Home page logo

dailydave logo Dailydave mailing list archives

Owning Lotus Notes Server & Client
From: DSquare Security <info () d2sec com>
Date: Mon, 27 Oct 2008 17:48:04 -0500

There are several ways to get a Lotus Notes ID during a pentest
(access to a share with all the IDs, client side exploitation, ...)
After that, if needed, you can crack the password ID with commercial 
or free tools (ID Password Recovery for example)

So what can you do with an admin ID? Potentially two things:
1) Compromise the Lotus Notes server
2) Compromise the computer of the Lotus Notes clients

D2Lotus is designed to help you in this kind of work. Here are two
demonstrations of this tool:

1) Remote code execution on a Lotus Notes server:

2) Remote code execution on computer user via Lotus Notes Client:

This tool will be released in the next update of D2 Exploitation Pack.

DSquare Security, LLC

Dailydave mailing list
Dailydave () lists immunitysec com

  By Date           By Thread  

Current thread:
  • Owning Lotus Notes Server & Client DSquare Security (Oct 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]