Lotus Notes Password Hash
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Lotus Notes Password Hash

  1. #1
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185

    Lotus Notes Password Hash

    Hello,

    I had an interesting discussion today I would like to share to see if anyone has seen this before.

    It seems in "names.nsf" file on a Notes server, the password hashes of the users listed can be seen. This can be done in numerous ways:

    - By looking at the names.nsf in a browser window
    - By looking at the source of names.nsf in an editor
    - By looking up the address book itself and creating a view with the HTTPPassword field
    - By exporting idvidual users in Notes and viewing this in text form

    This is disturbing to me in more ways than one. I do not know if this hash is "crackable", and frankly am a little scared to find out.

    Has anyone seen this before? What have you done? What CAN be done?

    Thanks,
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Dang! I didn't know anyone still used Lotus Notes. Your issue may depend on the version of Notes running on your systems. At one point there were problems with the user and password security in Notes, as well as the ability to pass confidential documents to the entire world (that used Notes anyway).

    Lotus Notes is currently at version 7, according to the IBM web site. Do you know the version you are working with?

  3. #3
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    I am running 6.5.x on my machine right now.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  4. #4
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Dang! I didn't know anyone still used Lotus Notes. Your issue may depend on the version of Notes running on your systems. At one point there were problems with the user and password security in Notes, as well as the ability to pass confidential documents to the entire world (that used Notes anyway).
    rapier57 - Ok - I'll bite - what do you use? No - really, we use Notes here as well and we're kind of a large company, so I would like to know what else is out there that ppl can use over Notes that works better. If it's better than Notes, I would like to know so I can ask our Notes group if they have looked at that/those product(s).

    Deeboe - Ok - does the team/group/oompah-loompahs - heh that support Notes know about this possible exploit you came across? What about IBM?
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    I found several places detailing this:
    But... this one seems nice.

    http://www.venera.com/downloads/Lotu...isclosures.pdf

    Also, this may be of some interest to you.

    http://www.securityfocus.com/bid/14389/info

    Also this...

    http://www.securityfocus.com/bid/14388/info

    If they are the same thing.... then

    Solution:
    Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.
    Search the securityfocus vulnerability database for more info on notes vulerabiliites.

    According to those vuln descriptions... it should be pretty easy to get the hash and then brute force it....
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    I think they broke down into tears and rolled into a ball.

    Actually, they were a little freaked out (understandable) and were not sure how to handle it. I haven't heard an update yet.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  7. #7
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    OK, looks like it is a known issue. I didn't find anything on the IBM site, and the SecurityFocus notes indicate that it is not version specific. The exposure seems to be only available if the user has a valid Notes account. So, we don't need to worry about internal threats, right?

    GenXer: No, I don't have anything to share on that. Hell, I still use Borland SideKick. Sorry, I shoulda put a <sarcasm on> flag on that comment.

  8. #8
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    OK, however I wonder how that works with an Internet browser... You shouldn't need a Notes ID to view the browser... do you?

    If you browse to the Names.nsf file on the web, you can see them there as well. Now, a good compnay will keep those on the Intranet, but that doen't mean SQUAT when you think about it.

    Thoughts?

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Sorry mate,

    It took me a while to have a "thunk" and find what I was looking for..................I am afraid I haven't used Notes for a while: here is your answer such as there is one:

    http://www.securiteam.com/securitynews/5FP0E15GLQ.html

    Hope that helps

    Also, longer passwords and stronger passwords and change them regularly. "Out of the box" it is rather vulnerable to dictionary attacks.

    The lack of a "salt" also means that any given password always gets the same hash (I seem to recall it is some sort of Lotus bastardisation of RC4, but I could be wrong) so you are vulnerable to "rainbow tables" as precomputation is easy.

    Hope that helps

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    That depends, DeeBoe. If you are browsing to the file from the network (authenticated in the domain) you probably can see it. If you are browsing to the file from an unauthenticated system, outside the network, you should not be able to see it. If you can, that may be why your Notes admins are having spasms on the floor.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •