The security of common sense (continued)
LotteryHack is a Java agent that attempts to crack weakly encrypted HTTPPasswords. A user copies the hashed password into a field and then runs the agent. It generates a completely random string of letters and digits of the password length you specify and compares it against the hash. It gets its name from the fact that it isn't a scientific attack: it just keeps making random tries, each with a chance of success generally far lower than that of winning your state's lottery. It won't stop until it succeeds, which could be never.
You can view the code for LotteryHack at http://www.component-net.com/dp-extras/dp-200104-2.html.
ExhaustiveHack is a stand-alone Java application that uses CORBA (Common Object Request Broker Architecture) to try to connect remotely to a Domino server. If the connection fails with the current password, it changes the password and tries again. It systematically runs through every combination of characters until it has exhausted every possibility. You may specify a starting length and a maximum length for the password. You must also supply a username and the IP (Internet Protocol) address or DNS (Domain Name System) name of the server to attack. Password lengths may be from one to twelve characters, but you could easily extend the application to allow as many as you wanted.
You can view the code for ExhaustiveHack at http://www.component-net.com/dp-extras/dp-200104-1.html.
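The two search strategies described above, as an added example that is not part of the article or of either program it links to. It is written in Python rather than the article's Java, the keyspace (lower-case letters and digits) is an assumption, SHA-256 stands in for Domino's HTTPPassword hash so that the offline check runs, and a local `LoginSimulator` stands in for the remote DIIOP connection attempt. It also shows the keyspace arithmetic behind the odds the article quotes, and the account-lockout behaviour a practitioner would want to see handled.

```python
# Added example (not from the article): the random "lottery" search and the
# exhaustive search the text describes, in Python. Nothing here speaks Domino's
# HTTPPassword format or DIIOP; both are replaced by assumed local callbacks.
import hashlib
import itertools
import random
import string
from typing import Callable, Iterator, Optional, Tuple

# Assumed keyspace: the article's "characters and numbers".
ALPHABET = string.ascii_lowercase + string.digits

# A check answers "is this the password?" for one candidate, whether by
# comparing against a stolen hash or by attempting a (simulated) login.
Check = Callable[[str], bool]


def keyspace_size(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates an exhaustive run over lengths min_len..max_len covers."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_lottery_attempts(alphabet_size: int, length: int) -> int:
    """Mean number of uniform random guesses until one specific password is hit."""
    return alphabet_size ** length


def exhaustive_candidates(alphabet: str, min_len: int, max_len: int) -> Iterator[str]:
    """Every string over `alphabet`, shortest lengths first (ExhaustiveHack's order)."""
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def exhaustive_hack(check: Check, alphabet: str, min_len: int, max_len: int
                    ) -> Tuple[Optional[str], int]:
    """Try each candidate exactly once; return (password or None, attempts made)."""
    attempts = 0
    for candidate in exhaustive_candidates(alphabet, min_len, max_len):
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


def lottery_hack(check: Check, alphabet: str, length: int, max_attempts: int,
                 rng: Optional[random.Random] = None) -> Tuple[Optional[str], int]:
    """Guess uniformly at random, with replacement, as LotteryHack does.
    The article's agent never stops; max_attempts is added here so this returns."""
    rng = rng or random.SystemRandom()
    for attempt in range(1, max_attempts + 1):
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if check(candidate):
            return candidate, attempt
    return None, max_attempts


def sha256_hex(password: str) -> str:
    """Stand-in hash (assumption: SHA-256, not Domino's HTTPPassword format)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_check(target_hex: str) -> Check:
    """Offline check against a copied hash: hash the candidate and compare."""
    return lambda candidate: sha256_hex(candidate) == target_hex


class LoginSimulator:
    """Stand-in for the remote login attempt. Counts failures and, after
    `lockout_after` of them, refuses every further attempt: the control that
    turns an online exhaustive search into a guaranteed miss."""

    def __init__(self, password: str, lockout_after: int):
        self.password = password
        self.lockout_after = lockout_after
        self.failures = 0
        self.locked = False

    def __call__(self, candidate: str) -> bool:
        if self.locked:
            return False
        if candidate == self.password:
            return True
        self.failures += 1
        if self.failures >= self.lockout_after:
            self.locked = True
        return False


if __name__ == "__main__":
    target = sha256_hex("ab1")  # constructed sample hash
    print(exhaustive_hack(hash_check(target), ALPHABET, 1, 3))  # ('ab1', 1396)
    print(keyspace_size(len(ALPHABET), 1, 12))  # candidates for the article's 1..12 range
    sim = LoginSimulator("ab1", lockout_after=5)
    print(exhaustive_hack(sim, ALPHABET, 1, 3))  # (None, 47988): locked out after 5 tries
```

The offline run finds the three-character sample on attempt 1396 of a 47,988-candidate keyspace; the same search against the simulated login never succeeds, because five failures lock the account long before the right candidate comes up. Printing `keyspace_size(36, 1, 12)` makes the article's later point about the odds concrete: the twelve-character range alone is over 4.7 quintillion candidates.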
You Commie bastard
You may be wondering why someone who makes his livelihood as a Notes developer is publishing ways to hack the system. First off, I always hear hacking discussed in very general terms. It's this nebulous activity that instills unreasonable fear. Now that you've seen some more concrete examples, hopefully you can make more informed decisions about how to deal with it. Secondly, the applications aren't that great. They assume quite a few things and aren't the most efficient in the world.
For the LotteryHack agent, you need a hashed copy of a weakly encrypted HTTPPassword, which means you need at least read access to the target's Domino Directory. You also need to know the password length, or at least have a guess, which could of course be completely wrong. ExhaustiveHack requires that you know someone's username at the company, which admittedly isn't very hard. You also need to know a range for the password length, which could also be wrong. It further requires that the DIIOP task be running on the server you're attacking, which is less common.
I'm not trying to demonize DIIOP or suggest anything bad about it. It's a great task that I've found very helpful in a lot of ways. The ExhaustiveHack algorithm could be put in an agent and used to try to crack hashed passwords as well. Both programs could be used to attack Domino in different ways, interfacing with login pages and such. The ways I've shown were simply the easiest for me to detail.
Lastly, the two applications above are what is called "brute force" attacks: they try candidate after candidate until one succeeds or the possibilities run out. No one uses brute force methods of attack. I can sense all those security people out there shaking their heads in disagreement. If gambling weren't illegal, I'd give you all thousand-to-one odds against any low-risk company ever being hacked by brute force. Depending on how stingy you were, I'd have a good little supplemental income. There are two main reasons why people don't use brute force attacks.