So just how secure is your Domino server from attempts to hack into it?
So as I was going through the Google News Alerts, I see this blog posting in CIO.com from another post over at infosecisland.com titled Hacking Lotus Notes. Often these types of stories are a bit more fluff than fire, but this one actually talks techniques and specific attacks... for instance:
IBM Lotus Domino Server is a solution for the corporate environment that provides different services to manage electronic documents, and it includes many modules such as a mail server, an HTTP server and a database. The current version is Lotus Domino 8.5.1.
To detect the server we start by scanning the network, usually the server runs a web interface Lotus Domino httpd, so we run Nmap and scan the targeted network as follows:
nmap -sV 172.16.1.0/24 -p 80
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80 open http Lotus Domino httpd
Now as you can see the IP address of the Domino server is found and you can open your web browser to check some nice Domino web pages with the version: http://serverip/homepage.nsf.
You can use the Google Hack method to find all web servers running on Domino by searching for inurl:homepage.nsf. In the results you will find thousands of Domino based web pages. Now it is very important to note that you should not attempt training yourself on these sites.
Based on this, you can see the rest of the article is probably going to go down the path of what steps to take to find the weak spot in your environment. This sounds like a perfect article to print out and use to attack your own system before someone else with far worse intentions decides to do it for you...

Comments
{ Link }
Their CEO Craig Allan is an experienced "White Hat" hacker who can identify security vulnerabilities at all levels of the ISO model.
Virtual Offis also host Domino servers in a utility grade primary Data Centre located at Pyrmont in Sydney and have a secondary data centre located at St Leonards (also in Sydney). Their Pyrmont site also hosts most of the pay TV services for the Australasian Region.
Posted by Ian Randall At 23:08:26 On 12/07/2010 | - Website - |
"the names.nsf database ...on most Domino servers this file can be accessed by anonymous users"
If you have secured the ACL on your names.nsf against this, then he cannot do any of the other things he proposes, as he cannot get the information he is relying on to perform the rest.
Posted by Maria Helm At 05:55:14 On 13/07/2010 | - Website - |
While you may have various templates or nsf files that are open, the core ones should not be set to anonymous.
But yes I have gone into a few companies to show that they needed help by not only screensaving their person doc in the names, but pulling their ID file off the server.
Of course without a password the ID would be useless, but in these cases password usually works too.
Posted by Keith Brooks At 06:44:00 On 13/07/2010 | - Website - |
In my research for the presentation I lifted the list of attendees from the UKLUG site, then proceeded to go down the websites of the attendees. I found some 27,000+ customer details buried in various sites. More to the point I notified those users that I found the information. I haven't gone back and tested again, but I suppose I should follow up.
Domino is a very secure system, but if you don't develop your web applications with security in mind, you can weaken that security. Moreover, you can expose details that harm both you as the company that runs the site, and more importantly, your customers.
The attacks I used didn't even go into advanced techniques such as cross-site attacks, embedded controls, redirection and search attacks, and such. This was all done with basic $first, $last, $DefaultView, NavigateTo, and other such attacks.
As I say to everybody, it is extremely easy to hide your folder/database information and that keeps a lot of hackers out of your machines. But how many people actually do it? (Looks at address bar... blog.nsf) case in point.
Posted by Dragon Cotterill At 09:19:45 On 13/07/2010 | - Website - |
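The view shortcuts named in the comment above ($first, $last, $DefaultView, NavigateTo) leave a recognisable trace in the Domino HTTP log, so an administrator can see whether anyone is walking databases that way. The following is an added example written for this page, not code from the blog, the commenter or IBM. It assumes the Domino HTTP task has been configured to write its access log in common/combined log format, with "-" in the user field for anonymous requests (the log lines below are constructed, not captured from a real server), and it watches the two databases named elsewhere on this page, names.nsf and homepage.nsf.

```python
"""Flag Domino web-log entries that use view/URL shortcuts or read a watched
database anonymously. Added example, not code from the blog post or from IBM.
Assumption: the Domino HTTP task logs in common/combined log format."""
import re
from urllib.parse import unquote

# Databases the comments on this page single out as exposed by default.
WATCHED_DBS = ("names.nsf", "homepage.nsf")

# Shortcuts named by the commenter; Domino treats them case-insensitively.
SHORTCUT_RE = re.compile(r"(\$first|\$last|\$DefaultView|NavigateTo)", re.I)

# Common/combined log format up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jul/2010:09:19:45 +0100] "GET /homepage.nsf HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jul/2010:09:19:47 +0100] "GET /names.nsf/%24DefaultView?OpenView HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jul/2010:09:19:49 +0100] "GET /blog.nsf/%24first HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - alice [13/Jul/2010:09:20:01 +0100] "GET /names.nsf/People?OpenView HTTP/1.1" 200 7750 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jul/2010:09:20:05 +0100] "GET /names.nsf HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.77 - - [13/Jul/2010:09:21:00 +0100] "GET /blog.nsf/posts?OpenView HTTP/1.1" 200 9990 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line; return a dict or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote(entry["path"])   # %24 -> $ so shortcuts are visible
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of reasons this request deserves a look (empty = ordinary)."""
    reasons = []
    shortcut = SHORTCUT_RE.search(entry["path"])
    if shortcut:
        reasons.append("view shortcut %s" % shortcut.group(1))
    anonymous = entry["user"] == "-"
    watched = any(db in entry["path"].lower() for db in WATCHED_DBS)
    # A 200 to an anonymous reader of a watched database means its ACL still
    # grants Anonymous at least Reader access.
    if anonymous and watched and entry["status"] == 200:
        reasons.append("anonymous 200 on watched database")
    return reasons


def scan(lines):
    """Yield (client ip, path, reasons) for every flagged request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"], reasons))
    return findings


def scan_sample():
    """Run the detector over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, path, reasons in scan_sample():
        print("%-15s %-40s %s" % (ip, path, "; ".join(reasons)))
```

Authenticated reads of names.nsf (the "alice" line) and anonymous requests that were refused with 401 are left alone, so the output is limited to the two things the comments describe: shortcut walking and databases that are still open to Anonymous.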
As an administrator you can provide each database/template with an anonymous=NoAccess entry, only to see it replaced by default values when upgrading.
Last month I opened a SPR to prevent this setup behaviour. The SPR is ZKUN86QLHA 'Replacing some standard databases/templates as homepage.nsf, help/* and iNotes/*'.
See { Link }
Posted by Duco Bergsma At 10:44:31 On 14/07/2010 | - Website - |
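Because an upgrade can quietly put the default Anonymous entries back (the SPR above), it is worth having a repeatable check that the standard databases on a server you administer still refuse anonymous HTTP reads, which also covers the names.nsf point raised earlier in the comments. The script below is an added example written for this page, not code from the blog, the commenters or IBM. It assumes that Domino answers an anonymous request to a database whose ACL denies Anonymous either with HTTP 401 (basic authentication) or with a redirect to its login form (session authentication, a Location URL ending in ?Login), and that a plain 200 means Anonymous has at least Reader access. Only names.nsf and homepage.nsf are listed because those are the files the page names; the help/* and iNotes/* databases vary by installation and should be added from the server's own data directory. The hostname in the usage example is a placeholder.

```python
"""Re-check after every upgrade that standard databases refuse anonymous HTTP
reads. Added example, not code from the blog or from IBM. Assumptions: 401 or a
redirect to ...?Login means Anonymous is denied; 200 means Anonymous can read."""
import sys
import urllib.error
import urllib.request

# Databases named on this page; extend with the help/* and iNotes/* files
# actually present under the server's data directory.
CHECK_PATHS = ("names.nsf", "homepage.nsf")


def classify(status, headers):
    """Map one anonymous GET result to a verdict string."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ANONYMOUS READ ALLOWED"
    if status in (401, 403):
        return "auth required"
    if status in (301, 302, 303, 307):
        location = h.get("location", "")
        if "?login" in location.lower():
            return "auth required (login redirect)"
        return "redirect to %s" % location
    if status == 404:
        return "not present"
    return "unexpected %d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """One anonymous GET; returns (status, headers) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
        return err.code, dict(err.headers.items())


def audit(base_url, paths=CHECK_PATHS, fetch=http_fetch):
    """Return {path: verdict} for each database under base_url."""
    base = base_url.rstrip("/") + "/"
    results = {}
    for path in paths:
        status, headers = fetch(base + path)
        results[path] = classify(status, headers)
    return results


def exposed(results):
    """Paths whose verdict shows Anonymous can read them."""
    return sorted(p for p, v in results.items() if v.startswith("ANONYMOUS"))


if __name__ == "__main__":
    # Usage: python domino_anon_check.py http://domino.example.test
    base = sys.argv[1] if len(sys.argv) > 1 else "http://domino.example.test"
    for path, verdict in audit(base).items():
        print("%-20s %s" % (path, verdict))
    sys.exit(1 if exposed(audit(base)) else 0)
```

The fetcher is injectable so the verdict logic can be exercised without a live server; in a scheduled job the non-zero exit status is the signal that an upgrade has reopened something.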