|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: DSquare Security (info
d2sec.com)
Date: Mon Oct 27 2008 - 17:48:04 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
There are several ways to get a Lotus Notes ID during a pentest
(access to a share with all the IDs, client side exploitation, ...)
After that, if needed, you can crack the password ID with commercial
or free tools (ID Password Recovery for example)
So what can you do with an admin ID? Potentially two things:
1) Compromise the Lotus Notes server
2) Compromise the computer of the Lotus Notes clients
D2Lotus is designed to help you in this kind of work. Here are two
demonstrations of this tool:
1) Remote code execution on a Lotus Notes server:
http://www.d2sec.com/d2lotus_1.htm
2) Remote code execution on computer user via Lotus Notes Client:
http://www.d2sec.com/d2lotus_2.htm
This tool will be released in the next update of D2 Exploitation Pack.
--
DSquare Security, LLC
http://www.d2sec.com
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]