Toppling Domino - 44CON 2012
- 1. SecQuest INFORMATION SECURITY
44Con 2012: Toppling Domino
Testing security in a Lotus Notes environment
Written & Presented by Darren Fuller
SecQuest Information Security Ltd.
© 2012 SecQuest Information Security Ltd.
- 2. 44Con: London, September 2012
About this Presentation
This presentation was originally given at 44Con 2012 in London and had a number of interactive demos which obviously cannot be included.
If you or your company would like further information about Domino security or to arrange a re-run of this talk on your premises please contact us.
https://www.secquest.co.uk
Tel: 0845 19 31337
- 3. Who Am I?
Darren Fuller
Lotus PCLP*
Security Consultant
Ex IBM Notes developer
Ex IBM EMEA X-Force
Run a company called SecQuest
Been using Notes since V3 on IBM OS/2
* Domino R5
- 4. What I’m Talking About Today
“Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community.
In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in. This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.”
- 5. Typical!
Nothing about Notes/Domino for a while, then William Dawson talked about it at BSides Vegas this year!
Interesting talk about Domino hashes which we’ll cover in a bit of detail later
Link to talks:
http://www.irongeek.com/i.php?page=videos/bsideslasvegas2012/mainlist
- 6. Used By…
More than half of Fortune 100 companies & more
- 7. Lotus Notes/Domino: History
Created by Ray Ozzie/Iris Associates
V1 shipped in 1989
Included public key cryptography
3 major editions available in the early days
V8.5.4 is currently in beta
- 8. Crypto Background Information
US Edition used 64 bit keys
International keys restricted to 40 bits due to US export rules before 1997
Deal with US .gov to allow 64 bit international keys after 1997, provided the US government was given the first 24 bits
France didn’t like this! A French edition was made with 40 bit encryption keys
These days 128 and 256 bit AES can be used
- 9. Security Overview
ID Files
Database ACL (Access Control List)
Execution Control List (ECL)
NAB Groups
- 10. Security Overview – Encryption Layers
Database Encryption
Document Encryption
Field Encryption
Transport Layer Encryption
- 12. Yes we Can!
Examples given in this presentation are based on “real world” tests.
These techniques have been used a number of times to compromise various client sites.
Obviously root is nice but the data is the thing to go for; the right Notes user will give you the keys to the kingdom!
- 13. Breaking In Externally – What to look for
names.nsf database with anonymous access
domlog.nsf with anonymous access
webadmin.nsf (you’ll be lucky!)
- 14. Checking out the /hacker Domain
Anonymous access to domlog.nsf can give you a session ID; these default to a 30-minute expiry
- 16. Because..
The admins have messed up and granted anonymous “reader” access
- 17. HTTPPassword in Document Source
Vulnerability documented in 2005
Still overlooked by a lot of admins
- 18. HTTPPassword in Document Source
<input name="FullName" type="hidden" value="Milexa Crozzd/hacker; Milexa Crozzd">
<input name="ShortName" type="hidden" value="milexa">
<input name="HTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">
<input name="dspHTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">
Metasploit can automate hash gathering
- 19. Cracking Passwords
Grab password hashes from the document source
Domino has two types of password hashes for internet passwords: “normal” and “more secure”
Use JTR with Jumbo Patch
“normal” = “lotus5”
“more secure” = “dominosec”
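An added audit check, written for this write-up rather than taken from the talk or from SecQuest’s tooling: it parses the page source of a person document the way an admin would when verifying that anonymous readers of names.nsf cannot see the HTTPPassword fields, and reports which of the two hash formats is in use so that “normal” hashes can be migrated to “more secure”. The hidden-input names follow slide 18; the hash shapes (32 hex characters for lotus5, “(G” plus 20 characters plus “)” for dominosec), the user name and the hash values are assumptions and constructed samples, not data from the page.

```python
import re
from html.parser import HTMLParser

# Hidden-input names that leak a person document's internet password hash when
# names.nsf is readable anonymously (names as shown in the slide's page source).
HASH_FIELDS = ("HTTPPassword", "dspHTTPPassword")
# Hash shapes assumed here: "normal" = 32 hex chars (JtR lotus5);
# "more secure" = "(G" + 20 chars + ")" (JtR dominosec).
LOTUS5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
DOMINOSEC_RE = re.compile(r"^\(G[^\s()]{20}\)$")

class _HiddenInputs(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in the document."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def classify_hash(value):
    """Map a stored hash string to the format name the slides use for it."""
    if LOTUS5_RE.match(value):
        return "normal (lotus5)"
    if DOMINOSEC_RE.match(value):
        return "more secure (dominosec)"
    return "unknown"

def audit_person_document(html):
    """Report whether a person document's source exposes hash fields, and in which format."""
    parser = _HiddenInputs()
    parser.feed(html)
    exposed = {k: v for k, v in parser.fields.items() if k in HASH_FIELDS and v}
    return {
        "user": parser.fields.get("FullName", "").split(";")[0].strip(),
        "exposed": bool(exposed),
        "formats": sorted({classify_hash(v) for v in exposed.values()}),
    }
# Constructed samples (not real hashes): one leaking document, one with the field withheld.
CONSTRUCTED_HASH = "(G" + "A" * 20 + ")"
SAMPLE_EXPOSED = (
    '<input name="FullName" type="hidden" value="Jane Doe/EXAMPLE; Jane Doe">'
    '<input name="ShortName" type="hidden" value="jdoe">'
    f'<input name="HTTPPassword" type="hidden" value="{CONSTRUCTED_HASH}">'
    f'<input name="dspHTTPPassword" type="hidden" value="{CONSTRUCTED_HASH}">'
)
SAMPLE_CLEAN = '<input name="FullName" type="hidden" value="Jane Doe/EXAMPLE; Jane Doe">'
```

Run it against the source of a person document fetched without credentials; any result with `"exposed": True` means the anonymous ACL entry on names.nsf needs fixing regardless of which format the hash is in.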
- 21. Targeting “Interesting” Users
Once you have cracked some passwords you should be able to authenticate and access catalog.nsf
If “internet authentication” is set to “Fewer name variations with higher security” you need to use the full canonical username: Joe King/hacker
catalog.nsf contains a list of all databases on the server + access control information
The “By Name” view will give you a list of databases your user can access
- 24. Check group members in names.nsf
JTR popped this one earlier!
- 25. Getting More Access – Running Commands
webadmin.nsf allows an administrator to run server commands.
- 26. Getting More Access
You can run O/S commands using “load” but can’t see the results when using quick console.
For some reason writing output to a web accessible directory didn’t work on Linux
Solution: upload a Notes database shell!
- 27. Introducing shell.nsf aka D99Shell
You may get a certificate error after uploading..
- 30. Demo: Breaking In!
Oh Noez! U R demoin dis live!?!
- 31. Breaking in from the Inside - Objectives
Find ID files on the network
Crack passwords
Get into the NAB on the server
Find ID files with higher levels of access
Pw0nage!
- 32. Are Employees the Biggest Threat?
“Many breaches of security are done by insiders”
- Katherine Spanbauer, Domino senior product manager
- 33. Gaining A Toehold
Since R5 you need an ID file to access the client
ID file needs to be valid and not in a “deny access” group in the NAB.
Shared directories FTW!
- 34. Gaining A Toehold
It used to be hard to crack native Notes passwords!
There are a number of products available to crack ID file passwords
Huge thanks to Nataly at Passware for the software* being used in the following demo..
* http://www.lostpassword.com
- 35. Demo: Notes ID Password Cracking
I can haz beerz after, right?
- 36. We’re going after the payroll
Our freshly cracked ID file gives catalog.nsf & names.nsf access
- 37. Check the NAB (names.nsf) for group members
Oops!
- 39. Client-side Tricks
Spoofing mail..
Removing restrictions of local access
LotusScript can access the Windows API!
Declare Function GetClipboardData Lib "User32" (Byval wFormat As Long) As Long
- 40. Mail spoofing; getting a payrise!
SMTP mail can be easily spoofed using telnet but document properties are a dead giveaway
- 41. The Spoof Memo Form
This is all that is required:
[Form design shown on the slide; not reproduced here]
- 42. The result
Create a new mail using the evil form and copy/paste it into the mail.box database on the spoofed user’s server
[Screenshots from the slide, captioned “Looks Good..” and “The only giveaway..”]
- 43. Local Access Protection
Lotus Notes has an ACL setting to “Enforce consistent ACL”
Opening a “protected” database locally gives an error like this:
[Screenshot of the error dialog from the slide; a second dialog is marked “Not this ->”]
- 44. I Can’t Access It Locally Eh!
There are companies out there selling various unlock solutions
Prices for software range from $49 to $657!!
I’ve tested a few versions of these “life saving” products..
One of them changed 4 bytes, another changed 6!
- 45. I Can’t Access It Locally Eh!
I mentioned to colleagues @ IBM in 2004 that you could change 1 byte to remove protection
These apps are doing 75% too much work!
Sorry guys, the secret’s out:
Changing 0x000002C4 from 20 to 00 could save $700!
- 46. Tool release
Local Access Protection Deprotector And No Cash Expected
- 47. Tool release: lapdance
Local Access Protection Deprotector And No Cash Expected (lapdance.pl)
Written in Perl (badly), gives some info about the database and can add and remove protection
Available from https://www.secquest.co.uk/tools/lapdance.pl
- 48. Tool release: lapdance
Local Access Protection Deprotector And No Cash Expected (lapdance.pl)
Support for ODS versions 16, 17, 20, 41, 43, 48 and 51 (ie. everything from V2 to V8.5)
Will display database protection and encryption flags information
Can add and remove local access protection
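An added, read-only audit for slides 43 to 48 (example code written here, not lapdance.pl and not from the talk): it checks the header byte the slide names, 0x000002C4, for the 0x20 flag and lists local .nsf replicas, so an admin can see which copies on shared drives or laptops rely on a flag that a one-byte edit removes and should instead be covered by the database encryption layer. It assumes the slide’s “20” is the hex byte 0x20 and that the offset holds for the ODS versions in use; the zero-filled header used for testing is a constructed fixture, not a real database.

```python
import io
import os

# Header offset and flag value as stated on the slide ("0x000002C4 from 20 to 00").
# Assumed here to mean byte 0x2C4 with bit 0x20 set; not verified across ODS versions.
LOCAL_ACL_FLAG_OFFSET = 0x2C4
LOCAL_ACL_FLAG_BIT = 0x20

def enforce_consistent_acl_set(fp):
    """True if the 'Enforce consistent ACL' bit is set in the header of an open .nsf.
    fp is a binary file-like object; it is only read, never written."""
    fp.seek(LOCAL_ACL_FLAG_OFFSET)
    byte = fp.read(1)
    if len(byte) != 1:
        raise ValueError("file too short to hold an NSF header")
    return bool(byte[0] & LOCAL_ACL_FLAG_BIT)

def audit_directory(path):
    """Walk path and return (file, flag_set) for every .nsf found.
    A clear flag means the local replica has no local access protection at all; a set
    flag means it relies on a single header bit, so the real control for data on laptops
    and shared directories is local database encryption, not this flag."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".nsf"):
                continue
            full = os.path.join(root, name)
            with open(full, "rb") as fp:
                try:
                    findings.append((full, enforce_consistent_acl_set(fp)))
                except ValueError:
                    findings.append((full, None))  # too short to be a database
    return findings

def make_constructed_header(flag_set, size=0x400):
    """Constructed test fixture: a zero-filled blob with only the flag byte populated.
    This is not a real NSF and exists only so the check can be exercised offline."""
    buf = bytearray(size)
    if flag_set:
        buf[LOCAL_ACL_FLAG_OFFSET] = LOCAL_ACL_FLAG_BIT
    return io.BytesIO(bytes(buf))
```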
- 49. Demo: Removing Database Protection!
Ohalp! Prayrz 2 Ceilin Cat dat dis workz!
- 50. To Finish..
“In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in. This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.”