|
Penetration Testing
mailing list archives
Re: Lotus Notes
From: "Grant Torresan" <sonofthor () severus org>
Date: Fri, 29 Nov 2002 12:12:02 -0500
Since everybody seems to be pimping their own products for auditing
Lotus Domino servers, I thought this would be an appropriate time to
announce my own humble project, which deals with this subject as well.
DominoDig is an open-source (GPL) utility written by myself (Grant
Torresan) for the purpose of quickly and cheaply auditing Lotus Domino
web servers and extracting useful information from any anonymously
accessible pages that are found.
While DominoDig may not have all the features that a commercial product
like AppDetective (which sounds most impressive, BTW) or DominoScan by
NGSSoftware, I believe that it will satisfy most of the requirements of
a pen-tester for a considerably lower price (free!).
Features of note include the following:
-Searches for a large number of default notest databases.
-Parses contents of each page it accesses looking for references to
other unique (custom) .nsf databases.
-Collects email addresses and unique IP addresses that appear in any
page it indexes.
-Produces an HTML report detailing all of the information it was able
to gather, and a list of hyperlinks to each .nsf database it was able
to access anonymously.
If you are interested in trying it out, please browse to
http://dominodig.sourceforge.net for the latest release. Please note
that this software is a "work-in-progress" and as such it is being
freqently updated and new features are being added all the time. If
there is a paricular piece of information DominoDig is not searching
for that you think would be particularly useful, or if you encounter
any problems with the software, please let me know by sending me an
email at sonofthor () severus org
Hope this helps,
Grant Torresan.
----- Original Message -----
From: "David Barnett" <dbarn064 () earthlink net>
To: <svetsanj () hotmail com>; <pen-test () securityfocus com>
Sent: Thursday, November 28, 2002 8:50 AM
Subject: Re: Lotus Notes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Well I must concur with Chad as Notes default installs are wide
open.
Rarely when doing Pen tests have I found a correctly secured
Notes/Domino server. Permissions are rarely correct for databases.
While I am sure NexPose has done a fine job with their Vuln
scanner, I
have tried
<unbiased
commercial plug> AppDetective works really well for Lotus and Domino
scans!!
You can also use N-Stealth or any of your favorite web scanners and
add
the
following files:
/852566C90012664F
/admin4.nsf
/admin5.nsf
/admin.nsf
/agentrunner.nsf
/alog.nsf
/a_domlog.nsf
/bookmark.nsf
/busytime.nsf
/catalog.nsf
/certa.nsf
/certlog.nsf
/certsrv.nsf
/chatlog.nsf
/clbusy.nsf
/cldbdir.nsf
/clusta4.nsf
/collect4.nsf
/da.nsf
/dba4.nsf
/dclf.nsf
/DEASAppDesign.nsf
/DEASLog01.nsf
/DEASLog02.nsf
/DEASLog03.nsf
/DEASLog04.nsf
/DEASLog05.nsf
/DEASLog.nsf
/decsadm.nsf
/decslog.nsf
/DEESAdmin.nsf
/dirassist.nsf
/doladmin.nsf
/domadmin.nsf
/domcfg.nsf
/domguide.nsf
/domlog.nsf
/dspug.nsf
/events4.nsf
/events5.nsf
/events.nsf
/event.nsf
/homepage.nsf
/iNotes/Forms5.nsf/$DefaultNav
/jotter.nsf
/leiadm.nsf
/leilog.nsf
/leivlt.nsf
/log4a.nsf
/log.nsf
/l_domlog.nsf
/mab.nsf
/mail10.box
/mail1.box
/mail2.box
/mail3.box
/mail4.box
/mail5.box
/mail6.box
/mail7.box
/mail8.box
/mail9.box
/mail.box
/msdwda.nsf
/mtatbls.nsf
/mtstore.nsf
/names.nsf
/nntppost.nsf
/nntp/nd000001.nsf
/nntp/nd000002.nsf
/nntp/nd000003.nsf
/ntsync45.nsf
/perweb.nsf
/qpadmin.nsf
/quickplace/quickplace/main.nsf
/reports.nsf
/sample/siregw46.nsf
/schema50.nsf
/setupweb.nsf
/setup.nsf
/smbcfg.nsf
/smconf.nsf
/smency.nsf
/smhelp.nsf
/smmsg.nsf
/smquar.nsf
/smsolar.nsf
/smtime.nsf
/smtpibwq.nsf
/smtpobwq.nsf
/smtp.box
/smtp.nsf
/smvlog.nsf
/srvnam.htm
/statmail.nsf
/statrep.nsf
/stauths.nsf
/stautht.nsf
/stconfig.nsf
/stconf.nsf
/stdnaset.nsf
/stdomino.nsf
/stlog.nsf
/streg.nsf
/stsrc.nsf
/userreg.nsf
/vpuserinfo.nsf
/webadmin.nsf
/web.nsf
/.nsf/../winnt/win.ini
/?Open
At 01:28 AM 11/27/2002 -0500, svetsanj () hotmail com wrote:
We are doing a penetration testing for a client who has lotus
notes.
We were able to access the catalog.nsf file from the web and other
admin pages such as the user list page, connections page database
page etc.
Question is, is this just a low level threat or can a hacker use
this
info to hack further. Also clicking on some of the admin pages
brings
up a default page which says click here to access page. On a notes
client its possible to click that page put not through http. Is
there
a workaround url that bypasses that page?
SKP
---------------------------------------------------------------------
--
----
-
This list is provided by the SecurityFocus Security Intelligence
Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities
please
see:
https://alerts.securityfocus.com/
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use
<http://www.pgp.com>
iQA/AwUBPeYfJb4MEqovNuR+EQLxpACgv+PYardMxNP9E/rq5ZK6uGQ+GwwAn0g/
LYO/k86xRdalL5MLF3ZA3FW7
=CiDX
-----END PGP SIGNATURE-----
--------------------------------------------------------------------
--
----
--
This list is provided by the SecurityFocus Security Intelligence
Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities
please
see:
https://alerts.securityfocus.com/
--
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
 By Date 
By Thread
Current thread:
- Lotus Notes svetsanj (Nov 27)
- <Possible follow-ups>
- Re: Lotus Notes Grant Torresan (Nov 29)
|
Intro
