Toppling Domino - 44CON 2012

  1. 44Con 2012: Toppling Domino. Testing security in a Lotus Notes environment
     SecQuest Information Security
     Written & presented by Darren Fuller, SecQuest Information Security Ltd.
     © 2012 SecQuest Information Security Ltd.
  2. About this Presentation (44Con: London, September 2012)
     This presentation was originally given at 44Con 2012 in London and had a number of interactive demos which obviously cannot be included. If you or your company would like further information about Domino security or to arrange a re-run of this talk on your premises please contact us. https://www.secquest.co.uk Tel: 0845 19 31337
  3. Who Am I? Darren Fuller
      Lotus PCLP* (* Domino R5)
      Security Consultant
      Ex IBM Notes developer
      Ex IBM EMEA X-Force
      Run a company called SecQuest
      Been using Notes since V3 on IBM OS/2
  4. What I’m Talking About Today
     “Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community. In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in. This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.”
  5. Typical!
      Nothing about Notes/Domino for a while, then William Dawson talked about it at BSides Vegas this year!
      Interesting talk about Domino hashes, which we’ll cover in a bit of detail later
      Link to talks: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2012/mainlist
  6. Used By…
      More than half of Fortune 100 companies & more
  7. Lotus Notes/Domino: History
      Created by Ray Ozzie/Iris Associates
      V1 shipped in 1989
      Included public key cryptography
      3 major editions available in the early days
      V8.5.4 is currently in beta
  8. Crypto Background Information
      US Edition used 64 bit keys
      International keys restricted to 40 bits due to US export rules before 1997
      Deal with US .gov to allow 64 bit international keys after 1997, providing they had the first 24 bits
      France didn’t like this! A French edition was made with 40 bit encryption keys
      These days 128 and 256 bit AES can be used
  9. Security Overview
      ID Files
      Database ACL (Access Control List)
      Execution Control List (ECL)
      NAB Groups
  10. Security Overview – Encryption Layers
      Database Encryption
      Document Encryption
      Field Encryption
      Transport Layer Encryption
  11. C’mon! We’re h4X0rs..
      Can we whack it?
  12. Yes we Can!
      Examples given in this presentation are based on “real world” tests.
      These techniques have been used a number of times to compromise various client sites.
      Obviously root is nice, but the data is the thing to go for; the right Notes user will give you the keys to the kingdom!
  13. Breaking In Externally – What to look for
      names.nsf database with anonymous access
      domlog.nsf with anonymous access
      webadmin.nsf (you’ll be lucky!)
  14. Checking out the /hacker Domain
      Anonymous access to domlog.nsf can give you a session ID; these default to 30 minute expiry
  15. NAB Access!
  16. Because..
      The admins have messed up and granted anonymous “reader” access
  17. HTTPPassword in Document Source
      Vulnerability documented in 2005
      Still overlooked by a lot of admins
  18. HTTPPassword in Document Source
      <input name="FullName" type="hidden" value="Milexa Crozzd/hacker; Milexa Crozzd">
      <input name="ShortName" type="hidden" value="milexa">
      <input name="HTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">
      <input name="dspHTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">
      Metasploit can automate hash gathering
  19. Cracking Passwords
      Grab password hashes from the document source
      Domino has two types of password hashes for internet passwords: “normal” and “more secure”
      Use JTR with Jumbo Patch: “normal” = “lotus5”, “more secure” = “dominosec”
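The exposure on slides 17 to 19 comes down to one question an administrator can answer from a saved copy of a person document served over HTTP: are the HTTPPassword and dspHTTPPassword hidden fields present in the HTML, and if so, which of the two hash families named on slide 19 is in use? The following audit helper is an added example, not code from the talk or from SecQuest. The sample page is constructed from the hidden inputs shown on slide 18, and the shape-based classification (32 hex characters for the unsalted “normal” hash, a 20-character value in parentheses for the “more secure” hash) is an assumption of this example rather than something the slides state.

```python
"""Audit helper for the HTTPPassword exposure on slides 17 to 19.

Added example, not code from the talk: parses a saved copy of a person
document's HTML and reports whether the HTTPPassword / dspHTTPPassword
hidden fields are present, and which of the two hash families named on
slide 19 the value appears to be. Sample HTML is constructed.
"""
import re
from html.parser import HTMLParser

# Constructed sample page, built from the hidden inputs shown on slide 18.
SAMPLE_PERSON_DOC_HTML = """
<html><body><form method="post">
<input name="FullName" type="hidden" value="Milexa Crozzd/hacker; Milexa Crozzd">
<input name="ShortName" type="hidden" value="milexa">
<input name="HTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">
<input name="dspHTTPPassword" type="hidden" value="(GbZjMLBTiHzBXtS0TcIl)">
</form></body></html>
"""

# Fields whose presence in an anonymously served page is the finding.
SENSITIVE_FIELDS = {"HTTPPassword", "dspHTTPPassword"}

# Shape-based classification (assumption, not from the talk): the "normal"
# hash is 32 hex characters and unsalted; the "more secure" hash is a
# 20-character value wrapped in parentheses. Anything else is reported as
# "unknown" rather than guessed.
NORMAL_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
MORE_SECURE_HASH_RE = re.compile(r"^\([A-Za-z0-9+/]{20}\)$")


class HiddenInputCollector(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in the page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("type", "").lower() == "hidden" and attr.get("name"):
            self.hidden[attr["name"]] = attr.get("value", "")


def classify_hash(value):
    """Label a hash value by shape: 'normal', 'more secure' or 'unknown'."""
    if NORMAL_HASH_RE.match(value):
        return "normal"
    if MORE_SECURE_HASH_RE.match(value):
        return "more secure"
    return "unknown"


def audit_person_doc(html):
    """Return one finding per leaked password field, sorted by field name."""
    collector = HiddenInputCollector()
    collector.feed(html)
    user = collector.hidden.get("ShortName", "")
    findings = []
    for name in sorted(collector.hidden):
        value = collector.hidden[name]
        if name in SENSITIVE_FIELDS and value:
            findings.append({"field": name, "user": user,
                             "hash_type": classify_hash(value)})
    return findings


if __name__ == "__main__":
    for f in audit_person_doc(SAMPLE_PERSON_DOC_HTML):
        print(f"LEAK: field {f['field']} for user {f['user']!r} "
              f"({f['hash_type']} hash)")
```

Any finding at all means the names.nsf ACL is letting unauthenticated web users read person documents (slide 16); a “normal” finding additionally means the directory is still storing the older unsalted format.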
  20. Cracking Passwords: results
  21. Targeting “Interesting” Users
      Once you have cracked some passwords you should be able to authenticate and access catalog.nsf
      If “internet authentication” is set to “Fewer name variations with higher security” you need to use the full canonical username: Joe King/hacker
      catalog.nsf contains a list of all databases on the server + access control information
      The “By Name” view will give you a list of databases your user can access
  22. Targeting “Interesting” Users
  23. Access Control List Info
  24. Check group members in names.nsf
      JTR popped this one earlier!
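Slides 13, 16 and 21 to 24 all reduce to two review questions: which sensitive databases grant Anonymous or -Default- access of Reader or better, and what a given user can actually reach once NAB group membership (including nested groups) is expanded. The script below is an added example, not code from the talk or from SecQuest. Both inputs are constructed for this example (a real review would export the ACLs from catalog.nsf and the group documents from names.nsf), and it applies Domino’s ACL precedence rule: an explicit user entry wins, otherwise the highest level among matching groups, otherwise -Default-; the Anonymous entry never applies to a named user.

```python
"""Effective-access review for Domino ACLs (added example, not from the talk).

Covers the checks behind slides 13, 16 and 21 to 24: which sensitive
databases grant Anonymous or -Default- Reader-or-better access, and what a
given user reaches once NAB group membership (nested groups included) is
expanded. Both inputs are constructed; a real review would export ACLs from
catalog.nsf and group documents from names.nsf.
"""

# Domino ACL levels in ascending order of privilege.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]
SENSITIVE_DBS = {"names.nsf", "domlog.nsf", "webadmin.nsf", "catalog.nsf"}
PUBLIC_ENTRIES = {"Anonymous", "-Default-"}

# Constructed ACL export, one "database|entry|level" line per ACL entry.
ACL_EXPORT = """\
names.nsf|-Default-|No Access
names.nsf|Anonymous|Reader
names.nsf|LocalDomainAdmins|Manager
domlog.nsf|Anonymous|Reader
webadmin.nsf|Anonymous|No Access
webadmin.nsf|LocalDomainAdmins|Manager
payroll.nsf|-Default-|No Access
payroll.nsf|HR-Payroll|Editor
"""

# Constructed NAB group documents; a member may itself be a group.
GROUPS = {
    "LocalDomainAdmins": ["Domino Admin/hacker"],
    "HR-Payroll": ["Finance-Staff", "Pay Roll/hacker"],
    "Finance-Staff": ["Joe King/hacker", "Milexa Crozzd/hacker"],
}


def rank(level):
    return ACL_LEVELS.index(level)


def parse_acl(text):
    """Return {database: {entry: level}}; unknown levels are rejected."""
    acl = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        db, entry, level = (part.strip() for part in line.split("|"))
        if level not in ACL_LEVELS:
            raise ValueError(f"unknown ACL level {level!r} on {db}")
        acl.setdefault(db, {})[entry] = level
    return acl


def expand_group(name, groups, seen=None):
    """Flatten a group to its user members, visiting each nested group once."""
    seen = set() if seen is None else seen
    seen.add(name)
    members = set()
    for member in groups.get(name, []):
        if member in groups:
            if member not in seen:
                members |= expand_group(member, groups, seen)
        else:
            members.add(member)
    return members


def anonymous_access_findings(acl):
    """Sensitive databases where Anonymous or -Default- has Reader or better."""
    findings = []
    for db in sorted(acl):
        if db not in SENSITIVE_DBS:
            continue
        for entry, level in acl[db].items():
            if entry in PUBLIC_ENTRIES and rank(level) >= rank("Reader"):
                findings.append((db, entry, level))
    return findings


def effective_access(acl, groups, user):
    """Level the user holds on each database: explicit entry wins, then the
    highest matching group entry, then -Default-. Anonymous never applies."""
    result = {}
    for db, entries in acl.items():
        if user in entries:
            result[db] = entries[user]
            continue
        best = None
        for entry, level in entries.items():
            if entry in groups and user in expand_group(entry, groups):
                if best is None or rank(level) > rank(best):
                    best = level
        result[db] = best if best is not None else entries.get("-Default-", "No Access")
    return result


if __name__ == "__main__":
    acl = parse_acl(ACL_EXPORT)
    for db, entry, level in anonymous_access_findings(acl):
        print(f"FINDING: {db} grants {entry} {level}")
    for db, level in sorted(effective_access(acl, GROUPS, "Joe King/hacker").items()):
        print(f"Joe King/hacker on {db}: {level}")
```

In the constructed data the two findings are exactly the misconfigurations slides 13 and 16 rely on, and the group expansion shows that a low-value account (Joe King/hacker) reaches payroll.nsf as Editor through a nested group, which is what the group-membership check on slide 24 surfaces.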
  25. Getting More Access – Running Commands
      webadmin.nsf allows an administrator to run server commands.
  26. Getting More Access
      You can run O/S commands using “load” but can’t see the results when using quick console.
      For some reason writing output to a web accessible directory didn’t work on Linux
      Solution: upload a Notes database shell!
  27. Introducing shell.nsf aka D99Shell
      You may get a certificate error after uploading..
  28. D99Shell in action!
  29. Also works on Windows servers
  30. Demo: Breaking In!
      Oh Noez! U R demoin dis live!?!
  31. Breaking in from the Inside - Objectives
      Find ID files on the network
      Crack passwords
      Get into the NAB on the server
      Find ID files with higher levels of access
      Pw0nage!
  32. Are Employees the Biggest Threat?
      “Many breaches of security are done by insiders” - Katherine Spanbauer, Domino senior product manager
  33. Gaining A Toehold
      Since R5 you need an ID file to access the client
      ID file needs to be valid and not in a “deny access” group in the NAB.
      Shared directories FTW!
  34. Gaining A Toehold
      It used to be hard to crack native Notes passwords!
      There are a number of products available to crack ID file passwords
      Huge thanks to Nataly at Passware for the software* being used in the following demo..
      * http://www.lostpassword.com
  35. Demo: Notes ID Password Cracking
      I can haz beerz after, right?
  36. We’re going after the payroll
      Our freshly cracked ID file gives catalog.nsf & names.nsf access
  37. Check the NAB (names.nsf) for group members
      Oops!
  38. The result..
  39. Client-side Tricks
      Spoofing mail..
      Removing restrictions of local access
      LotusScript can access the Windows API!
        Declare Function GetClipboardData Lib "User32" (Byval wFormat As Long) As Long
  40. Mail spoofing; getting a payrise!
      SMTP mail can be easily spoofed using telnet, but document properties are a dead giveaway
  41. The Spoof Memo Form
      This is all that is required:
  42. The result
      Create a new mail using the evil form and copy/paste it into the mail.box database on the spoofed user’s server
      The only giveaway..
      Looks Good..
  43. Local Access Protection
      Lotus Notes has an ACL setting to “Enforce consistent ACL”
      Opening a “protected” database locally gives an error like this:
      Not this ->
  44. I Can’t Access It Locally Eh!
      There are companies out there selling various unlock solutions
      Prices for software range from $49 to $657!!
      I’ve tested a few versions of these “life saving” products..
      One of them changed 4 bytes, another changed 6!
  45. I Can’t Access It Locally Eh!
      I mentioned to colleagues @ IBM in 2004 that you could change 1 byte to remove protection
      These apps are doing 75% too much work!
      Sorry guys, the secret’s out: Changing 0x000002C4 from 20 to 00 could save $700!
  46. Tool release
      Local Access Protection Deprotector And No Cash Expected
  47. Tool release: lapdance
      Local Access Protection Deprotector And No Cash Expected (lapdance.pl)
      Written in Perl (badly), gives some info about the database and can add and remove protection
      Available from https://www.secquest.co.uk/tools/lapdance.pl
  48. Tool release: lapdance
      Local Access Protection Deprotector And No Cash Expected (lapdance.pl)
      Support for ODS versions 16, 17, 20, 41, 43, 48 and 51 (i.e. everything from V2 to V8.5)
      Will display database protection and encryption flags information
      Can add and remove local access protection
  49. Demo: Removing Database Protection!
      Ohalp! Prayrz 2 Ceilin Cat dat dis workz!
  50. To Finish..
      “In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in. This will cover security issues from the point of view of the web server, native Domino server and demonstrate some tricks you can use from the client side of things.”
  51. @UKFully @SecQuest