A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Thursday, 9 February 2012

Foxconn Lotus Domino Breakdown

Following Swagg Security's release of some Foxconn info (http://pastebin.com/DbHu7xCQ) I thought I'd take a quick look at the Lotus Notes stuff they posted whilst munching my sarnies. Please note that this is a quick (20 minute) crack/breakdown and not a week of real research!

The leaked "MailUsers.txt" file in the torrent contained two Domino hash formats: weak/unsalted (user1) and salted (user2):
user1:D3D44EED37928E47777F1B6C937F4068
user2:(GcE5LxKhZO5riNHlvasU)
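
For anyone auditing their own Domino directory export, the sketch below (an added example, not part of the original post or of any tool mentioned in it) sorts "user:hash" lines into the two formats shown above and lists the accounts still stored unsalted so they can be moved to the salted format. The regular expressions are assumptions inferred from the two sample hashes; the function names and the sample export are made up for illustration.

```python
import re
from collections import Counter

# Assumed patterns, inferred from the two sample hashes quoted in the post.
LEGACY_UNSALTED = re.compile(r"[0-9A-Fa-f]{32}")   # like user1: 32 hex digits
SALTED = re.compile(r"\(G[0-9A-Za-z+/]{19}\)")     # like user2: "(G" + 19 chars + ")"


def classify(hash_field):
    """Return 'unsalted', 'salted', 'empty' or 'unknown' for one hash field."""
    value = hash_field.strip()
    if not value:
        return "empty"
    if LEGACY_UNSALTED.fullmatch(value):
        return "unsalted"
    if SALTED.fullmatch(value):
        return "salted"
    return "unknown"


def audit(lines):
    """Count hash formats and collect the users still on the unsalted format."""
    counts, weak_users = Counter(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # Split on the last colon so a colon inside a user name survives.
        user, sep, hash_field = line.rpartition(":")
        kind = classify(hash_field) if sep and user.strip() else "malformed"
        counts[kind] += 1
        if kind == "unsalted":
            weak_users.append(user.strip())
    return counts, weak_users


# Constructed sample export: the first two lines are the hashes quoted in the
# post, the rest are invented to exercise the edge cases.
SAMPLE = """\
user1:D3D44EED37928E47777F1B6C937F4068
user2:(GcE5LxKhZO5riNHlvasU)
user3:
user4:not-a-domino-hash
no colon on this line
"""

if __name__ == "__main__":
    counts, weak = audit(SAMPLE.splitlines())
    print(dict(counts), "still unsalted:", weak)
```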


John the Ripper supports both of these hash types, so I ran the files through john using the "Rockyou" leaked dictionary.

Of the 7730 users that had an entry for password along with a valid username, just over 1800 password hashes were cracked with this dictionary. A breakdown of the top 10 passwords in use is below and seems to follow the "usual" pattern we see in these cases:

Count  Password
85     12345678
53     password
53     123456
15     1234
14     password123
13     123
12     888888
9      foxconn
7      init123
7      999999

Some things never change eh!

From this leaked info it looks as if one of their Domino Directory (names.nsf) files either allows anonymous access or has been dumped using a valid user.

Digininja has a bit of a breakdown of the non-Lotus related passwords here
