Ceh Queries
FOOTPRINTING Email spider tool to search emails Whois, nmap,ipscan SCANNINGTutorial: Banner Grabbing is considered a very important part of penetration tests. Why? Because it gives us an information about the daemon that is running and accepting our connection and whether it is patched or not. Sometimes, it also gives off information such as the time it was compiled, if it is a beta version or not. With that information, you can move ahead and try to exploit the daemon. Ofcourse, this informati
Content
FOOTPRINTING Email spider tool to search emails Whois, nmap,ipscan SCANNING
Tutorial: Banner Grabbing is considered a very important part of penetration tests. Why? Because it gives us an information about the daemon that is running and accepting our connection and whether it is patched or not. Sometimes, it also gives off information such as the time it was compiled, if it is a beta version or not. With that information, you can move ahead and try to exploit the daemon. Ofcourse, this information can be changed, to something it is not! But, the fact remains that most system administrators are only interested in the daemon working good and they are least concerned with the version information. All they want is a 100% system uptime. So, most of them do not change it and let it be the system default. The question now remains, how do you grab a banner. Simple! Telnet to the port and see the output. Easy. We have included a small list of well known ports under port number 1024, that you can use and grab a banner. 21 FTP (File Transfer Protocol) 22 SSH (Secure Shell) 23 Telnet 25 SMTP (Send Mail Transfer Protocol) 43 whois 53 DNS (Domain Name Service) 68 DHCP (Dynamic Host Control Protocol) 79 Finger 80 HTTP (HyperText Transfer Protocol) 110 POP3 (Post Office Protocol, version 3) 115 SFTP (Secure File Transfer Protocol) 119 NNTP (Network New Transfer Protocol) 123 NTP (Network Time Protocol) 137 NetBIOS-ns 138 NetBIOS-dgm 139 NetBIOS 143 IMAP (Internet Message Access Protocol) 161 SNMP (Simple Network Management Protocol) 194 IRC (Internet Relay Chat) 220 IMAP3 (Internet Message Access Protocol 3) 389 LDAP (Lightweight Directory Access Protocol) 443 SSL (Secure Socket Layer) 445 SMB (NetBIOS over TCP) 666 Doom
993 SIMAP (Secure Internet Message Access Protocol) 995 SPOP (Secure Post Office Protocol) For example, you want to grab a banner for an SMTP service (port 25). All you do is,
telnet mailserver 25 EHLO/HELO
SMTP Banner grab So, you can clearly see that it is a ESMTP server. After further prodding, you can find that it is an EXIM server. You can move ahead now and focus only on EXIM ESMTP server based exploits, etc.
Example 8-1. Fingerprinting FTP services through issuing commands # ftp 192.168.0.250 Connected to 192.168.0.250 (192.168.0.250). 220 ftp.trustmatta.com FTP server ready. Name (ftp.trustmatta.com:root): ftp 331 Guest login ok, send your complete e-mail address as password. Password: [email protected] 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files.
Banner Grabbing
Telnet in Vista and Windows 7 First you need to install Telnet In Control Panel, Programs and Features, Turn Windows Features on or off, check Telnet Client Banner Grabbing Connecting to remote applications and observing the output Simple way, at a command prompt • telnet www.ccsf.edu 80 On the next blank screen type in • GET / HTTP/1.1 • Press Enter twice Making Characters Visible In Windows XP and Vista, you can't see what you type in the Telnet session. To fix that, do this: At a command prompt, type telnet hills.ccsf.edu 80 Press Enter. Press Ctrl+]. Then type set localecho Press Enter twice • Link Ch 3z11 Example Banners www.ccsf.edu tells you too much cnn.com is better
Netcat Banner Grabs Get Netcat for Windows at link Ch 3d
Banner-Grabbing Countermeasures Turn off unnecessary services Disable the presentation the vendor and version in banners Audit yourself regularly with port scans and raw netcat connects to active ports
ENUMERATION TOIPC
NTP (NETWORK TIME PROTOCOL)
What is NTP? NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to sometime reference. NTP is an Internet standard protocol originally developed by Professor David L. Mills at the University of Delaware. What is SNTP? SNTP (Simple Network Time Protocol) is basically also NTP, but lacks some internal algorithms that are not needed for all types of servers. See Q: 9.4. for more and detailed information. As a full implementation of the NTP protocol seemed too complicated for many systems, a simplified version of the protocol, namely SNTP had been defined.
Why should Time be synchronized? Time usually just advances. If you have communicating programs running on different computers, time still should even advance if you switch from one computer to another. Obviously if one system is ahead of the others, the others are behind that particular one. From the perspective of an external observer, switching between these systems would cause time to jump forward and back, a nondesirable effect. As a consequence, isolated networks may run their own wrong time, but as soon as you connect to the Internet, effects will be visible. Just imagine some EMail message arrived five minutes before it was sent, and there even was a reply two minutes before the message was sent. Even on a single computer some applications have trouble when the time jumps backwards. For example, database systems using transactions and crash recovery like to know the time of the last good state. Therefore, air traffic control was one of the first applications for NTP. What are the basic features of NTP? There exist several protocols to synchronize computer clocks, each having distinguished features. Here is a list of NTP's features: NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time,
but will make them agree upon the true time as defined by some standard.)NTP uses UTC as reference time*
* (What is UTC?) Coordinated Universal Time is a time standard based on International Atomic Time (TAI) with leap seconds added at irregular intervals to compensate for the Earth's slowing rotation. Leap seconds are used to allow UTC to closely track UT1, which is mean solar time at the Royal Observatory, Greenwich NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronize to. Multiple candidates can be combined to minimize the accumulated error. Temporarily or permanently insane time sources will be detected and avoided.
NTP is highly scalable: A synchronization network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectional or unidirectional. Propagating time from one node to other forms a hierarchical graph with reference clocks at the top.
Having available several time sources, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds). (The popular protocol used by rdate and defined in [RFC 868] only uses a resolution of one second). Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error.For formal reasons NTP will also maintain estimates for the accuracy of the local time.
Which Operating Systems are supported? The implementation described in Which Implementations are available for UNIX? works for most popular UNIX operating systems. Among those are: AIX, FreeBSD, HP-UX, Irix, Linux, NetBSD, SCO UNIX, OpenBSD, OSF/1, Solaris, System V.4.
According to a message in news://comp.protocols.time.ntp there's also a supported implementation for VMS: "UCX (the VMS TCP stack) has a full implementation of NTP built-in. As of v5 it's pretty much vanilla NTP, prior to that the command syntax and
control file formats were proprietary. Check the manuals." See Q: 4.3.4.1. for more details. In addition there are efforts to make it run on Windows/NT (see Q: 8.3.11.2.3.). Currently there are problems with time resolution, reference clock drivers, authentication and name resolution.
How many NTP servers are available in the Internet?
According to A Survey of the NTP Network there were at least 175,000 hosts running NTP in the Internet. Among these there were over 300 valid stratum-1 servers. In addition there were over 20,000 servers at stratum 2, and over 80,000 servers at stratum 3.
Which version of NTP should I use?
Unfortunately the answer to this question is not quite easy: Currently there are version three and version four implementations of NTP available. The latest software release being worked on is NTPv4, but the official Internet standard is still NTPv3. In addition, some vendors of operating systems customize and deliver their own versions. If you rely on support, you should also consider that.
If you are worried with compatibility issues, older version clients can generally talk to newer version servers automagically (as newer servers know how to answer the queries, hopefully), but the other direction requires manual interference (See html/confopt.htm about the version keyword).
NTPv4 introduces some new features that you may find desirable (See Q: 4.1.9.). For example, if you use dial-up connections, version four can increase its polling interval above one day if the clock is stable enough. In addition the new algorithms can deal with high delay variations a bit better than the LAN-oriented version three. On the other hand, NTPv4 uses floating point operations where NTPv3 used integer arithmetic. This should not be a problem for current hardware, but might be an issue for older systems without a floating point unit.
There is also a security issue with all versions probably older than 4.0.99k23 that may allow denial of service or even unauthorized system access. Still vendors supplying older versions may have fixed their particular version.
See also Section 6.4
What's the difference between xntp and ntp?
Obviously the difference is an x, and its meaning some years ago was (according to Professor David L. Mills):
Dennis Fergusson intended the "x" as "experimental". I got maybe twenty messages over the years suggesting the x was not appropriate for code in use over a decade and I dropped it for NTPv4. See the paper on NTP history at http://www.eecis.udel.edu/~mills/papers.htm.
In practice xntp refers to an implementation of version three or older while ntp refers to implementation of version four (or later).
What's new in Version 4? According to the NTP Version 4 Release Notes found in release.htm, the new features of version four (as compared to version three) are: Use of floating-point arithmetic instead of fixed-point arithmetic. Redesigned clock discipline algorithm that improves accuracy, handling of network jitter, and polling intervals. Support for the nanokernel kernel implementation that provides nanosecond precision as well as improved algorithms. Public-Key cryptography known as autokey that avoids having common secret keys. Automatic server discovery (manycast mode) Fast synchronization at startup and after network failures (burst mode)
New and revised drivers for reference clocks Support for new platforms and operating systems Where is NTP specified? The official specification of NTP version 3 is [RFC 1305]. Specifically, there is no specification for version 4 yet. Despite of some arguments to update the specification, there won't be one in the near future. There was a recent discussion on the subject. Hans P. Reiser wrote: Several slides and papers on NTP illustrate the NTP Interval Intersection Algorithm with an example of 4 peers, A to D, showing two confidence intervals labeled "Correct DTS" and "Correct NTP". (Also shown in Appendix of RFC-1305, Fig. 16). While it is easy to understand the DTS case, I have some problems matching the shown NTP interval with the specified algorithms. According to the algorithm as specified, e.g., in RFC-1305: f=0 (no falsetickers) will fail, so f=1 scan for low endpoint will yield left end of interval C (condition i>=3 holds), by that time c=1 (incremented at midpoint of D) scan for high endpoint starts with c=1, f=1, i=0 condition i>=3 holds as soon as the right end of interval B is reached, by that time c=2 (incremented at midpoint of C)
Now, c>f, so no success yet. Increment f to value 2
Some documents now say "declare failure if f>=m/2", which is the case now. Even if you make another pass with f=2, you will get an interval from left end of A to right end of A, thus again different from what ss shown in RFC's Fig 16.
Do I get something really wrong here (and I really tried hard to locate any flaw in my argument), or is there really a error in the RFC example and all other places which use this example?
The answer written by Professor David L. Mills reads:
(...) What's more, you exposed a significant error in both the documentation and the implementation.
See slide 15 from the architecture and protocol briefing on the NTP project page linked from www.ntp.org. The statements preceeding the algorithm are correct; that is the intent of its design according to the set of formal correctness assertions worked out with the computer science theory community. Unfortunately, in my haste to bottle the algorithm in quick and easy gulps, something got lost in the description. The actual algorithm is constructed differently, but accomplishes the same thing. Pseudo code for the correctness model is in rfc1305 but (sigh) there is a leetle buggie in that description.
Just to be honest I rechecked the actual NTPv4 code and found a nasty surprise. The code is broken and does not exactly implement the formal model. Under some conditions it allows a falseticker to masquerade as a truechimer. Not to panic; the masquerade is subtle and will not result in significant error. However, I don't know how this happened; the core code is 14 years old, may have been noodled (but not by me) and hasn't been carefully reviewed since.
I repaired the code as per rfc1305 and bugfix and verified it does what the formal model intended. The repair is in the development version here and should be in the repository when other known bugs are fixed. Meanwhile, I fixed the description in the briefing; it should be on the project page in the morning.
The clock selection algorithm is at the very heart of the NTP design. While a formal description of its operation is now in the briefing, an informal description may be of interest to folks in this group. I know there are many skeptics who complain when the algorithm does something they don't like, rather than what the correctness assertions require.
If a candidate presented to the algorithm is reliably synchronized to UTC, its time offset value seen from afar cannot exceed an error bound equal to plus-minus half the roundtrip propagation delay to that candidate plus a little wiggle due to statistical variations (jitter). Once the offset value has been determined, the error bound increases at a fixed rate due to the maximum credible frequency error of the clock oscillator. The error bound, called the root synchronization distance, is
continuously calculated by ntpd. The correctness interval is defined as twice this bound with midpoint equal to the offset value.
Now consider a number of correctness intervals aligned along the time axis at their respective offset values. Obviously, those points where the intervals all overlap form a clique representing the correct UTC time. If some interval does not overlap the others, there must be more than one clique, but only one clique can contain the correct time. If there is a clique containing more than half the number of intervals, its members must all be truechimers and the other cliques must contain only falsetickers. If there is no clique containing more than half the intervals, a correct time cannot be determined and the Byzantines lose the war.
Consider the common case of two intervals that do not overlap due to a systematic error. According to principle, one of the two must not be synchronized to UTC, but there is no way for the selection algorithm to know which one. So, by the above, a correct time cannot be determined. In prinicple, you could choose one based on other characteristics, like the size of the interval, but this would seriously complicate the algorithm and probably cause the theory community to disown me.
While the corrected code is strict to principle, it may be too strict for some who don't care that much about correctness principles. There may be a need for a tinker switch with appropriate warning disclaimers.
NTP ENUMERATION
Network Time Protocol Enumeration NTP is a protocol designed to synchronise clocks of networked computers. From a Vulnerability Analysis/ Penetration testing aspect, the data available when querying the ntp server can prove quite valuable and is usually available without any formal authentication being required. The following commands can be used against an NTP server:
•
ntpdate
• • •
ntptrace ntpdc ntpq
Ntpdate - ntpdate can collect a number of time samples from a number of time sources (i.e., multiple NTP servers)
ntpdate [-bBdoqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [server/IP_address] # ntpdate 192.168.0.1 27 Dec 11:50:49 ntpdate[627]: adjust time server 192.168.0.1 offset -0.005030 sec
Options
-a key Enable the authentication function/specify the key identifier to be used for authentication. -B Force the time to always be slewed. -b Force the time to be stepped. -d Enable debugging mode. -e authdelay Specify the processing delay. -k keyfile Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp.keys. -o version Specify NTP version for outgoing packets as the integer version, can be 1 or 2. Default is 3. -p samples Specify # of samples to be acquired from each server, with values from 1-8. Default is 4. -q Query only - don't set the clock. -s Divert logging output from the standard output (default) to the system syslog facility. -t timeout Specify the maximum time waiting for a server response. Default is 1 second. -u Use an unprivileged port or outgoing packets. -v Be verbose.
Ntptrace - ntptrace determines where a NTP server gets its time from, and follows the chain of NTP servers back to its primary i.e. master, time source. If you supply no argument ntptrace will start with the localhost, if a server is specified, the localhost will appear last.
ntptrace [-vdn] [-r retries ] [-t timeout] [servername/IP_address] # ntptrace localhost: stratum 4, offset 0.0019529, synch distance 0.143235 192.168.0.1: stratum 2, offset 0.0114273, synch distance 0.115554 192.168.1.1: stratum 1, offset 0.0017698, synch distance 0.011193 Options -d Display debugging output. -n Does not print host names only IP addresses are shown. May be useful if a nameserver is down. -r retries Sets the number of retransmission attempts for each host (default = 5). -t timeout Sets the retransmission timeout (in seconds) (default = 2). -v Prints verbose information about the NTP servers.
Ntpdc - ntpdc is used to query the ntpd daemon about its current state and to request changes in that state. The program may be run either in interactive mode or controlled using command line arguments.
ntpdc [-ilnps] [-c command] [hostname/IP_address]
root@attacker]# ntpdc -c sysinfo 192.168.0.1 ***Warning changing to older implementation ***Warning changing the request packet size from 160 to 48 system peer: 192.168.1.100 system peer mode: client leap indicator: 00 stratum: 5 precision: -15 root distance: 0.00107 s
root dispersion: 0.02306 s reference ID: [192.168.1.100] reference time: f66s4f45.f633e130 Wed, Jun 28 2006 11:06:11.631 system flags: monitor ntp stats calibrate jitter: 0.000000 s stability: 4.256 ppm broadcastdelay: 0.003875 s authdelay: 0.000107 s root@attacker]# ntpdc -c monlist 192.168.0.1 ***Warning changing to older implementation ***Warning changing the request packet size from 160 to 48 remote address port local address count m ver code avgint lstint ======================================================================= 192.168.0.222 32786 192.168.0.1 572 00 188 192.168.1.100 123 192.168.0.1 4299 3 2 0 22 1022110 192.168.2.133 32766 192.168.0.1 10 4 2 0 559 1110 192.168.2.133 123 192.168.0.1 636 0 1101 1502 attacker 32812 127.0.0.1 153 0 1022142 1022142 Options
-c command Following argument interpreted as an interactive format command. Multiple -c options may be
given.
-i -l -n -p -s
Force ntpdc to operate in interactive mode. Obtain a list of peers which are known to the server(s). This switch is equivalent to -c listpeers Output all host addresses in dotted-quad numeric format rather than host names. Print a list of the peers as well as a summary of their state. This is equivalent to -c peers. Print a list of the peers as well as a summary of their state. This is equivalent to -c dmpeers.
Available commands (abridged):
listpeers Obtains and prints a brief list of the peers. peers Obtains a list of peers for which the server is maintaining state. sysinfo Print a variety of system state variables. reslist Obtain and print the server's restriction list. monlist [version] Obtain and print traffic counts collected and maintained by the monitor facility.
Ntpq -ntpq is used to monitor NTP daemon ntpd operations and determine performance. ntpq [-inp] [-c command] [host/IP_address] root@attacker]# ntpq 192.168.01 ntpq> lpeers remote refid st t when poll reach delay offset jitter *192.168.1.100 LOCAL(0) 4 u 18 58 344 0.655 -0.039 0.029 ntpq> version ntpq [email protected] Mon May 07 14:14:14 EDT 2006 (1) ntpq> host current host is 192.168.0.1 ntpq> readlist assID=0 status=0674 leap_none, sync_ntp, 7 events, event_peer/strat_chg, system="SunOS", leap=00, stratum=5, rootdelay=0.655, rootdispersion=20.080, peer=40852, refid=192.168.1.100, reftime=c66b4f07.d732d455 Sat, Jul 01 2006 17:28:11.773, poll=6, clock=0xc66b4f3b.595ed455, phase=-0.040, freq=80337.65, error=0.01 Options
-c -d -i -n -p
Following argument is interpreted as an interactive format command. Multiple -c options may be given. Debugging mode. Force ntpq to operate in interactive mode. Output all host addresses in dotted-quad numeric format rather than host names. Print a list of the peers as well as a summary of their state. Available Commands (abridged):
lpeers A summary of all associations for which the server is maintaining state is printed. peers Obtains a current list peers of the server, along with a summary of each peer's state. lpassociations Print data for all associations version Everything you need to know about the software version and generation time. system The operating system version and release identifier. hostname The name of the host
As you can see, this is an awful lot of information that you can get from a target machine running ntp with no restrictions applied to it. Restrictive Policies: The restrict option in /etc/ntp.conf allows you to control which machines can access your server. If you want to deny all machines from accessing your NTP server, add the following line to /etc/ntp.conf:
restrict default ignore
If you only want to allow machines within your own network to synchronize their clocks with your server, but ensure they are not allowed to configure the server or used as peers to synchronize against, add
restrict 192.168.0.1 mask 255.255.255.0 nomodify notrap instead, where 192.168.0.1 is a local IP address with a netmask of 255.255.255.0
SMTP Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (email) transmission across Internet Protocol (IP) networks. While electronic mail servers and other mail transfer agents use SMTP to send and receive mail messages, user-level client mail applications typically only use SMTP for sending messages to a mail server for relaying. For receiving messages, client
applications usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) to access their mail box accounts on a mail server. Mail processing model The overall flow for message creation, mail transport and delivery may be illustrated as follows:
sending MUA → MSA → sending MTA → receiving MTA → MDA → Mailstore for retrieval by MUA E-mail is submitted from an message user agent (MUA), the user's email client, to a mail server (MSA), usually using SMTP. From there, the MSA delivers the mail to an MTA, often running on the same machine. These functions may not be distinguished, or merged into one program, and a message may be directly submitted to an MTA: port 587 is used for submission to MSAs (thence to MTAs), while port 25 is used for transferring to MTAs.
The MTA looks up the destination mail exchanger records in the DNS, and relays the mail to the server on record via TCP port 25 and SMTP. Once the receiving MTA accepts the incoming message, it is delivered via a mail delivery agent (MDA) to a server which is designated for local mail delivery. The MDA either delivers the mail directly to storage, or forwards it over a network using either SMTP or the Local Mail Transfer Protocol (LMTP), a derivative of ESMTP designed for this purpose. Once delivered to the local mail server, the mail is stored for batch retrieval by authenticated mail clients (MUAs). Mail is retrieved by end-user applications, the email clients, using IMAP, a protocol that both facilitates access to mail and manages stored mail, or the Post Office Protocol (POP) which typically uses the traditional mbox mail file format. Webmail clients may use either method, but the retrieval protocol is often not a formal standard. Some local mail servers and MUAs are capable of either push or pull mail retrieval.
SMTP defines message transport, not the message content. Thus, it defines the mail envelope and its parameters, such as the envelope sender, but not the header or the body of the message itself. STD 10 and RFC 5321 define SMTP (the envelope), while STD 11 and RFC 5322 define the message (header and body), formally referred to as the Internet Message Format
Enumerating SMTP, TCP 25
SMTP can be enumerated with Telnet, using these commands • VRFY confirms names of valid users • EXPN reveals the actual delivery addresses of aliases and mailing lists Antivirus Note McAfee antivirus blocks telnets to port 25 "Prevent mass mailing worms from sending mail" SMTP Enumeration Countermeasures Disable the EXPN and VRFY commands, or restrict them to authenticated users Sendmail and Exchange both allow that in modern versions
This sample sends a simple text email that can be viewed in any email client. Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" objMessage.TextBody = "This is some sample message text." objMessage.Send
Sending an HTML email. Note the use of the Cc & Bcc properties to send using Blind Carbon Copy (Bcc) and Carbon Copy (Cc). These properties can be used with either text or HTML email. Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" 'The line below shows how to send using HTML included directly in your script objMessage.HTMLBody = "<h1>This is some sample message html.</h1>" 'The line below shows how to send a webpage from a remote site
'objMessage.CreateMHTMLBody "http://www.paulsadowski.com/wsh/" 'The line below shows how to send a webpage from a file on your machine 'objMessage.CreateMHTMLBody "file://c|/temp/test.htm" objMessage.Bcc = "[email protected]" objMessage.Cc = "[email protected]" objMessage.Send
Sending a text email with an attached file. By repeating the .AddAttachment method you can attach more than one file. When attaching files keep in mind that your recipient may be limited in their ability to receive files above a certain size. Many ISPs limit emails to 8 or 10MB each. You should not send large files to anyone before obtaining their permission.
Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" objMessage.TextBody = "This is some sample message text." objMessage.AddAttachment "c:\temp\readme.txt" objMessage.Send
SENDING MESSAGE USING REMOTE SMTP Sending a text email using a remote server. Sometimes you need to send email using another server. It may be required by your company, or your ISP may be blocking the SMTP port, or your dynamic IP may be blacklisted for being in a dynamic pool.
This code shows you how to use a remotes server rather than the SMTP server on your own machine.
Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" objMessage.TextBody = "This is some sample message text."
'==This section provides the configuration information for the remote SMTP server. '==Normally you will only change the server name or IP. objMessage.Configuration.Fields.Item _ ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
'Name or IP of Remote SMTP Server objMessage.Configuration.Fields.Item _ ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.myserver.com"
'Server port (typically 25) objMessage.Configuration.Fields.Item _ ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
'==End remote SMTP server configuration section==
objMessage.Send
Tutorial: Banner Grabbing is considered a very important part of penetration tests. Why? Because it gives us an information about the daemon that is running and accepting our connection and whether it is patched or not. Sometimes, it also gives off information such as the time it was compiled, if it is a beta version or not. With that information, you can move ahead and try to exploit the daemon. Ofcourse, this information can be changed, to something it is not! But, the fact remains that most system administrators are only interested in the daemon working good and they are least concerned with the version information. All they want is a 100% system uptime. So, most of them do not change it and let it be the system default. The question now remains, how do you grab a banner. Simple! Telnet to the port and see the output. Easy. We have included a small list of well known ports under port number 1024, that you can use and grab a banner. 21 FTP (File Transfer Protocol) 22 SSH (Secure Shell) 23 Telnet 25 SMTP (Send Mail Transfer Protocol) 43 whois 53 DNS (Domain Name Service) 68 DHCP (Dynamic Host Control Protocol) 79 Finger 80 HTTP (HyperText Transfer Protocol) 110 POP3 (Post Office Protocol, version 3) 115 SFTP (Secure File Transfer Protocol) 119 NNTP (Network New Transfer Protocol) 123 NTP (Network Time Protocol) 137 NetBIOS-ns 138 NetBIOS-dgm 139 NetBIOS 143 IMAP (Internet Message Access Protocol) 161 SNMP (Simple Network Management Protocol) 194 IRC (Internet Relay Chat) 220 IMAP3 (Internet Message Access Protocol 3) 389 LDAP (Lightweight Directory Access Protocol) 443 SSL (Secure Socket Layer) 445 SMB (NetBIOS over TCP) 666 Doom
993 SIMAP (Secure Internet Message Access Protocol) 995 SPOP (Secure Post Office Protocol) For example, you want to grab a banner for an SMTP service (port 25). All you do is,
telnet mailserver 25 EHLO/HELO
SMTP Banner grab So, you can clearly see that it is a ESMTP server. After further prodding, you can find that it is an EXIM server. You can move ahead now and focus only on EXIM ESMTP server based exploits, etc.
Example 8-1. Fingerprinting FTP services through issuing commands # ftp 192.168.0.250 Connected to 192.168.0.250 (192.168.0.250). 220 ftp.trustmatta.com FTP server ready. Name (ftp.trustmatta.com:root): ftp 331 Guest login ok, send your complete e-mail address as password. Password: [email protected] 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files.
Banner Grabbing
Telnet in Vista and Windows 7 First you need to install Telnet In Control Panel, Programs and Features, Turn Windows Features on or off, check Telnet Client Banner Grabbing Connecting to remote applications and observing the output Simple way, at a command prompt • telnet www.ccsf.edu 80 On the next blank screen type in • GET / HTTP/1.1 • Press Enter twice Making Characters Visible In Windows XP and Vista, you can't see what you type in the Telnet session. To fix that, do this: At a command prompt, type telnet hills.ccsf.edu 80 Press Enter. Press Ctrl+]. Then type set localecho Press Enter twice • Link Ch 3z11 Example Banners www.ccsf.edu tells you too much cnn.com is better
Netcat Banner Grabs Get Netcat for Windows at link Ch 3d
Banner-Grabbing Countermeasures Turn off unnecessary services Disable the presentation the vendor and version in banners Audit yourself regularly with port scans and raw netcat connects to active ports
ENUMERATION TOIPC
NTP (NETWORK TIME PROTOCOL)
What is NTP? NTP stands for Network Time Protocol, and it is an Internet protocol used to synchronize the clocks of computers to sometime reference. NTP is an Internet standard protocol originally developed by Professor David L. Mills at the University of Delaware. What is SNTP? SNTP (Simple Network Time Protocol) is basically also NTP, but lacks some internal algorithms that are not needed for all types of servers. See Q: 9.4. for more and detailed information. As a full implementation of the NTP protocol seemed too complicated for many systems, a simplified version of the protocol, namely SNTP had been defined.
Why should Time be synchronized? Time usually just advances. If you have communicating programs running on different computers, time still should even advance if you switch from one computer to another. Obviously if one system is ahead of the others, the others are behind that particular one. From the perspective of an external observer, switching between these systems would cause time to jump forward and back, a nondesirable effect. As a consequence, isolated networks may run their own wrong time, but as soon as you connect to the Internet, effects will be visible. Just imagine some EMail message arrived five minutes before it was sent, and there even was a reply two minutes before the message was sent. Even on a single computer some applications have trouble when the time jumps backwards. For example, database systems using transactions and crash recovery like to know the time of the last good state. Therefore, air traffic control was one of the first applications for NTP. What are the basic features of NTP? There exist several protocols to synchronize computer clocks, each having distinguished features. Here is a list of NTP's features: NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time,
but will make them agree upon the true time as defined by some standard.)NTP uses UTC as reference time*
* (What is UTC?) Coordinated Universal Time is a time standard based on International Atomic Time (TAI) with leap seconds added at irregular intervals to compensate for the Earth's slowing rotation. Leap seconds are used to allow UTC to closely track UT1, which is mean solar time at the Royal Observatory, Greenwich NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronize to. Multiple candidates can be combined to minimize the accumulated error. Temporarily or permanently insane time sources will be detected and avoided.
NTP is highly scalable: A synchronization network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectional or unidirectional. Propagating time from one node to other forms a hierarchical graph with reference clocks at the top.
Having available several time sources, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds). (The popular protocol used by rdate and defined in [RFC 868] only uses a resolution of one second). Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error.For formal reasons NTP will also maintain estimates for the accuracy of the local time.
Which Operating Systems are supported? The implementation described in Which Implementations are available for UNIX? works for most popular UNIX operating systems. Among those are: AIX, FreeBSD, HP-UX, Irix, Linux, NetBSD, SCO UNIX, OpenBSD, OSF/1, Solaris, System V.4.
According to a message in news://comp.protocols.time.ntp there's also a supported implementation for VMS: "UCX (the VMS TCP stack) has a full implementation of NTP built-in. As of v5 it's pretty much vanilla NTP, prior to that the command syntax and
control file formats were proprietary. Check the manuals." See Q: 4.3.4.1. for more details. In addition there are efforts to make it run on Windows/NT (see Q: 8.3.11.2.3.). Currently there are problems with time resolution, reference clock drivers, authentication and name resolution.
How many NTP servers are available in the Internet?
According to A Survey of the NTP Network there were at least 175,000 hosts running NTP in the Internet. Among these there were over 300 valid stratum-1 servers. In addition there were over 20,000 servers at stratum 2, and over 80,000 servers at stratum 3.
Which version of NTP should I use?
Unfortunately the answer to this question is not quite easy: Currently there are version three and version four implementations of NTP available. The latest software release being worked on is NTPv4, but the official Internet standard is still NTPv3. In addition, some vendors of operating systems customize and deliver their own versions. If you rely on support, you should also consider that.
If you are worried with compatibility issues, older version clients can generally talk to newer version servers automagically (as newer servers know how to answer the queries, hopefully), but the other direction requires manual interference (See html/confopt.htm about the version keyword).
NTPv4 introduces some new features that you may find desirable (See Q: 4.1.9.). For example, if you use dial-up connections, version four can increase its polling interval above one day if the clock is stable enough. In addition the new algorithms can deal with high delay variations a bit better than the LAN-oriented version three. On the other hand, NTPv4 uses floating point operations where NTPv3 used integer arithmetic. This should not be a problem for current hardware, but might be an issue for older systems without a floating point unit.
There is also a security issue with all versions probably older than 4.0.99k23 that may allow denial of service or even unauthorized system access. Still vendors supplying older versions may have fixed their particular version.
See also Section 6.4
What's the difference between xntp and ntp?
Obviously the difference is an x, and its meaning some years ago was (according to Professor David L. Mills):
Dennis Fergusson intended the "x" as "experimental". I got maybe twenty messages over the years suggesting the x was not appropriate for code in use over a decade and I dropped it for NTPv4. See the paper on NTP history at http://www.eecis.udel.edu/~mills/papers.htm.
In practice xntp refers to an implementation of version three or older while ntp refers to implementation of version four (or later).
What's new in Version 4? According to the NTP Version 4 Release Notes found in release.htm, the new features of version four (as compared to version three) are: Use of floating-point arithmetic instead of fixed-point arithmetic. Redesigned clock discipline algorithm that improves accuracy, handling of network jitter, and polling intervals. Support for the nanokernel kernel implementation that provides nanosecond precision as well as improved algorithms. Public-Key cryptography known as autokey that avoids having common secret keys. Automatic server discovery (manycast mode) Fast synchronization at startup and after network failures (burst mode)
New and revised drivers for reference clocks Support for new platforms and operating systems Where is NTP specified? The official specification of NTP version 3 is [RFC 1305]. Specifically, there is no specification for version 4 yet. Despite of some arguments to update the specification, there won't be one in the near future. There was a recent discussion on the subject. Hans P. Reiser wrote: Several slides and papers on NTP illustrate the NTP Interval Intersection Algorithm with an example of 4 peers, A to D, showing two confidence intervals labeled "Correct DTS" and "Correct NTP". (Also shown in Appendix of RFC-1305, Fig. 16). While it is easy to understand the DTS case, I have some problems matching the shown NTP interval with the specified algorithms. According to the algorithm as specified, e.g., in RFC-1305: f=0 (no falsetickers) will fail, so f=1 scan for low endpoint will yield left end of interval C (condition i>=3 holds), by that time c=1 (incremented at midpoint of D) scan for high endpoint starts with c=1, f=1, i=0 condition i>=3 holds as soon as the right end of interval B is reached, by that time c=2 (incremented at midpoint of C)
Now, c>f, so no success yet. Increment f to value 2
Some documents now say "declare failure if f>=m/2", which is the case now. Even if you make another pass with f=2, you will get an interval from left end of A to right end of A, thus again different from what ss shown in RFC's Fig 16.
Do I get something really wrong here (and I really tried hard to locate any flaw in my argument), or is there really a error in the RFC example and all other places which use this example?
The answer written by Professor David L. Mills reads:
(...) What's more, you exposed a significant error in both the documentation and the implementation.
See slide 15 from the architecture and protocol briefing on the NTP project page linked from www.ntp.org. The statements preceeding the algorithm are correct; that is the intent of its design according to the set of formal correctness assertions worked out with the computer science theory community. Unfortunately, in my haste to bottle the algorithm in quick and easy gulps, something got lost in the description. The actual algorithm is constructed differently, but accomplishes the same thing. Pseudo code for the correctness model is in rfc1305 but (sigh) there is a leetle buggie in that description.
Just to be honest I rechecked the actual NTPv4 code and found a nasty surprise. The code is broken and does not exactly implement the formal model. Under some conditions it allows a falseticker to masquerade as a truechimer. Not to panic; the masquerade is subtle and will not result in significant error. However, I don't know how this happened; the core code is 14 years old, may have been noodled (but not by me) and hasn't been carefully reviewed since.
I repaired the code as per rfc1305 and bugfix and verified it does what the formal model intended. The repair is in the development version here and should be in the repository when other known bugs are fixed. Meanwhile, I fixed the description in the briefing; it should be on the project page in the morning.
The clock selection algorithm is at the very heart of the NTP design. While a formal description of its operation is now in the briefing, an informal description may be of interest to folks in this group. I know there are many skeptics who complain when the algorithm does something they don't like, rather than what the correctness assertions require.
If a candidate presented to the algorithm is reliably synchronized to UTC, its time offset value seen from afar cannot exceed an error bound equal to plus-minus half the roundtrip propagation delay to that candidate plus a little wiggle due to statistical variations (jitter). Once the offset value has been determined, the error bound increases at a fixed rate due to the maximum credible frequency error of the clock oscillator. The error bound, called the root synchronization distance, is
continuously calculated by ntpd. The correctness interval is defined as twice this bound with midpoint equal to the offset value.
Now consider a number of correctness intervals aligned along the time axis at their respective offset values. Obviously, those points where the intervals all overlap form a clique representing the correct UTC time. If some interval does not overlap the others, there must be more than one clique, but only one clique can contain the correct time. If there is a clique containing more than half the number of intervals, its members must all be truechimers and the other cliques must contain only falsetickers. If there is no clique containing more than half the intervals, a correct time cannot be determined and the Byzantines lose the war.
Consider the common case of two intervals that do not overlap due to a systematic error. According to principle, one of the two must not be synchronized to UTC, but there is no way for the selection algorithm to know which one. So, by the above, a correct time cannot be determined. In prinicple, you could choose one based on other characteristics, like the size of the interval, but this would seriously complicate the algorithm and probably cause the theory community to disown me.
While the corrected code is strict to principle, it may be too strict for some who don't care that much about correctness principles. There may be a need for a tinker switch with appropriate warning disclaimers.
NTP ENUMERATION
Network Time Protocol Enumeration NTP is a protocol designed to synchronise clocks of networked computers. From a Vulnerability Analysis/ Penetration testing aspect, the data available when querying the ntp server can prove quite valuable and is usually available without any formal authentication being required. The following commands can be used against an NTP server:
•
ntpdate
• • •
ntptrace ntpdc ntpq
Ntpdate - ntpdate can collect a number of time samples from a number of time sources (i.e., multiple NTP servers)
ntpdate [-bBdoqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [server/IP_address] # ntpdate 192.168.0.1 27 Dec 11:50:49 ntpdate[627]: adjust time server 192.168.0.1 offset -0.005030 sec
Options
-a key Enable the authentication function/specify the key identifier to be used for authentication. -B Force the time to always be slewed. -b Force the time to be stepped. -d Enable debugging mode. -e authdelay Specify the processing delay. -k keyfile Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp.keys. -o version Specify NTP version for outgoing packets as the integer version, can be 1 or 2. Default is 3. -p samples Specify # of samples to be acquired from each server, with values from 1-8. Default is 4. -q Query only - don't set the clock. -s Divert logging output from the standard output (default) to the system syslog facility. -t timeout Specify the maximum time waiting for a server response. Default is 1 second. -u Use an unprivileged port or outgoing packets. -v Be verbose.
Ntptrace - ntptrace determines where a NTP server gets its time from, and follows the chain of NTP servers back to its primary i.e. master, time source. If you supply no argument ntptrace will start with the localhost, if a server is specified, the localhost will appear last.
ntptrace [-vdn] [-r retries ] [-t timeout] [servername/IP_address] # ntptrace localhost: stratum 4, offset 0.0019529, synch distance 0.143235 192.168.0.1: stratum 2, offset 0.0114273, synch distance 0.115554 192.168.1.1: stratum 1, offset 0.0017698, synch distance 0.011193 Options -d Display debugging output. -n Does not print host names only IP addresses are shown. May be useful if a nameserver is down. -r retries Sets the number of retransmission attempts for each host (default = 5). -t timeout Sets the retransmission timeout (in seconds) (default = 2). -v Prints verbose information about the NTP servers.
Ntpdc - ntpdc is used to query the ntpd daemon about its current state and to request changes in that state. The program may be run either in interactive mode or controlled using command line arguments.
ntpdc [-ilnps] [-c command] [hostname/IP_address]
root@attacker]# ntpdc -c sysinfo 192.168.0.1 ***Warning changing to older implementation ***Warning changing the request packet size from 160 to 48 system peer: 192.168.1.100 system peer mode: client leap indicator: 00 stratum: 5 precision: -15 root distance: 0.00107 s
root dispersion: 0.02306 s reference ID: [192.168.1.100] reference time: f66s4f45.f633e130 Wed, Jun 28 2006 11:06:11.631 system flags: monitor ntp stats calibrate jitter: 0.000000 s stability: 4.256 ppm broadcastdelay: 0.003875 s authdelay: 0.000107 s root@attacker]# ntpdc -c monlist 192.168.0.1 ***Warning changing to older implementation ***Warning changing the request packet size from 160 to 48 remote address port local address count m ver code avgint lstint ======================================================================= 192.168.0.222 32786 192.168.0.1 572 00 188 192.168.1.100 123 192.168.0.1 4299 3 2 0 22 1022110 192.168.2.133 32766 192.168.0.1 10 4 2 0 559 1110 192.168.2.133 123 192.168.0.1 636 0 1101 1502 attacker 32812 127.0.0.1 153 0 1022142 1022142 Options
-c command Following argument interpreted as an interactive format command. Multiple -c options may be
given.
-i -l -n -p -s
Force ntpdc to operate in interactive mode. Obtain a list of peers which are known to the server(s). This switch is equivalent to -c listpeers Output all host addresses in dotted-quad numeric format rather than host names. Print a list of the peers as well as a summary of their state. This is equivalent to -c peers. Print a list of the peers as well as a summary of their state. This is equivalent to -c dmpeers.
Available commands (abridged):
listpeers Obtains and prints a brief list of the peers. peers Obtains a list of peers for which the server is maintaining state. sysinfo Print a variety of system state variables. reslist Obtain and print the server's restriction list. monlist [version] Obtain and print traffic counts collected and maintained by the monitor facility.
Ntpq -ntpq is used to monitor NTP daemon ntpd operations and determine performance. ntpq [-inp] [-c command] [host/IP_address] root@attacker]# ntpq 192.168.01 ntpq> lpeers remote refid st t when poll reach delay offset jitter *192.168.1.100 LOCAL(0) 4 u 18 58 344 0.655 -0.039 0.029 ntpq> version ntpq [email protected] Mon May 07 14:14:14 EDT 2006 (1) ntpq> host current host is 192.168.0.1 ntpq> readlist assID=0 status=0674 leap_none, sync_ntp, 7 events, event_peer/strat_chg, system="SunOS", leap=00, stratum=5, rootdelay=0.655, rootdispersion=20.080, peer=40852, refid=192.168.1.100, reftime=c66b4f07.d732d455 Sat, Jul 01 2006 17:28:11.773, poll=6, clock=0xc66b4f3b.595ed455, phase=-0.040, freq=80337.65, error=0.01 Options
-c -d -i -n -p
Following argument is interpreted as an interactive format command. Multiple -c options may be given. Debugging mode. Force ntpq to operate in interactive mode. Output all host addresses in dotted-quad numeric format rather than host names. Print a list of the peers as well as a summary of their state. Available Commands (abridged):
lpeers A summary of all associations for which the server is maintaining state is printed. peers Obtains a current list peers of the server, along with a summary of each peer's state. lpassociations Print data for all associations version Everything you need to know about the software version and generation time. system The operating system version and release identifier. hostname The name of the host
As you can see, this is an awful lot of information that you can get from a target machine running ntp with no restrictions applied to it. Restrictive Policies: The restrict option in /etc/ntp.conf allows you to control which machines can access your server. If you want to deny all machines from accessing your NTP server, add the following line to /etc/ntp.conf:
restrict default ignore
If you only want to allow machines within your own network to synchronize their clocks with your server, but ensure they are not allowed to configure the server or used as peers to synchronize against, add
restrict 192.168.0.1 mask 255.255.255.0 nomodify notrap instead, where 192.168.0.1 is a local IP address with a netmask of 255.255.255.0
SMTP Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (email) transmission across Internet Protocol (IP) networks. While electronic mail servers and other mail transfer agents use SMTP to send and receive mail messages, user-level client mail applications typically only use SMTP for sending messages to a mail server for relaying. For receiving messages, client
applications usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP) to access their mail box accounts on a mail server. Mail processing model The overall flow for message creation, mail transport and delivery may be illustrated as follows:
sending MUA → MSA → sending MTA → receiving MTA → MDA → Mailstore for retrieval by MUA E-mail is submitted from an message user agent (MUA), the user's email client, to a mail server (MSA), usually using SMTP. From there, the MSA delivers the mail to an MTA, often running on the same machine. These functions may not be distinguished, or merged into one program, and a message may be directly submitted to an MTA: port 587 is used for submission to MSAs (thence to MTAs), while port 25 is used for transferring to MTAs.
The MTA looks up the destination mail exchanger records in the DNS, and relays the mail to the server on record via TCP port 25 and SMTP. Once the receiving MTA accepts the incoming message, it is delivered via a mail delivery agent (MDA) to a server which is designated for local mail delivery. The MDA either delivers the mail directly to storage, or forwards it over a network using either SMTP or the Local Mail Transfer Protocol (LMTP), a derivative of ESMTP designed for this purpose. Once delivered to the local mail server, the mail is stored for batch retrieval by authenticated mail clients (MUAs). Mail is retrieved by end-user applications, the email clients, using IMAP, a protocol that both facilitates access to mail and manages stored mail, or the Post Office Protocol (POP) which typically uses the traditional mbox mail file format. Webmail clients may use either method, but the retrieval protocol is often not a formal standard. Some local mail servers and MUAs are capable of either push or pull mail retrieval.
SMTP defines message transport, not the message content. Thus, it defines the mail envelope and its parameters, such as the envelope sender, but not the header or the body of the message itself. STD 10 and RFC 5321 define SMTP (the envelope), while STD 11 and RFC 5322 define the message (header and body), formally referred to as the Internet Message Format
Enumerating SMTP, TCP 25
SMTP can be enumerated with Telnet, using these commands • VRFY confirms names of valid users • EXPN reveals the actual delivery addresses of aliases and mailing lists Antivirus Note McAfee antivirus blocks telnets to port 25 "Prevent mass mailing worms from sending mail" SMTP Enumeration Countermeasures Disable the EXPN and VRFY commands, or restrict them to authenticated users Sendmail and Exchange both allow that in modern versions
This sample sends a simple text email that can be viewed in any email client. Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" objMessage.TextBody = "This is some sample message text." objMessage.Send
Sending an HTML email. Note the use of the Cc & Bcc properties to send using Blind Carbon Copy (Bcc) and Carbon Copy (Cc). These properties can be used with either text or HTML email. Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" 'The line below shows how to send using HTML included directly in your script objMessage.HTMLBody = "<h1>This is some sample message html.</h1>" 'The line below shows how to send a webpage from a remote site
'objMessage.CreateMHTMLBody "http://www.paulsadowski.com/wsh/" 'The line below shows how to send a webpage from a file on your machine 'objMessage.CreateMHTMLBody "file://c|/temp/test.htm" objMessage.Bcc = "[email protected]" objMessage.Cc = "[email protected]" objMessage.Send
Sending a text email with an attached file. By repeating the .AddAttachment method you can attach more than one file. When attaching files keep in mind that your recipient may be limited in their ability to receive files above a certain size. Many ISPs limit emails to 8 or 10MB each. You should not send large files to anyone before obtaining their permission.
Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" objMessage.TextBody = "This is some sample message text." objMessage.AddAttachment "c:\temp\readme.txt" objMessage.Send
SENDING MESSAGE USING REMOTE SMTP Sending a text email using a remote server. Sometimes you need to send email using another server. It may be required by your company, or your ISP may be blocking the SMTP port, or your dynamic IP may be blacklisted for being in a dynamic pool.
This code shows you how to use a remotes server rather than the SMTP server on your own machine.
Set objMessage = CreateObject("CDO.Message") objMessage.Subject = "Example CDO Message" objMessage.From = "[email protected]" objMessage.To = "[email protected]" objMessage.TextBody = "This is some sample message text."
'==This section provides the configuration information for the remote SMTP server. '==Normally you will only change the server name or IP. objMessage.Configuration.Fields.Item _ ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
'Name or IP of Remote SMTP Server objMessage.Configuration.Fields.Item _ ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.myserver.com"
'Server port (typically 25) objMessage.Configuration.Fields.Item _ ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update
'==End remote SMTP server configuration section==
objMessage.Send
