Network Security: Detailed info on RE: Lotus Domino over 443 pentesting.

Subject:	RE: Lotus Domino over 443 pentesting.
Date:	Thu, 16 Nov 2006 10:39:19 +0100

 Try the techniques described in this paper.

http://www.ngssoftware.com/papers/hpldws.pdf

Best Regards 


________________________________

                 


Isidro R. Labrador Rodríguez

Consultor de Seguridad

Auditoría y Planificación de Seguridad

Security Consultant

Security Audit and Planning Division

         


GMV SOLUCIONES
GLOBALES INTERNET, S.A.
Isaac Newton, 11
P.T.M. Tres Cantos
E-28760 Madrid
Tel. +34 91 806 16 00
Fax +34 91 806 16 99
www.gmv.com


-----Mensaje original-----
De: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] En 
nombre de Andrew
Enviado el: miércoles, 15 de noviembre de 2006 20:45
Para: pen-test@securityfocus.com
Asunto: Lotus Domino over 443 pentesting.

Hi list,

I need to analyze 10 Front-end servers. These servers are home-banking 
authentication portal, only 443 port is open. The authentication is a Lotus 
Domino based.
(operations like ?OpenDatabase names.nsf, statrep.nsf, webadmin.nsf redirects 
me to the authentication form) There is also a database that permit to me to 
see some 'views' and names of CssStyle directory.

VA scanners only reports false positives right now and is not good enough form 
me, cause only a XSS was found. I have read hackproofing lotus domino by 
ngssoftware, but it was not very useful.

So, does anyone know any good techniques for gaining access to these servers?
And does anyone know how can I manipulate lotus domino query in the case of a 
readable database?

Any suggestions?

Thanks

Andrew B.
Junior Analyst
NWI group.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


______________________
Este mensaje, y en su caso, cualquier fichero anexo al mismo,
 puede contener informacion clasificada por su emisor como confidencial
 en el marco de su Sistema de Gestion de Seguridad de la 
Informacion siendo para uso exclusivo del destinatario, quedando 
prohibida su divulgacion copia o distribucion a terceros sin la 
autorizacion expresa del remitente. Si Vd. ha recibido este mensaje 
 erroneamente, se ruega lo notifique al remitente y proceda a su borrado. 
Gracias por su colaboracion.
______________________
This message including any attachments may contain confidential 
information, according to our Information Security Management System,
 and intended solely for a specific individual to whom they are addressed.
 Any unauthorised copy, disclosure or distribution of this message
 is strictly forbidden. If you have received this transmission in error,
 please notify the sender immediately and delete it.
______________________

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Lotus Domino over 443 pentesting., Andrew RE: Lotus Domino over 443 pentesting., Isidro Ramon Labrador Rodriguez <= Re: Lotus Domino over 443 pentesting., Danny Fullerton

Previous by Date:	Re: Re: N-Stalker or Acunetix, thiago
Next by Date:	Re: IDS Assessments....and the I{D\|P}S evasion research project, Sam Gorton
Previous by Thread:	Lotus Domino over 443 pentesting., Andrew
Next by Thread:	Re: Lotus Domino over 443 pentesting., Danny Fullerton
Indexes:	[Date] [Thread] [Top] [All Lists]