Script http-domino-enum-passwords
Script types:
portrule
Categories:
intrusive, auth
Download: https://svn.nmap.org/nmap/scripts/http-domino-enum-passwords.nse
Script Summary
Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. Passwords are presented in a form suitable for running in John the Ripper.
The passwords may be stored in two forms (http://comments.gmane.org/gmane.comp.security.openwall.john.user/785):
- Saltless (legacy support?) Example: 355E98E7C7B59BD810ED845AD0FD2FC4 John's format name: lotus5
- Salted (also known as "More Secure Internet Password") Example: (GKjXibCW2Ml6juyQHUoP) John's format name: dominosec
It appears as if form based authentication is enabled, basic authentication still works. Therefore the script should work in both scenarios. Valid credentials can either be supplied directly using the parameters username and password or indirectly from results of http-brute or http-form-brute.
Script Arguments
- http-domino-enum-passwords.path
points to the path protected by authentication. Default:"/names.nsf/People?OpenView"
- http-domino-enum-passwords.password
Password for HTTP auth, if required
- http-domino-enum-passwords.idpath
the path where downloaded ID files should be saved If not given, the script will only indicate if the ID file is donwloadable or not
- http-domino-enum-passwords.username
Username for HTTP auth, if required
- http-domino-enum-passwords.count
the number of internet hashes and id files to fetch. If a negative value is given, all hashes and id files are retrieved (default: 10)
- http-domino-enum-passwords.hostname
sets the host header in case of virtual hosting. Not needed if target is specified by name.
- slaxml.debug
See the documentation for the slaxml library.
- creds.[service], creds.global
See the documentation for the creds library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-domino-enum-passwords -p 80 <host> --script-args http-domino-enum-passwords.username='patrik karlsson',http-domino-enum-passwords.password=secret
Script Output
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-domino-enum-passwords: | Information | Information retrieved as: "Jim Brass" | Internet hashes (salted, jtr: --format=DOMINOSEC) | Jim Brass:(GYvlbOz2idzni5peJUdD) | Warrick Brown:(GZghNctqAnJgyklUl2ml) | Gill Grissom:(GyhsteeXTr75YOSwW8mc) | David Hodges:(GZEJRHqJEVc5IZCsNX0U) | Ray Langston:(GE18MGVGD/8ftYMFaVlY) | Greg Sanders:(GHpdG/7FX7iXXlaoY5sj) | Sara Sidle:(GWzgG0kCQ5qmnqARL3cl) | Wendy Simms:(G6wooaElHpsvA4TPvSfi) | Nick Stokes:(Gdo2TJBRj1Ervrs9lPUp) | Catherine Willows:(GlDc3QP5ePFR38d7lQeM) | Internet hashes (unsalted, jtr: --format=lotus5) | Ada Lovelace:355E98E7C7B59BD810ED845AD0FD2FC4 | John Smith:655E98E7C7B59BD810ED845AD0FD2FD4 | ID Files | Jim Brass ID File has been downloaded (/tmp/id/Jim Brass.id) | Warrick Brown ID File has been downloaded (/tmp/id/Warrick Brown.id) | Gill Grissom ID File has been downloaded (/tmp/id/Gill Grissom.id) | David Hodges ID File has been downloaded (/tmp/id/David Hodges.id) | Ray Langston ID File has been downloaded (/tmp/id/Ray Langston.id) | Greg Sanders ID File has been downloaded (/tmp/id/Greg Sanders.id) | Sara Sidle ID File has been downloaded (/tmp/id/Sara Sidle.id) | Wendy Simms ID File has been downloaded (/tmp/id/Wendy Simms.id) | Nick Stokes ID File has been downloaded (/tmp/id/Nick Stokes.id) | Catherine Willows ID File has been downloaded (/tmp/id/Catherine Willows.id) | |_ Results limited to 10 results (see http-domino-enum-passwords.count)
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html