Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: lotus notes id file

  1. #1

    lotus notes id file

    hi all,

    i'm looking for a way to get the password ( or change it ) from a lotus notes id file...
    i've opened it with a hex-editor, but haven't found anything usefull, except my username and my company..

    any ideas of how to do this?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    A quote from here:
    > However, has anyone been able to decrypt these files
    > yet to get the password. Even by brute force?

    I am not aware of any available tools to brute force a Notes ID file. Many
    people ask (see USENET), but there are no tools. There is also a lack of
    information available on what crypto algo's Notes is using. This obscurity
    is surely partly to thank for the lack of tools, but if someone puts some
    work into it, the algo will surely go the way of other proprietary algo's
    (read: broken).
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    I have used Notes for around 8 years and am not aware of a way. It is hardly surprising given that it is an expensive corporate system, whose functionality is mostly internal to the corporation.

    Why would you want to do such a thing anyway?

    As I see it:

    1. User owns files
    2. Notes administrator owns user
    3. Notes administrator changes User password
    4. Notes administrator owns files.

    Otherwise you are faced with security through obscurity and cost.

    Just my thoughts

  4. #4
    it is possible, that's for sure. i've found a demo which can recover the first 2 characters in a few seconds...


    as for why, because i'm so stupid to forget my password after changing it yesterday, and my administrator is not at work cause he just got a baby, he'll be back in one week, but there are some mails i need really bad, so i can't wait another week!!!

    as for the tool above, it is a demo, so it only shows the first 2 characters of my password, but with that i can not remember it yet...

    to buy the tool will cost me 195 US dollars, and that's pretty expensive for just one password!!!

    so if anybody know about how to solve this problem, please let me know!

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    it is possible, that's for sure
    Please do not get me wrong, I never implied that it was impossible, just very difficult or expensive, given the obvious solution that I suggested. Any, all and every security system can be broken, unless it is a destructive one.

    Can you remember anything about your password?...........how many characters? was it a word/mix of words or just random characters, mixed case, numbers and symbols?

    IMHO unless you have some "intelligence agency strength" kit a strong password will take weeks to bruteforce........which is how it should be?............if I could tell you how to do it then anyone else could do it, and your system would not be secure............the lock that keeps out the burglar will also keep you out, or it is not worth having?

    I find it odd that your administrator is away without someone to deputise who knows what to do and has the admin password? For "odd" read bloody stupid and incompetent!

    If you want the e-mails, do you know who they are from?..........get them to resend...........was anyone else on the distribution list?, ask them to forward you a copy.

    My answer remains the same: it is probably impossible, within a reasonable timeframe,
    that is.

    Cheers

    EDIT: A word of advice............get rid of that demo software..........some people just might not understand

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You could analyze that tool with another demotool (IDAPro) to see how they did it.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Can you remember anything about your password?...........how many characters? was it a word/mix of words or just random characters, mixed case, numbers and symbols?
    yes they are random characters, i never use words or anything for such important things...
    only thing ive found were that with the demo it is around 10-12 characters and the first two are "st" so that doesn't help much

    I work at a pretty small company, and that's why we only have one administrator...
    i've told them several times that that's not enough, and i would be glad to be a junior administrator here, but then you get the response that that's not possible due to the headcount....

    as for the emails, they're from various customers, of which i don't know the adress by memory, so that doesn;t help a lot either.. i've tracked down one and let him resent his, but all the others are still unreachable...

    as for the demo link, i've removed it

    You could analyze that tool with another demotool (IDAPro) to see how they did it.
    i've tried that, but i know too little about assembly yet to know how it exactly works...
    i'm still learning for it though...

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm

    I would be skeptical about the first two characters...........probably marketing BS. I had a look at the site and seem to recall that it will only crack 6 character passes anyway? I also notice that it does a dictionary attack as well............a bit lame?

    I have seen several bruteforce proggys but they will only go to 8 characters. I have given internal demonstrations of this sort of thing to get the users more security and password aware. A half decent password will take several days if not weeks.............10-12 random characters and you are looking at needing Intelligence or Law Enforcement type tools and taking weeks/months.

    My experience of numerous high security sites is that a password change is only forced every 28 days, which gives you an idea of anticipated timescales?

    Doesn't your admin have remote access capabilities, couldn't you phone him?

    Just had a thought.............when you set up your account, didn't you create a 3.5" diskette?.......that will get round your password problem, but you will probably need the administrator to activate your account again.

    I honestly don't think that you can do anything in the timescales you mention. You will either have to contact the administrator or wait for him to come back?

    Cheers

  9. #9
    i didn't create a recuedisk, so that doesn't help..

    i know that the first 2 characters may not be the real ones, but i've used software of the same company before, and i have to tell it works great!

    so i believe that that tool will work, but it just cost to much!

    dunno if my admin has remote access, i'l go and check it out...

    isn't there any possibilitie by chance to use someone elses id file, edit it so that it can open my database?
    just a thought...

    i'll keep searching though. even if i find a solution, i'm still interested now in how to get past the security of the id-file....

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, lets look at this logically?

    1. I doubt if the software will work on a strong pass of 10-12 characters. That is a marketing thing, people buy this stuff and expect a result in a few hours at the most? It won't do it, this will take days on the best kit you can get. People will give up and say "that stuff is a rip off..............it doesn't work" So it won't let you run it for the days/weeks required?

    Technically it will work................it is just the timing/marketing thing

    2. You cannot use someone elses ID to access your private files, but I am wondering if they really are private? You are in a business environment right? and these are mails from customers. If I had set your Notes up, the files would all be together but just divided into folders for ease of use. I would not normally protect the folders against other users as you should all be equally trusted?

    3.
    i'll keep searching though. even if i find a solution, i'm still interested now in how to get past the security of the id-file.
    Don't be silly.................you already know..............it is the time & resource thing that is the issue.

    I would look at whether your mail is actually private, or if there is communal access?

    Cheers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •