William Dawson (@bill_e_ghote) did a talk at Bsides LV 2012 and skytalks on Lotus Domino hashes
Link --> http://youtu.be/vfUqZo1Hryg
its worth a listen if you need some background info.
in 2010 i dropped a lotus domino version module
The module is in the trunk, you can read the post but in my experience newer version of Lotus Domino dont actually advertise that they are lotus domino in the banner, thus you need a way to identify these and once identified figure out current version so you can see if there are any exploits for it.
One of the other things Bill mentions is locating these vulnerable pages. He uses google dorks, which is useful as long as the site is indexed. While not in the trunk, awhile back i had a bunch of domino servers on a pentest. I ended up taking all the domino scanners i could find and combing those wordlists into one wordlist and writing a metasploit module to search for those URLs. The key was that we wanted to see which ones were open to the world and which ones require authentication (correct behavior) and any the forwarded you to somewhere else (probably because you are on 80 and the site requires 443).
In my github repo is the module and wordlist
module is here:
wordlist is here:
if i'm missing some urls please let me know so i can update the list.
looks like this when run
msf auxiliary(lotus_domino_scanner) > run [*] Scanning 192.168.1.4:443 [*] Bases with Anonymous Access: download/filesets/l_LOTUS_SCRIPT.inf download/filesets/l_SEARCH.inf download/filesets/n_LOTUS_SCRIPT.inf download/filesets/n_SEARCH.inf events4.nsf help/lsxlc.nsf homepage.nsf iNotes/Forms6.nsf iNotes/Forms7.nsf mtatbls.nsf [*] Bases Requiring Authentication: admin4.nsf agentrunner.nsf agentrunner.nsf Bookmark.nsf certlog.nsf certsrv.nsf certsrv.nsf cldbdir.nsf dbdirman.nsf ddm.nsf doladmin.nsf domadmin.nsf domcfg.nsf domcfg.nsf/?open log.nsf log.nsf mail1.box mail2.box names.nsf names.nsf names.nsf/$Users schema.nsf statrep.nsf statrep.nsf statrep.nsf?ReadEntries webadmin.nsf webadmin.nsf [*] Forward: [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed