get me the same page as www.host.com/log.nsf (any other buffer would result in a server error).

This gives me the feeling that the exploit does work, and what I'm actually seeing is log.ntf (not log.nsf), but probably the 2 files are identical... or maybe I'm wrong... anyway, could you, or somebody else concerned about Lotus Domino security, give me a clue about all this stuff.
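For the defending side of this thread, an added example (not part of either post): a web-log check that flags the two request shapes the messages describe, anonymous 200 responses for names.nsf and .ntf names padded with "+" before a trailing .nsf. The common log format, the four-character padding threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# A .ntf name, a run of padding, then a trailing .nsf: the URL shape quoted
# in the reply. The minimum run of 4 is an assumption; tune it per site.
PADDED_RE = re.compile(r'\.ntf[+ ]{4,}[^/?]*\.nsf(?:$|[/?])', re.IGNORECASE)
NAMES_RE = re.compile(r'/names\.nsf(?:$|[/?])', re.IGNORECASE)

def classify(line):
    """Return (rule, host, status) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode %2B / %20 so encoded padding is matched as well.
    path = unquote(m["path"])
    status = int(m["status"])
    if PADDED_RE.search(path):
        # 200 means content was served; other codes are still probing.
        return ("padded-ntf-nsf", m["host"], status)
    if NAMES_RE.search(path) and m["user"] == "-" and status == 200:
        # The directory was served to a request with no authenticated user.
        return ("anonymous-names-nsf", m["host"], status)
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address ranges).
TS = "[20/Oct/2002:09:58:01 -0700]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /names.nsf HTTP/1.0" 200 5120',
    f'203.0.113.7 - - {TS} "GET /log.ntf{"+" * 215}.nsf HTTP/1.0" 200 4096',
    f'198.51.100.4 - jdoe {TS} "GET /names.nsf/People?OpenView HTTP/1.0" 200 8301',
    f'198.51.100.9 - - {TS} "GET /names.nsf HTTP/1.0" 401 312',
    f'192.0.2.33 - - {TS} "GET /log.ntf%2B%2B%2B%2B%2B.nsf HTTP/1.0" 500 210',
]

if __name__ == "__main__":
    for rule, host, status in scan(SAMPLE):
        print(f"{rule:22} {host:15} {status}")
```

A finding for names.nsf points at the database's access control list allowing anonymous readers, which is the condition the first message reports.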
This archive was generated by hypermail 2b30 : Sun Oct 20 2002 - 10:07:22 PDT