Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: OBrien, Brennan (BOBriencolumbia.com)
Date: Wed Jan 30 2002 - 11:04:18 CST
Sure do. Excellent tool for enumeration. Same holds true for OWA for
exchange. This gives me the ability, over time, to guess out how the
usernames are formed, and provides me with an externally available tool
for initial password guessing.
From: nicobnicob.net [mailto:nicobnicob.net]
Sent: Wednesday, January 30, 2002 8:55 AM
Subject: Enumerating users on a Domino webserver
during a pen-test against a Domino 5.0.8 webserver, I was able to
enumerate valid users.
A simple "GET /mail/toto.nsf HTTP/1.0" redirects to the login page (with
a "200 OK"
HTTP code) if the user "toto" exists and a "404 File not Found" is
returned if the user
This issue can allow a faster brute force attack on HTTP passwords.
I have search the Net for more information about this problem, but I
Can the readers reproduce this behaviour ?
Do you see others implications than users enumeration (for social
engineering and brute
force attacks) ?