wxp SP2 host responds to "nmblookup HOST" but not "nmblookup *"

Christopher R. Hertel crh at ubiqx.mn.org
Wed Dec 29 02:39:46 GMT 2004 

Yep, yep, yep.  :)

WinPopup messages sent to a *group* are sent using a *completely 
different protocol* than messages to a *unique* name.

When the message is sent to a group address, it's:
-- Sent to the WORKGROUP<00> address, as we suspected.
-- Sent in an SMB Trans message, not the 0xD0 SMB or 0xD5..D7 set.
-- Since it's a datagram, there's no negprot or session setup.
-- There's no share name listed.
-- The mailslot name is \MAILSLOT\MESSNGR.
-- The whole thing requires only one packet.

Whee!  Fun, eh?  I'll have to keep track of that capture.

...but...

I still don't see how this changes anything regarding the problem Dave had 
with XP-SP2.  It still makes no logical sense to me that the Messanger 
Service would respond to any name query at all.

Easily confused...

Chris -)-----

On Wed, Dec 29, 2004 at 12:25:49PM +1100, Andrew Bartlett wrote:
> On Tue, 2004-12-28 at 19:16 -0600, Christopher R. Hertel wrote:
> > On Wed, Dec 29, 2004 at 10:14:12AM +1100, Andrew Bartlett wrote:
> > > On Tue, 2004-12-28 at 14:33 -0800, David Wuertele wrote:
> > > 
> > > > I didn't realize the messenger service was handling this.  Or is it
> > > > that some security logic is only turning on the "respond to wildcard"
> > > > feature if it sees that the messenger service is running?
> > > > 
> > > > Dave
> > > 
> > > I'm pretty sure that's what happened.  Remember, SP2 was a compromise
> > > between better security (which would mean not listening at all) and not
> > > breaking applications people used.  While we may all find it
> > > frustrating, I'm sure winpopup is actually used in some organisations
> > > even in it's (frustrating) broadcast mode.
> > 
> > No, Winpopup is not in broadcast mode.  The names are all unique names and 
> > the protocol is something like a mailslot protocol (though it isn't...  I 
> > have some docs and some captures...).
> 
> I assure you, the winpopup wars I had on my network (before I disabled
> messenger service on all my machines) were broadcast UDP packets, as
> mailslot requests.  I almost got a program written to catch them, and
> record host addresses.
> 
> I hoped they were just unicast sessions to smbd, as then my 'beartrap'
> would have caught the bastards involved....
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett <abartlet at samba.org>



-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list