Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Domino testing
From: "A Plasmoid" <skinodo () gmail com>
Date: Mon, 23 Jul 2007 17:00:35 -0400

Thanks so much all of you for your suggestions.

I figured out the "remove the colon" bit a while back.. and found that
the file cldbdir.nsf varies between servers...

I have found that there are really five IP addresses with domino
servers on them. One seems to be a cluster controller, two seem to be
cluster members, and two seem to be completely different.

However, the cldbdir.nsf file seems to be the same on the cluster
controller, and its two nodes. On these servers there is only a single
file called anything like  mail presented in the cldbdir.nsf.

That said, the cldbdir.nsf file on the other two contain all of the
information from the cluster but I've also now found hundreds of email
boxes like mail/xyz01234.nsf - and when I browse to them (from the
default view), I see the box is titled "Some Name" which is very nice
- so I can enumerate the users. But, how can I be sure that the mail
users are "authorized" in names.nsf - or does that go without saying?

Is there a way to get group membership information?
Thanks again!

I very much appreciate all the help


BTW, I've also found that one can access the same file like a thousand
ways (if it isn't acl'd in the first place):

http://server/names.nsf
http://server\names.nsf
http://server/98127634764534
http://server\98127634764534
http://server/%6eames.nsf
http://server/__98127634764534.nsf
ad nauseum

Some of the documentation I've stumbled across makes it seem as though
one has to be very very careful to ensure that each and every
iteration is accounted for when setting acls - this seems to be a lot
of work.  Then again, the documentation seems to be eons old (circa
2004) so maybe things have changed since then ;)

Ciao

On 7/23/07, Chris.McGinley () sungard com <Chris.McGinley () sungard com> wrote:

If cldbdir.nsf contains the names of mail databases, then you should be able to see the mail database title, file name, 
and replica ID. The file name can be entered in the URL like so -

        http://server/<nsf filename>

And, you can directly insert the replica id (minus the colon) as so (using your example from below) -
        http://server/74147FC1000F0B27

The mail1.box file that you are referring to is the server's router mailbox; all email is transferred there so that it can be 
delivered to its destination. It's normal to have 'Depositor' access to that, meaning you can drop stuff there but see 
nothing.

As for the administrator account, there is not a standard name in Domino; it is defined by the person who installs the 
software for the first time and it can be anything.

-Chris




 "A Plasmoid" <skinodo () gmail com>

07/23/2007 10:14 AM

To "Chris.McGinley () sungard com" <Chris.McGinley () sungard com>

cc pen-test () securityfocus com

Subject Re: Domino testing








Thanks Chris,

 I do have access to cldbdir.nsf - and it seems that I can get the replica IDs of hundreds of files, like 
webadmin.nsf...

 Trouble is, I get it in this format:

 74147FC1:000F0B27

 Is there a way to use a replica ID to gain access to the real file? If so, then how does one convert the above to 
something usable?

 Also, there seems to be only a single mail1.box on the server in question - my guess would be that this is the admin 
mailbox. Is there an algorithm to convert to a name? Is administrator the admin for Domino on Windows?

 Thanks again

On 7/23/07, Chris.McGinley () sungard com < Chris.McGinley () sungard com> wrote:

 If you can access the cldbdir.nsf database, you may be able to disclose
 the names of mail files. Equate that to user names and you have yourself a
 list of names to use for password guessing against the protected databases
 (e.g. names.nsf).

 dba4.nsf may give you some info about a specific database, but probably
 nothing very useful for gaining access. The others are sample & help
 databases...the help db may give you info about the host OS, but nothing
 more.

 In a situation like this, your best bet is to guess a user/pass and get
 access to names.nsf and elevate privs.

 -Chris




 "A Plasmoid" <skinodo () gmail com>
 Sent by: listbounce () securityfocus com
 07/20/2007 04:22 PM

 To
 pen-test () securityfocus com
 cc

 Subject
 Domino testing






 I'm new to Domino testing, and have found a few interesting databases.
 I am wondering if there is anything that could be done with
 them.Specifically,  there are:

 cldbdir.nsf
 dba4.nsf
 qstart.nsf
 /sample/faqw46.nsf
 /sample/pagesw46.nsf (several others in sample)
 /help/help5_designer.nsf (several others in help)

 The ?EditDocument functionality is locked down with "basic
 authentication" but I can view them.There is not a lot of info (that I
 have found) regarding domino, so I'm hoping that some kind person here
 can tell me whether these things can be leveraged into a deeper level
 of access or not.

 All of the other "important" databases like names.nsf, webadmin.nsf,
 and others are also protected with basic auth.

 Thanks for any hints, clues, and even "Google is your friend" stuff
 (as long as there is a corresponding reasonable search parameter ) :)

 ------------------------------------------------------------------------
 This List Sponsored by: Cenzic

 Swap Out your SPI or Watchfire app sec solution for
 Cenzic's robust, accurate risk assessment and management
 solution FREE - limited Time Offer

 http://www.cenzic.com/c/wf-spi
 ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault