Domi-Owned is a tool used for compromising IBM/Lotus Domino servers.
Tested on IBM/Lotus Domino 8.5.2, 8.5.3, 9.0.0, and 9.0.1 running on Windows and Linux.
UsageA valid username and password is not required unless 'names.nsf' and/or 'webadmin.nsf' requires authentication.
FingerprintingRunning Domi-Owned with just the
flag will attempt to identify the Domino server version, as well as check if 'names.nsf' and 'webadmin.nsf' requires authentication.
If a username and password is given, Domi-Owned will check to see if that account can access 'names.nsf' and 'webadmin.nsf' with those credentials.
Reverse BruteforceTo perform a Reverse Bruteforce attack against a Domino server, specify a file containing a list of usernames with
, a password with
, and the
flag. Domi-Owned will then try to authenticate to 'names.nsf', returning successful accounts.
Dump HashesTo dump all Domino accounts with a non-empty hash from 'names.nsf', run Domi-Owned with the
flag. This prints the results to the screen and writes them to separate out files depending on the hash type (Domino 5, Domino 6, Domino 8).
Quick ConsoleThe Domino Quick Console is active by default; however, it will not show the command's output. A work around to this problem is to redirect the command output to a file, in this case 'log.txt', that is then displayed as a web page on the Domino server.
flag is given, Domi-Owned will access the Domino Quick Console, through 'webadmin.nsf', allowing the user to issue native Windows or Linux commands. Domi-Owned will then retrieve the output of the command and display the results in real time, through a command line interpreter. Type
to quit the Quick Console interpreter, which will also delete the 'log.txt' output file.
Fingerprint Domino server
python domi-owned.py --url http://domino-server.com
Preform a reverse bruteforce attack
python domi-owned.py --url http://domino-server.com -U ./usernames.txt -p password --bruteforce
Dump Domino account hashes
python domi-owned.py --url http://domino-server.com -u user -p password --hashdump
Interact with the Domino Quick Console
python domi-owned.py --url http://domino-server.com -u user -p password --quickconsole