onHacks

Yes, not really security related again. I think Mdutil is very useful and powerful, but there is too limited resources discussing use of it, so I want to talk a little bit more about my experience of using it. I am still working with IIS SMTP this time, because I have many test cases need to interact with SMTP server, and IIS SMTP is the “simplest” server that suit our requirement. Unfortunately, IIS virtual SMTP server is too simple that you cannot find a way to configure the advanced features in the given UI. (You can download IIS Resources Toolkit (eg. IIS6) to gain access to these configurations). This time, my task is to add some routing domains (around 30) to the virtual SMTP server. If you tried to add routing domains to virtual SMTP server through IIS Manager, you will know how painful it is if you need to add many routing domains at the same time. So we have Mdutil to modify the metabase keys, a list of routing domains that we need to add, and I am planning to write some code to generate scripts (more accurate, a list of Mdutil commands) to add these domains.

First of all, we need to know how the structure of domains stored in metabase before designing the scripts to add a routing domain. Let’s manually add a routing domain (eg. log0.onhacks.org) to the server through IIS Manager. After that, run the command to see what happened in the Domain path. Remeber the command?

mdutil enum -path:smtpsvc/<n>/Domain

Then you will see output similar to the following:

KeyType : [S] <String> “IIsSmtpDomain”
[smtpsvc/<n>/Domain/log0.onhacks.org]

Which means when adding a new routing domain, the SMTP server will create a child under Domain. Is this child contain no data? Obviously not! Because there are two types of routing domain that we can create in IIS SMTP server, Local (ie. Alias) and Remote. So, at least, there is a data stored in this child. By running the following command,

mdutil enum -path:smtpsvc/<n>/Domain/log0.onhacks.org

Since I added this domain with Alias type. You will get the result as following:

KeyType : [S] <String> “IIsSmtpDomain”
36946 : [IS] <DWORD> 0×10 = {16}

It matchs what we expect and no extra value need to be added in this branch. By the observation, we should have at least 3 mdutil commands to add a new branch under smtpsvc/<n>/Domain. We should first take a look on the operations provided by mdutil. Type in mdutil without arguments, you should see the help of mdutil. Following is the highlight of commands that may be useful for our task.

mdutil SET      path value …   – assign the new value
mdutil CREATE   path             – create given path

After a little experiment, I discover that CREATE operation is used to create a new branch, and by using SET, we can add a new variable in the node. So the steps to import a routing domain is as follow (eg. Import dotHac.onhacks.org).

Create a branch:

mdutil CREATE -path:smtpsvc/<n>/Domain/dotHac.onhacks.org

Add a variable KeyType to the branch:

mdutil SET -path:smtpsvc/<n>/Domain/dotHac.onhacks.org -prop:KeyType -utype:UT_SERVER -dtype:STRING -value:”IIsSmtpDomain”

Add a variable for the routing action (value: 16 = local domain, 2 = remote domain):

mdutil SET -path:smtpsvc/<n>/Domain/dotHac.onhacks.org -prop:36946 -utype:UT_SERVER -dtype:DWORD -value:16

When you open IIS manager, you will see the domain has been imported. Pretty cool, isn’t it? The next step is to generate a list of mdutil commands for batch import. My approach is to read list of the domains and its routing action into a program and the program will generate mdutil commands for each them. Here is an example in Python version.

Enjoy! Happy New Year!

ps. Is anyone know if we can use mdutil to access properties of DNS server? I would like to switch on/off the DNS referral feature in Windows DNS server.