net rpc shutdown - how to poweroff

Willi Mann newsletters at wm1.at
Tue Dec 31 11:06:00 GMT 2002


How do I disable NTLMSSP in Windows 2000?

Thank you
Willi


Simo Sorce wrote:

>Thank you Willi,
>unfortunately the trace is encapsulated in an ntlmssp encrypted session
>so I cannot see anything.
>Can you kindly disable ntlmssp and redo the sniff from beginning?
>feel free to send the sniff only to me if you fear information
>disclosure.
>
>Simo.
>
>On Tue, 2002-12-31 at 00:38, Willi Mann wrote:
>
>>Hi Simo!
>>
>>I've put the sniff and the script which produced the shutdown on my 
>>homepage:
>>
>>http://www.wm1.at/samba/wmisniff.bin
>>http://www.wm1.at/samba/RemoteShutdown.vbs
>>
>>w2k Professional german (192.168.0.1, P4) has the sniffer and asks a w2k 
>>server german (192.168.0.254, WILLI) to do the shutdown. It only works 
>>if you have the same passwords on both of the two machines. Don't ask me 
>>about the sense of the for--next loop.
>>
>>Willi
>>
>>Simo Sorce wrote:
>>
>>>On Mon, 2002-12-30 at 01:06, Willi Mann wrote:
>>>
>>>>Hi Andrew!
>>>>
>>>>The existing net rpc shutdown function doesn't seem to be able to do a 
>>>>power off. It seems to be an implementation of the 
>>>>initiateSystemShutdown API-call, which is used in many freeware 
>>>>closed-source shutdown applications. I've played around with the flags 
>>>>in the current Samba-implementation with the following result:
>>>>If one of the first 8 bits is set to 1 the machine reboots.
>>>>The second 8 bits mark the forced shutdown but I haven't verified that 
>>>>it makes a difference to non-forced shutdowns.
>>>
>>>the 16bit flags we show in the source are really 2 booleans in the form
>>>of two bytes imho, I'm modifying the code in samba to behave this way.
>>>
>>>I made some tests and I think you are right, the rpc shutdown function is
>>>equivalent to InitiateSystemShutdownEx call on windows, so no power off
>>>possible, only the 2 booleans: force shutdown and reboot on shutdown.
>>>
>>>
>>>>There is a way for a working remote power off. The WMI-framework 
>>>>provides a function called win32shutdown. This function is also used by 
>>>>the Management Console-Shutdown. It offers nearly all flags which are 
>>>>available in the ExitWindowsEx-function. It is completely different to 
>>>>the net rpc shutdown. I've modified a VBscript-example provided in the 
>>>>WMI-SDK to get the shortest possible shutdown-session and sniffed it. 
>>>>There are about 100 packets on the wire (incl. authentication, SYNs, 
>>>>RSTs, etc.) I'll try to work out more about that in the next few days.
>>>
>>>If you can send me the trace (in a format readable by ethereal) I'm
>>>interested at looking into it and see how it is done.
>>>
>>>Simo.
>>>

More information about the samba-technical mailing list