Lotus Notes/Domino 8

[benede]

Hi
1. Where do i get this hash from (HsjFebq0Kh9kH7aAZYc7kY30mC30mC3KmC30mCluagXrvWKj1) ?
2. How can open the hash from user.id file?

[benede]

oclHashcat can't open Lotus Notes ID hashes from user.id files!

The "9100 Lotus Notes/Domino 8" mode is for the hashes from Domino Directory names.nsf file.
The Internet password (HTTPPassword field) from names.nsf looks like (355E98E7C7B59BD810ED845AD0FD2FC4).

User.id file is generated by the Lotus Domino server and stored on client file system usually in %USERPROFILE%\AppData\Local\Lotus\Notes\Data.
At offset 0xD6 the ciphered user password digest is stored. So the first thing to do is to extract the ciphered blob from the user.id file,
with this tool LotusIdHashExtractor (http://blog.quarkslab.com/static/resourc...tractor.7z)
It extracts the ciphered blob as a hexadecimal string that can be used with the John The Ripper (http://www.openwall.com/john/) with the command
"./john --wordlist=big_dict.txt --format=lotus85 domino.dump" (but it only uses CPU)

[philsmd]

I'm not totally sure what the purpose of this thread is. Is it meant as a summarize/description/guide of what the user could do when he gets a user.id file (in form of a user contribution thread) or is this all about requesting a new hash type for oclHashcat?

For case #2 please remember that feature/hash type requests (and problem/bug reports) need to be registered as tickets on trac: https://hashcat.net/trac/

Btw: I do remember that when the devs implemented some lotus algos in oclHashcat (-m 8600/-m 8700/-m 9100) they did also think about this lotus85 algo, but as far as I know it wasn't implemented because it wasn't requested by a lot of users, the full details where not 100% clear and furthermore it is somehow (like other lotus algos too) a very strange algo

Anyway thanks for the tutorial on how the "lotus85" hash extraction works.