net rpc shutdown - how to poweroff
simo.sorce at xsec.it
Mon Dec 30 23:51:01 GMT 2002
Thank you Willi,
unfortunately the trace is encapsulated in an ntlmssp encrypted session
so I cannot see anything.
Can you kindly disable ntlmssp and redo the sniff from beginning?
feel free to send the sniff only to me if you fear information
On Tue, 2002-12-31 at 00:38, Willi Mann wrote:
> Hi Simo!
> I've put the sniff and the script which produced the shutdown on my
> w2k Professional german (192.168.0.1, P4) has the sniffer and asks a w2k
> server german (192.168.0.254, WILLI) to do the shutdown. It only works
> if you have the same passwords on both of the two machines. Don't ask me
> about the sense of the for--next loop.
> Simo Sorce wrote:
> >On Mon, 2002-12-30 at 01:06, Willi Mann wrote:
> >>Hi Andrew!
> >>The existing net rpc shutdown function doesn't seem to be able to do a
> >>power off. It seems to be an implementation of the
> >>initiateSystemShutdown API-call, which is used in many freeware
> >>closed-source shutdown applications. I've played around with the flags
> >>in the current Samba-implementation with the following result:
> >>If one of the first 8 bits is set to 1 the machine reboots.
> >>The second 8 bits mark the forced shutdown but I haven't verified that
> >>it makes a difference to non-forced shutdowns.
> >the 16bit flags we show in the source are really 2 booleans in the form
> >of two bytes imho, I'm modifying the code in samba to behave this way.
> >I made some tests and I think you are right the rpc shutdown function is
> >equivalent to InitiateSystemShutdownEx call on windows, so no power off
> >possible, only the 2 booleans: force shutdown and reboot on shutdown.
> >>There is a way for a working remote power off. The WMI-framework
> >>provides a function called win32shutdown. This function is also used by
> >>the Management Console-Shutdown. It offers nearly all flags which are
> >>available in the ExitWindowsEx-function. It is completely different to
> >>the net rpc shutdown. I've modified a VBscript-example provided in the
> >>WMI-SDK to get the shortest possible shutdown-session and sniffed it.
> >>There are about 100 packets on the wire (incl. authentication, SYNs,
> >>RSTs, etc.) I'll try to work out more about that in the next few days.
> >If you can send me the trace (in a format readable by ethereal) I'm
> >interested at looking into it and see how it is done.
Simo Sorce - simo.sorce at xsec.it
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399