Tuesday, August 7, 2012

Lotus Domino Scanner


occasionally I run into Lotus Domino stuff on tests.

William Dawson (@bill_e_ghote) did a talk at Bsides LV 2012 and skytalks on Lotus Domino hashes

Link --> http://youtu.be/vfUqZo1Hryg

its worth a listen if you need some background info.

in 2010 i dropped a lotus domino version module
http://carnal0wnage.attackresearch.com/2010/05/metasploit-lotus-domino-version-scanner.html

The module is in the trunk, you can read the post but in my experience newer version of Lotus Domino dont actually advertise that they are lotus domino in the banner, thus you need a way to identify these and once identified figure out current version so you can see if there are any exploits for it.

One of the other things Bill mentions is locating these vulnerable pages. He uses google dorks, which is useful as long as the site is indexed.  While not in the trunk, awhile back i had a bunch of domino servers on a pentest. I ended up taking all the domino scanners i could find and combing those wordlists into one wordlist and writing a metasploit module to search for those URLs.  The key was that we wanted to see which ones were open to the world and which  ones require authentication (correct behavior) and any the forwarded you to somewhere else (probably because you are on 80 and the site requires 443).

In my github repo is the module and wordlist

module is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/lotus_domino_scanner.rb

wordlist is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/data/wordlists/lotus_domino_bases.txt

if i'm missing some urls please let me know so i can update the list.

looks like this when run



msf  auxiliary(lotus_domino_scanner) > run

[*] Scanning 192.168.1.4:443
[*] Bases with Anonymous Access:
download/filesets/l_LOTUS_SCRIPT.inf
download/filesets/l_SEARCH.inf
download/filesets/n_LOTUS_SCRIPT.inf
download/filesets/n_SEARCH.inf
events4.nsf
help/lsxlc.nsf
homepage.nsf
iNotes/Forms6.nsf
iNotes/Forms7.nsf
mtatbls.nsf


[*] Bases Requiring Authentication:
admin4.nsf
agentrunner.nsf
agentrunner.nsf
Bookmark.nsf
certlog.nsf
certsrv.nsf
certsrv.nsf
cldbdir.nsf
dbdirman.nsf
ddm.nsf
doladmin.nsf
domadmin.nsf
domcfg.nsf
domcfg.nsf/?open
log.nsf
log.nsf
mail1.box
mail2.box
names.nsf
names.nsf
names.nsf/$Users
schema.nsf
statrep.nsf
statrep.nsf
statrep.nsf?ReadEntries
webadmin.nsf
webadmin.nsf


[*] Forward:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


CG

5 comments:

midnitesnake said...

I dont see this one in your list:
/catalog.nsf - list of databases

Others, that have worked in the past for me (slight variations of ones already in your list):
mailbox.nsf
database.nsf
reports.nsf

CG said...

thanks!

Anonymous said...

hi,

How can we add this on metaploit?
We have follow this http://carnal0wnage.attackresearch.com/2012/08/lotus-domino-scanner.html but seems that it does not work on windows.

CG said...

"it doesnt work" isnt really enough to help you.

are you getting an error?

you put the modules in your .msf4 in the relevant path.

same goes for the wordlist.

HTH

-CG

CG said...

as a followup for the interwebz, i confirmed the urls in comment #1 are in the domino bases file.