Dailydave mailing list archives
Owning Lotus Notes Server & Client
From: DSquare Security <info () d2sec com>
Date: Mon, 27 Oct 2008 17:48:04 -0500
There are several ways to get a Lotus Notes ID during a pentest (access to a share with all the IDs, client side exploitation, ...). After that, if needed, you can crack the password ID with commercial or free tools (ID Password Recovery for example).

So what can you do with an admin ID? Potentially two things:

1) Compromise the Lotus Notes server
2) Compromise the computer of the Lotus Notes clients

D2Lotus is designed to help you in this kind of work. Here are two demonstrations of this tool:

1) Remote code execution on a Lotus Notes server: http://www.d2sec.com/d2lotus_1.htm
2) Remote code execution on computer user via Lotus Notes Client: http://www.d2sec.com/d2lotus_2.htm

This tool will be released in the next update of D2 Exploitation Pack.

--
DSquare Security, LLC
http://www.d2sec.com
