wxp SP2 host responds to "nmblookup HOST" but not "nmblookup *"
Christopher R. Hertel
crh at ubiqx.mn.org
Wed Dec 29 01:16:37 GMT 2004
On Wed, Dec 29, 2004 at 10:14:12AM +1100, Andrew Bartlett wrote:
> On Tue, 2004-12-28 at 14:33 -0800, David Wuertele wrote:
>
> > I didn't realize the messenger service was handling this. Or is it
> > that some security logic is only turning on the "respond to wildcard"
> > feature if it sees that the messenger service is running?
> >
> > Dave
>
> I'm pretty sure that's what happened. Remember, SP2 was a compromise
> between better security (which would mean not listening at all) and not
> breaking applications people used. While we may all find it
> frustrating, I'm sure winpopup is actually used in some organisations
> even in its (frustrating) broadcast mode.

No, Winpopup is not in broadcast mode. The names are all unique names and
the protocol is something like a mailslot protocol (though it isn't... I
have some docs and some captures...).

The problem Dave has identified is that XP-SP2 won't respond when it
receives a broadcast *name query* for the wildcard name. The name query
doesn't happen at the service level, but inside the NBT Name Service
level. No service registers the wildcard name. No service listens to the
wildcard name.

I would imagine that Windows would handle this query within the NBT layer.
It shouldn't have anything to do with some arbitrary service running or
not running.

> I'm pretty sure that some of the worms out there probably used the
> wildcard to aid in finding hosts to infect. (Now they will just
> individually scan, but what can you do...)

Yes, that's probably true.

Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
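
Added example, not part of the original message or of Samba's code: a decoder for the NBT name query discussed above that flags whether a captured request targets the wildcard name, which is the distinction a capture filter or detection rule would key on. The field layout follows RFC 1002; the function names are hypothetical and the sample packets are constructed.

```python
import struct

# RFC 1002 wildcard name: '*' followed by 15 NUL bytes (not space-padded).
WILDCARD = b"*" + b"\x00" * 15

def pad_name(name, suffix=0x00):
    """Ordinary NetBIOS name: upper-cased, space-padded to 15 bytes + suffix."""
    return name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])

def encode_name(raw16):
    """First-level encoding: each nibble of each byte is added to 'A'."""
    return bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))

def build_query(trn_id, raw16, broadcast=True):
    """Name query request (opcode 0, QTYPE NB, QCLASS IN), empty scope."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # RD, plus B if broadcast
    header = struct.pack(">6H", trn_id, flags, 1, 0, 0, 0)
    return header + b"\x20" + encode_name(raw16) + b"\x00" + struct.pack(">2H", 0x20, 1)

def parse_query(pkt):
    """Decode a name query request; raise ValueError on anything else."""
    if len(pkt) < 50:
        raise ValueError("truncated packet")
    trn_id, flags, qdcount = struct.unpack(">3H", pkt[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        raise ValueError("not a name query request")
    enc = pkt[13:45]
    if pkt[12] != 0x20 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("bad first-level encoding")
    raw = bytes((enc[i] - 0x41) << 4 | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    pos = 45
    while pos < len(pkt) and pkt[pos]:              # skip scope labels, if any
        pos += 1 + pkt[pos]
    if pos + 5 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack(">2H", pkt[pos + 1:pos + 5])
    return {
        "trn_id": trn_id,
        "broadcast": bool(flags & 0x0010),
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": qtype,
        "wildcard": raw == WILDCARD,
    }

if __name__ == "__main__":
    for raw in (WILDCARD, pad_name("host")):        # constructed sample queries
        print(parse_query(build_query(0x1234, raw)))
```

The wildcard name is padded with NULs rather than spaces, so it encodes as `CK` followed by thirty `A`s and cannot collide with any name a service registers.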