William Dawson (@bill_e_ghote) did a talk at Bsides LV 2012 and skytalks on Lotus Domino hashes
Link --> http://youtu.be/vfUqZo1Hryg
its worth a listen if you need some background info.
in 2010 i dropped a lotus domino version module
The module is in the trunk, you can read the post but in my experience newer version of Lotus Domino dont actually advertise that they are lotus domino in the banner, thus you need a way to identify these and once identified figure out current version so you can see if there are any exploits for it.
One of the other things Bill mentions is locating these vulnerable pages. He uses google dorks, which is useful as long as the site is indexed. While not in the trunk, awhile back i had a bunch of domino servers on a pentest. I ended up taking all the domino scanners i could find and combing those wordlists into one wordlist and writing a metasploit module to search for those URLs. The key was that we wanted to see which ones were open to the world and which ones require authentication (correct behavior) and any the forwarded you to somewhere else (probably because you are on 80 and the site requires 443).
In my github repo is the module and wordlist
module is here:
wordlist is here:
if i'm missing some urls please let me know so i can update the list.
looks like this when run
msf auxiliary(lotus_domino_scanner) > run
[*] Scanning 192.168.1.4:443
[*] Bases with Anonymous Access:
[*] Bases Requiring Authentication:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed