File http-domino-enum-passwords

脚本使用类型: portrule
脚本所属分类: intrusive, auth
脚本下载地址: http://nmap.org/svn/scripts/http-domino-enum-passwords.nse

User Summary

Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document.

Script Arguments

domino-enum-passwords.hostname

sets the host header in case of virtual hosting

domino-enum-passwords.password

Password for HTTP auth, if required

domino-enum-passwords.count

the number of internet hashes and id files to fetch. If a negative value is given, all hashes and id files are retrieved (default: 10)

domino-enum-passwords.path

points to the path protected by authentication

domino-enum-passwords.username

Username for HTTP auth, if required

domino-enum-passwords.idpath

the path where downloaded ID files should be saved If not given, the script will only indicate if the ID file is donwloadable or not

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

Example Usage

执行格式

nmap --script domino-enum-passwords -p 80 <host> --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret

This script attempts to enumerate the password hashes used to authenitcate
to the Lotus Domino Web interface. By default, these hashes are accessible
to every authenticated user. Passwords are presented in a form suitable for
running in John the Ripper. 

The format can in two forms (http://comments.gmane.org/gmane.comp.security.openwall.john.user/785):
1. Saltless (legacy support?)
Example: 355E98E7C7B59BD810ED845AD0FD2FC4
John's format name: lotus5
2. Salted (also known as "More Secure Internet Password")
Example: (GKjXibCW2Ml6juyQHUoP)
John's format name: dominosec

In addition the script can be used to download
any ID files attached to the Person document.

It appears as if form based authentication is enabled, basic authentication
still works. Therefore the script should work in both scenarios. Valid
credentials can either be supplied directly using the parameters username 
and password or indirectly from results of http-brute or http-form-brute.

Script Output

PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack
| domino-enum-passwords:  
|   Information
|     Information retrieved as: "Jim Brass"
|   Internet hashes (salted, jtr: --format=DOMINOSEC)
|      Jim Brass:(GYvlbOz2idzni5peJUdD)
|      Warrick Brown:(GZghNctqAnJgyklUl2ml)
|      Gill Grissom:(GyhsteeXTr75YOSwW8mc)
|      David Hodges:(GZEJRHqJEVc5IZCsNX0U)
|      Ray Langston:(GE18MGVGD/8ftYMFaVlY)
|      Greg Sanders:(GHpdG/7FX7iXXlaoY5sj)
|      Sara Sidle:(GWzgG0kCQ5qmnqARL3cl)
|      Wendy Simms:(G6wooaElHpsvA4TPvSfi)
|      Nick Stokes:(Gdo2TJBRj1Ervrs9lPUp)
|      Catherine Willows:(GlDc3QP5ePFR38d7lQeM)
|   Internet hashes (unsalted, jtr: --format=lotus5)
|      Ada Lovelace:355E98E7C7B59BD810ED845AD0FD2FC4
|      John Smith:655E98E7C7B59BD810ED845AD0FD2FD4
|   ID Files
|      Jim Brass ID File has been downloaded (/tmp/id/Jim Brass.id)
|      Warrick Brown ID File has been downloaded (/tmp/id/Warrick Brown.id)
|      Gill Grissom ID File has been downloaded (/tmp/id/Gill Grissom.id)
|      David Hodges ID File has been downloaded (/tmp/id/David Hodges.id)
|      Ray Langston ID File has been downloaded (/tmp/id/Ray Langston.id)
|      Greg Sanders ID File has been downloaded (/tmp/id/Greg Sanders.id)
|      Sara Sidle ID File has been downloaded (/tmp/id/Sara Sidle.id)
|      Wendy Simms ID File has been downloaded (/tmp/id/Wendy Simms.id)
|      Nick Stokes ID File has been downloaded (/tmp/id/Nick Stokes.id)
|      Catherine Willows ID File has been downloaded (/tmp/id/Catherine Willows.id)
|   
|_  Results limited to 10 results (see domino-enum-passwords.count)

Requires

• http
• io
• nmap
• shortport
• stdnse
• table

Author: Patrik Karlsson

License: VER007 整理 http://www.ver007.com