net rpc shutdown - how to poweroff

Simo Sorce simo.sorce at xsec.it
Mon Dec 30 23:51:01 GMT 2002


Thank you Willi,
unfortunately the trace is encapsulated in an NTLMSSP-encrypted session,
so I cannot see anything.
Can you kindly disable NTLMSSP and redo the sniff from the beginning?
Feel free to send the sniff only to me if you fear information
disclosure.

Simo.

On Tue, 2002-12-31 at 00:38, Willi Mann wrote:
> Hi Simo!
> 
> I've put the sniff and the script which produced the shutdown on my 
> homepage:
> 
> http://www.wm1.at/samba/wmisniff.bin
> http://www.wm1.at/samba/RemoteShutdown.vbs
> 
> A German w2k Professional (192.168.0.1, P4) runs the sniffer and asks a German w2k 
> Server (192.168.0.254, WILLI) to do the shutdown. It only works 
> if you have the same passwords on both machines. Don't ask me 
> about the sense of the for--next loop.
> 
> Willi
> 
> 
> Simo Sorce wrote:
> 
> >On Mon, 2002-12-30 at 01:06, Willi Mann wrote:
> >  
> >
> >>Hi Andrew!
> >>
> >>The existing net rpc shutdown function doesn't seem to be able to do a 
> >>power off. It seems to be an implementation of the 
> >>InitiateSystemShutdown API call, which is used in many freeware 
> >>closed-source shutdown applications. I've played around with the flags 
> >>in the current Samba implementation with the following result:
> >>If one of the first 8 bits is set to 1, the machine reboots.
> >>The second 8 bits mark the forced shutdown, but I haven't verified that 
> >>it makes a difference compared to non-forced shutdowns.
> >>    
> >>
> >
> >The 16-bit flags we show in the source are really 2 booleans in the form
> >of two bytes IMHO; I'm modifying the code in Samba to behave this way.
> >
> >I made some tests and I think you are right: the rpc shutdown function is
> >equivalent to the InitiateSystemShutdownEx call on Windows, so no power off
> >is possible, only the 2 booleans: force shutdown and reboot on shutdown.
> >
> >  
> >
> >>There is a way to get a working remote power off. The WMI framework 
> >>provides a function called Win32Shutdown. This function is also used by 
> >>the Management Console shutdown. It offers nearly all flags which are 
> >>available in the ExitWindowsEx function. It is completely different from 
> >>the net rpc shutdown. I've modified a VBScript example provided in the 
> >>WMI SDK to get the shortest possible shutdown session and sniffed it. 
> >>There are about 100 packets on the wire (incl. authentication, SYNs, 
> >>RSTs, etc.). I'll try to work out more about that in the next few days.
> >>    
> >>
> >
> >If you can send me the trace (in a format readable by Ethereal) I'm
> >interested in looking into it and seeing how it is done.
> >
> >Simo.
> >
> >  
> >
-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
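The thread contrasts the two-boolean RPC shutdown (force, reboot) with the WMI Win32Shutdown method, whose Flags argument takes the ExitWindowsEx bit values and therefore can request a real power off. The PowerShell script below is an added example written for this page; it is not Willi's VBScript, nor Samba code, and the target address is only a placeholder taken from the thread's lab setup. It passes an explicit credential instead of relying on identical local passwords on both machines, enables the shutdown privilege in the caller's token (the call fails with Win32 error 1314, ERROR_PRIVILEGE_NOT_HELD, if the account holds SeRemoteShutdownPrivilege but it is not enabled), asks for DCOM packet-privacy authentication so the session is sealed on the wire, and supports -WhatIf so the flag value can be checked before anything is shut down.

```powershell
<#
  Added example (not from the thread): remote power-off via
  Win32_OperatingSystem.Win32Shutdown, which accepts the ExitWindowsEx
  flag values. Run as: .\Remote-PowerOff.ps1 -ComputerName <host> [-Force] [-WhatIf]
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the w2k server from the thread; replace with your target.
    [string]$ComputerName = '192.168.0.254',
    # Add EWX_FORCE so running applications cannot veto the shutdown.
    [switch]$Force
)

# ExitWindowsEx / Win32Shutdown flag bits (documented Win32 values).
$EWX_LOGOFF   = 0
$EWX_SHUTDOWN = 1   # shut down without powering off (RPC "shutdown")
$EWX_REBOOT   = 2   # the RPC "reboot" boolean maps here
$EWX_FORCE    = 4   # the RPC "force" boolean maps here
$EWX_POWEROFF = 8   # not reachable through InitiateSystemShutdownEx

$flags = $EWX_POWEROFF
if ($Force) { $flags = $flags -bor $EWX_FORCE }    # 12 = forced power off

$cred = Get-Credential -Message "Account holding SeRemoteShutdownPrivilege on $ComputerName"

if ($PSCmdlet.ShouldProcess($ComputerName, "Win32Shutdown(Flags=$flags)")) {
    # -EnableAllPrivileges lets WMI enable SeShutdownPrivilege for the call;
    # -Authentication PacketPrivacy encrypts the DCOM session so the exchange
    # is not readable by a sniffer (the same reason the NTLMSSP trace in the
    # thread was opaque).
    $os = Get-WmiObject -Class Win32_OperatingSystem `
            -ComputerName $ComputerName `
            -Credential $cred `
            -Authentication PacketPrivacy `
            -EnableAllPrivileges

    $result = $os.Win32Shutdown($flags)

    # ReturnValue is 0 on success; anything else is a Win32 error code.
    if ($result.ReturnValue -ne 0) {
        Write-Error ("Win32Shutdown on {0} failed with Win32 error {1}" -f
                     $ComputerName, $result.ReturnValue)
    } else {
        Write-Output ("Power-off requested on {0} (flags={1})" -f $ComputerName, $flags)
    }
}
```

Because the call runs over DCOM (RPC endpoint mapper on TCP/135 plus a dynamic high port), it is a different wire protocol from the named-pipe winreg call that net rpc shutdown uses, which matches Willi's observation that the two are "completely different". The caller must already hold the remote shutdown privilege on the target; the script only enables it, it cannot grant it.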