Lotus Domino over 443 pentesting.

To:	pen-test@securityfocus.com
Subject:	Lotus Domino over 443 pentesting.
From:	Andrew <seraphele@gmail.com>
Date:	Wed, 15 Nov 2006 20:45:02 +0100
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ZFPEkZ+/fQkkUQ3kynl4v9qHjb1VstKPlWrnfu2xanBAklqn0BcoBBoiz/Q9iY2U3YR6RQU6yIfsh6ZuEVuxJPalyIUSeV3MQ1dIiTfCxxiN2yCRHvko+QdKyqFYPQGjx7EY2vfjDys3HWggD4KRciGGlZuPi32NMWc/OZcohkM=
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
Resent-date:	Wed, 15 Nov 2006 18:22:21 -0700 (MST)
Resent-from:	pen-test-return-1078482979@securityfocus.com
Resent-message-id:	<20061116012221.CEBED237464@outgoing3.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com

Hi list,

I need to analyze 10 Front-end servers. These servers are home-banking
authentication portal,
only 443 port is open. The authentication is a Lotus Domino based.
(operations like ?OpenDatabase names.nsf, statrep.nsf, webadmin.nsf
redirects me to the authentication form) There is also a database that
permit to me to see some 'views' and names of CssStyle directory.

VA scanners only reports false positives right now and is not good
enough form me, cause only
a XSS was found. I have read hackproofing lotus domino by ngssoftware,
but it was not very
useful.

So, does anyone know any good techniques for gaining access to these servers?
And does anyone know how can I manipulate lotus domino query in the
case of a readable database?

Any suggestions?

Thanks

Andrew B.
Junior Analyst
NWI group.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Lotus Domino over 443 pentesting., Andrew <= RE: Lotus Domino over 443 pentesting., Isidro Ramon Labrador Rodriguez Re: Lotus Domino over 443 pentesting., Danny Fullerton

Previous by Date:	RE: DDOS Products, ankur jindal
Next by Date:	IDS Assessments....and the I{D\|P}S evasion research project, Joseph McCray
Previous by Thread:	Gleg Ltd - Metasploit add-ons ceased due to Security Reasons, toggmeister
Next by Thread:	RE: Lotus Domino over 443 pentesting., Isidro Ramon Labrador Rodriguez
Indexes:	[Date] [Thread] [Top] [All Lists]