Hacking Lotus Domino

IBM Lotus Domino Server is a solution for the corporate environment that provides different services to manage electronic documents, and it includes many models such as Mail server, Http server and Data base. The current version is Lotus Domino 8.5.1.

To detect the server we start by scanning the network, usually the server runs a web interface Lotus Domino httpd, so we run Nmap and scan the targeted network as follows:

Nmap –sV –p 80
Nmap scan report for
Host is up (0.017s latency).
Not shown: 65533 filtered ports
80 open http Lotus Domino httpd

Now as you can see the IP address of the Domino server is found and you can open your web browser to check some nice Domino web pages with the version: http://serverip/homepage.nsf.

You can use the Google Hack method to find all web servers running on Domino by searching for inurl:homepage.nsf. In the results you will find thousands of Domino based web pages. Now it is very important to note that you should not attempt training yourself on these sites.

Usually when you install Lotus client you need to connect as a user to the server, and a screen for authentication appears to make non experienced hackers terrified, but if you concentrate and check everything slowly you will find the gaps and admin faults.

First you start by learning the important resources on the server, on Domino most important files are with the .NSF extension, so we have:

/Names.nsf File in Domino server contains file name and path (Most important database in the Domino environment)

You can find other files using DominoHunter which provides you a list on all .nsf files. But what we need is the names.nsf database which includes all mail addresses, users information, users operating systems, security applications on Lotus notes and other important information.

What is interesting that on most Domino servers this file can be accessed by anonymous users =-).
Now the kind of information that we will need take care of:

1. List of user’s login so we can guess there passwords also which user account is the admin.

2. All information can be used in the social engineering to trick non trained personal.

3. In the names.nsf you will find also OS version as lotus notes client version this will be very helpful to find the 0-days for all users and application and OS. Here an attacker can use even vulnerability in Internet explorer to compromise some accounts.

Gathering information is not all what is possible – in 2005 there someone discovered a vulnerability allows an attacker to get Internet users password hash. The vulnerability is not difficult to exploit because all users hash passwords are stored in Hidden HTTPPassowrd or dspHTTPPassword files, depending on the version.
What is strange that this vulnerability remains unfixed.

Now the number of users can be hundreds or thousands, so you will need to have all hashes in automatic way. On 2007 an exploit has been released for Dumping Password Hash Raptor_dominohash that allows downloading of all users’ hashes.

DominoHashBreaker is also an important tool that tries to find the clear text form of the password by utilizing a dictionary attack. The goal is to make it possible for an administrator to check the robustness of the passwords of its users.

But for the best results, John the Ripper with Jumbo patch – which adds modern password hashes – and all you need is give HASH.txt to JohnTheRipper (in the form username:hash). If you find one account password you will be able to know the password policy for all users and will not consume much time to have all passwords list. And these passwords are for Domino web access.

If we have the administrator password account, then its ok, if not we should repeat the previous steps. Something interesting is that the admin password will allow attacker to open webadmin.nsf (servername/webadmin.nsf) this is for administrating Lotus Domino webserver interface, and by getting access to this resource you can add, remove or modify users.

On domino there is another protocol which is NRPC using port 1352, and this allows users to have client Lotus notes and Lotus designer, and the client should have a certificate to approve his identity with extension ID. There is also a password authentication mechanism.

Passwords are used to decrypt the ID file, so to have access to any Domino account we will need 2 things: an ID file and password for this file. This is more complicated than the Web access but it is always possible.

To get the ID file you can exploit a vulnerability in Lotus Domino where the server keeps a copy of the ID stored on the server, so if you have users login as shown using names.nsf. you will have the ID for the password there is 3 tools that can search for the ID password which is ( ID Password recovery, Lotus Notes Password Recovery or Notes Password Recovery by following this link ,all three tools for free.

This post presents a clear idea about the different configuration faults that can exist in a Domino server with a small vulnerability that can allow an outsider to take full control of the server and manipulate a corporation’s very sensitive information.

Reference: http://dsecrg.com/pages/pub/show.php?id=2

make sure you subscribe to my RSS feed!