Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Lotus Notes
From: "Grant Torresan" <sonofthor () severus org>
Date: Fri, 29 Nov 2002 12:12:02 -0500

Since everybody seems to be pimping their own products for auditing 
Lotus Domino servers, I thought this would be an appropriate time to 
announce my own humble project, which deals with this subject as well.

DominoDig is an open-source (GPL) utility written by myself (Grant 
Torresan) for the purpose of quickly and cheaply auditing Lotus Domino 
web servers and extracting useful information from any anonymously 
accessible pages that are found.

While DominoDig may not have all the features that a commercial product 
like AppDetective (which sounds most impressive, BTW) or DominoScan by 
NGSSoftware, I believe that it will satisfy most of the requirements of 
a pen-tester for a considerably lower price (free!).

Features of note include the following:

-Searches for a large number of default notest databases.
-Parses contents of each page it accesses looking for references to 
other unique (custom) .nsf databases.
-Collects email addresses and unique IP addresses that appear in any 
page it indexes.
-Produces an HTML report detailing all of the information it was able 
to gather, and a list of hyperlinks to each .nsf database it was able 
to access anonymously.


If you are interested in trying it out, please browse to 
http://dominodig.sourceforge.net for the latest release.  Please note 
that this software is a "work-in-progress" and as such it is being 
freqently updated and new features are being added all the time.  If 
there is a paricular piece of information DominoDig is not searching 
for that you think would be particularly useful, or if you encounter 
any problems with the software, please let me know by sending me an 
email at sonofthor () severus org 

Hope this helps,

Grant Torresan.


----- Original Message -----
From: "David Barnett" <dbarn064 () earthlink net>
To: <svetsanj () hotmail com>; <pen-test () securityfocus com>
Sent: Thursday, November 28, 2002 8:50 AM
Subject: Re: Lotus Notes



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well I must concur with Chad as Notes default installs are wide 
open. 
Rarely when doing Pen tests have I found a correctly secured 
Notes/Domino server. Permissions are rarely correct for databases. 
While I am sure NexPose has done a fine job with their Vuln 
scanner, I 
have tried
<unbiased
commercial plug> AppDetective works really well for Lotus and Domino
scans!!
You can also use N-Stealth or any of your favorite web scanners and 
add
the
following files:

/852566C90012664F
/admin4.nsf
/admin5.nsf
/admin.nsf
/agentrunner.nsf
/alog.nsf
/a_domlog.nsf
/bookmark.nsf
/busytime.nsf
/catalog.nsf
/certa.nsf
/certlog.nsf
/certsrv.nsf
/chatlog.nsf
/clbusy.nsf
/cldbdir.nsf
/clusta4.nsf
/collect4.nsf
/da.nsf
/dba4.nsf
/dclf.nsf
/DEASAppDesign.nsf
/DEASLog01.nsf
/DEASLog02.nsf
/DEASLog03.nsf
/DEASLog04.nsf
/DEASLog05.nsf
/DEASLog.nsf
/decsadm.nsf
/decslog.nsf
/DEESAdmin.nsf
/dirassist.nsf
/doladmin.nsf
/domadmin.nsf
/domcfg.nsf
/domguide.nsf
/domlog.nsf
/dspug.nsf
/events4.nsf
/events5.nsf
/events.nsf
/event.nsf
/homepage.nsf
/iNotes/Forms5.nsf/$DefaultNav
/jotter.nsf
/leiadm.nsf
/leilog.nsf
/leivlt.nsf
/log4a.nsf
/log.nsf
/l_domlog.nsf
/mab.nsf
/mail10.box
/mail1.box
/mail2.box
/mail3.box
/mail4.box
/mail5.box
/mail6.box
/mail7.box
/mail8.box
/mail9.box
/mail.box
/msdwda.nsf
/mtatbls.nsf
/mtstore.nsf
/names.nsf
/nntppost.nsf
/nntp/nd000001.nsf
/nntp/nd000002.nsf
/nntp/nd000003.nsf
/ntsync45.nsf
/perweb.nsf
/qpadmin.nsf
/quickplace/quickplace/main.nsf
/reports.nsf
/sample/siregw46.nsf
/schema50.nsf
/setupweb.nsf
/setup.nsf
/smbcfg.nsf
/smconf.nsf
/smency.nsf
/smhelp.nsf
/smmsg.nsf
/smquar.nsf
/smsolar.nsf
/smtime.nsf
/smtpibwq.nsf
/smtpobwq.nsf
/smtp.box
/smtp.nsf
/smvlog.nsf
/srvnam.htm
/statmail.nsf
/statrep.nsf
/stauths.nsf
/stautht.nsf
/stconfig.nsf
/stconf.nsf
/stdnaset.nsf
/stdomino.nsf
/stlog.nsf
/streg.nsf
/stsrc.nsf
/userreg.nsf
/vpuserinfo.nsf
/webadmin.nsf
/web.nsf
/.nsf/../winnt/win.ini
/?Open



At 01:28 AM 11/27/2002 -0500, svetsanj () hotmail com wrote:




We are doing a penetration testing for a client who has lotus 
notes. 
We were able to access the catalog.nsf file from the web and other 
admin pages such as the user list page, connections page database 
page etc.

Question is, is this just a low level threat or can a hacker use 
this 
info to hack further. Also clicking on some of the admin pages 
brings 
up a default page which says click here to access page. On a notes 
client its possible to click that page put not through http. Is 
there 
a workaround url that bypasses that page?

        SKP






---------------------------------------------------------------------
--
----
-
This list is provided by the SecurityFocus Security Intelligence 
Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which 
automatically alerts you to the latest security vulnerabilities 
please
see:
https://alerts.securityfocus.com/


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use 
<http://www.pgp.com>

iQA/AwUBPeYfJb4MEqovNuR+EQLxpACgv+PYardMxNP9E/rq5ZK6uGQ+GwwAn0g/
LYO/k86xRdalL5MLF3ZA3FW7
=CiDX
-----END PGP SIGNATURE-----


--------------------------------------------------------------------
--
----
--
This list is provided by the SecurityFocus Security Intelligence 
Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which 
automatically alerts you to the latest security vulnerabilities 
please
see:
https://alerts.securityfocus.com/




-- 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]