April 2nd, 2003, 05:02 PM
I am doing a pentest and have access to among others admin4.nsf. I have access to a window with the title: CROSS DOMAIN REQUEST CONFIGURATION. What can I do here? anything exciting? I have access to stacks of system databases but don't really know what to do with them due to my lack of Lotus knowledge.
Any help would be of much help!!
Thanks in advance.
April 2nd, 2003, 05:20 PM
Is the penetration test authorized? Does your "target" know that you are testing their security defenses?
From what I can find the admin4.nsf is a database of administration requests. I am not sure how useful or sensitive the information in the database is.
The Cross Domain Request Configuration seems to allow for setting up a replica database on another domain.
With proper knowledge of Lotus Notes and / or database hacking techniques I would think you should be able to view individual emails and calendar / contact data stored on the server.
However, it seems to me from a penetration testing point of view you may have already proved the point. If you can get to the system and see the database files at all in the first place it seems that you succeeded in penetrating the defenses of the server. I don't believe yo need to actually crack the databases and view the internal information to prove that you have penetrated the server.
Can you clarify the goal or purpose of your penetration test?
April 2nd, 2003, 05:27 PM
>> tonybradley thanks for your response.
Yes the owners of the server are aware of my actions.
Well, I wish to get a little deeper into the system really - create a user account and/or as you mentioned, reading calender details would be super. As I said, my knowledge of Lotus is a little thin unfortunately - any help would be of much help.
Thanks in advance!