[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <421DA5F7.9090607@xmcopartners.com>
From: thierry.haven at xmcopartners.com (Thierry Haven)
Subject: smtpsvc and undocumented registry values
Thanks for your answers... but I'm sorry, my question was about mail -RELAYING- through SMTP. By modyfing the banner with Metabase Explorer (as you said, or as established on safehack.com) it is only possible to hide the current version when connecting to the server thanks to telnet / port 25. However, if someone wants to do this without Metabase Explorer, here's another way to do it:
#cd drive:\Inetpub\Adminscripts
#cscript adsutil.vbs set smtpsvc/vsi_number/connectresponse "new banner"
(with vsi_number = the virtual SMTP server number)
In my first post, I was talking about removing the version in mail -HEADERS-... So I believe that it's not possible so far without patching smtpsvc.dll, which is definitively NOT a proper/clean solution.
Best Regards,
_______________________________________
Thierry Haven - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com
Jalal, Ahmed wrote:
> I came across such a trick in an Exchange book. Basically you go into IIS
> 6.0 Metabase Explorer utility and locate the SMTP virtual server you want to
> change (\lm\Smtpsvc\1). Then you highlight the "1" folder and click edit,
> new, String Record and give it a value of 36907. After creating that, you
> highlight the newly created record, double click on it and enter the new
> banner information. Then restart the SMTP virtual server.
>
> I have never tried it, just read it.
>
>
>
>
>
> -----Original Message-----
> From: Thierry Haven [mailto:thierry.haven@...opartners.com]
> Sent: Wednesday, February 23, 2005 11:27 AM
> To: Thierry Haven
> Cc: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] smtpsvc and undocumented registry values
>
> Hi,
> I've been hacking around smtpsvc.dll (Windows Server 2003) in order to hide
> the Server version when a mail is relayed:
>
> Original header:
> "from [192.168.X.X] ([192.168.X.X]) by winserv2003 with Microsoft
> SMTPSVC(6.0.3790.0); Wed, 23 Feb 2005 15:47:51 +0100"
>
>
> I found that it is possible to remove this information by patching the code
> directly in the DLL:
>
> Modified header:
> "from [192.168.X.X] ([192.168.X.X]) by winserv2003 with some server;
> Wed, 23 Feb 2005 15:49:51 +0100"
>
> ... Assuming that smtpsvc.dll checks its own version at runtime by
> retrieving information in the .rsrc section of the PE thanks to version.dll
> calls. However I'd like to know if there is a better way to disable this
> "feature" (maybe a key in the registry ?).
>
>
> Next I'd like to ask about such undocumented registry values. Where to find
> information about them ?
>
>
> Best Regards,
>
> _______________________________________
> Thierry Haven - Xmco Partners
> Security Consulting / Pentest
> web : http://www.xmcopartners.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists