Munthe plus simonsen is in every regard a fashion design company (and a very good one, I might add), but they lack even the slightest grasp of data security. That is why munthe plus simonsen hired a company that specializes in IT solutions. As part of a course at the Technical University of Denmark (DTU) we did a penetration test of the system. We contacted munthe plus simonsen and got permission to enter the system (if we were able to). At the same time we were notified that they had told EDBGruppen to tighten the security. A real challenge, we thought.
After probing the system for a bit we were greeted by the login box shown below:
It should be noted that we acquired the IP of the system by cheating a little. But there are numerous ways to get an IP address, so the points in this article are still valid.
Apparently munthe plus simonsen were running a Lotus Domino system. Domino has a reputation for being very secure (it is developed by IBM after all), so we were initially somewhat disheartened. We did a lot of research on the system, and found that Lotus Domino was known to disclose far too much information. We could thus access a Lotus Domino file containing the usernames of everyone in munthe plus simonsen. Next to the usernames there was a blank column. By reviewing the source code of the file, we discovered that the blank column actually contained information, but it was "cleverly" "hidden" with the HTML attribute `type="hidden"`, as seen in the next screenshot.
Notice the link to the white paper containing the security flaws. Please do try to ignore the very Windows XP-ish operating system; I was young and didn't know better.
So far we had every username and corresponding password, but the passwords were of course stored in hashed form. However, Lotus Domino does not use a salt value when hashing, meaning that there is a direct link between the cleartext password and the stored string: the same password always produces the same hash, so one lookup table works for every user. In the image above the hashed string is highlighted; experienced pen testers will immediately spot that the cleartext equivalent is "password". We did have to do a Google search to spot that one.
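The two weaknesses above (the hash sitting in an `input type="hidden"` next to each username, and the hash being unsalted) are what turn a directory listing into a list of cleartext passwords. The following is an added example, not code from the original post and not Lotus Domino's own algorithm: it builds a constructed directory page in the same shape, scrapes the hidden values, and recovers every account that uses a default password with a single precomputed table. SHA-1 from `hashlib` stands in for the real Domino hash (assumption), the field name `HTTPPassword`, the user names and the wordlist are all made up for the example, and the salted variant at the end shows why the same table is useless once a per-user salt is added.

```python
"""Unsalted hash in a hidden field -> precomputed lookup (added example).

Assumptions (not from the post): SHA-1 stands in for Domino's hash, the
hidden input is called HTTPPassword, and users/wordlist are constructed.
"""
import hashlib
import os
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Constructed wordlist of default/common passwords.
DEFAULT_WORDLIST = ["password", "123456", "letmein", "welcome", "lotus"]

# Constructed accounts; two of them still carry the default password.
USERS = {"admin": "password", "alice": "password", "bob": "Tr0ub4dor&3"}


def stand_in_hash(password: str, salt: bytes = b"") -> str:
    """Stand-in for the directory's password hash (SHA-1, NOT Domino's real one).
    With salt=b"" it is unsalted: identical passwords give identical hashes."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def render_directory(users: Dict[str, str],
                     salts: Optional[Dict[str, bytes]] = None) -> str:
    """Constructed HTML in the shape the post describes: a visible username and
    an apparently blank column whose hidden input carries the hash."""
    rows = []
    for name, pw in users.items():
        salt = (salts or {}).get(name, b"")
        rows.append(
            f"<tr><td>{name}</td><td>"
            f'<input type="hidden" name="HTTPPassword" value="{stand_in_hash(pw, salt)}">'
            f"</td></tr>"
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


class HiddenFieldParser(HTMLParser):
    """Collect (username, hidden value) pairs, one per table row."""

    def __init__(self) -> None:
        super().__init__()
        self.pairs: List[Tuple[str, str]] = []
        self._in_td = False
        self._current_name: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "td":
            self._in_td = True
        elif tag == "input" and a.get("type") == "hidden" and a.get("name") == "HTTPPassword":
            if self._current_name is not None:
                self.pairs.append((self._current_name, a.get("value", "")))
                self._current_name = None

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False

    def handle_data(self, data):
        text = data.strip()
        if self._in_td and text:          # the visible cell holds the username
            self._current_name = text


def extract_hidden_credentials(html: str) -> List[Tuple[str, str]]:
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.pairs


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Hash every candidate once. Only worthwhile because there is no salt:
    the table serves every user and every directory that uses this hash."""
    return {stand_in_hash(w): w for w in wordlist}


def crack_unsalted(html: str, table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """One dictionary lookup per account, no hashing at attack time."""
    return {user: table.get(h) for user, h in extract_hidden_credentials(html)}


def crack_salted(html: str, salts: Dict[str, bytes],
                 wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """With per-user salts nothing can be precomputed: every candidate has to be
    re-hashed for every account. Returns (recovered, number of hash computations)."""
    work = 0
    found: Dict[str, Optional[str]] = {}
    for user, h in extract_hidden_credentials(html):
        found[user] = None
        for w in wordlist:
            work += 1
            if stand_in_hash(w, salts[user]) == h:
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    table = build_lookup_table(DEFAULT_WORDLIST)
    print("unsalted:", crack_unsalted(render_directory(USERS), table))
    salts = {u: os.urandom(8) for u in USERS}
    salted_page = render_directory(USERS, salts)
    print("table vs salted page:", crack_unsalted(salted_page, table))
    print("salted brute force:", crack_salted(salted_page, salts, DEFAULT_WORDLIST))
```

On the unsalted page `admin` and `alice` carry byte-for-byte identical hidden values, which is itself a tell that the two share a password before any cracking is done; on the salted page their values differ and the precomputed table matches nothing, so the attacker's cost grows with the number of accounts instead of being paid once.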
Yes, every user account had the default password: "password". This would not have been that big a problem if there had been a policy in place to enforce a password change, but there was not. But then, even though we had user-level access and could read just about every e-mail bouncing around the place, we had not compromised the system completely… Yes, you know where this goes: even the administrator account had not changed the password. People familiar with the Lotus Domino system might protest and say that this does not count as completely compromised, as we had not yet obtained the root certificate. This would have been a valid point had it not been for one of the mails sent from the administrator account to the administrator account:
Basically the administrator mailed the root certificate to himself, so it would not be lost again…
This was my very first pen test of a live system. I have come a long way since then, but this is still my favorite; the meeting with EDBGruppen afterwards, where we explained the security flaws to them, was priceless.
It should be noted that after this penetration test, all the security holes in question have been fixed, and munthe plus simonsen now has a decent level of security. Furthermore, it should be noted that prior to the pen test I was freelancing at munthe plus simonsen as an on-call IT helpdesk. The information I had about the system was not used in this pen test, apart from one small point: the IP of the system.