How do I disable NTLMSSP in Windows 2000?
Thank you
Willi
Simo Sorce wrote:
Thank you Willi,
unfortunately the trace is encapsulated in an ntlmssp encrypted session
so I cannot see anything.
Can you kindly disable ntlmssp and redo the sniff from beginning?
Feel free to send the sniff only to me if you fear information
disclosure.
Simo.
On Tue, 2002-12-31 at 00:38, Willi Mann wrote:
Hi Simo!
I've put the sniff and the script which produced the shutdown on my
homepage:
http://www.wm1.at/samba/wmisniff.bin
http://www.wm1.at/samba/RemoteShutdown.vbs
w2k Professional German (192.168.0.1, P4) has the sniffer and asks a w2k
server German (192.168.0.254, WILLI) to do the shutdown. It only works
if you have the same passwords on both of the two machines. Don't ask me
about the sense of the for--next loop.
Willi
Simo Sorce wrote:
On Mon, 2002-12-30 at 01:06, Willi Mann wrote:
Hi Andrew!
The existing net rpc shutdown function doesn't seem to be able to do a
power off. It seems to be an implementation of the
initiateSystemShutdown API-call, which is used in many freeware
closed-source shutdown applications. I've played around with the flags
in the current Samba-implementation with the following result:
If one of the first 8 bits is set to 1 the machine reboots.
The second 8 bits mark the forced shutdown but I haven't verified that
it makes a difference to non-forced shutdowns.
The 16-bit flags we show in the source are really 2 booleans in the form
of two bytes imho; I'm modifying the code in Samba to behave this way.
I made some tests and I think you are right: the rpc shutdown function is
equivalent to the InitiateSystemShutdownEx call on Windows, so no power off
is possible, only the 2 booleans: force shutdown and reboot on shutdown.
There is a way for a working remote power off. The WMI-framework
provides a function called win32shutdown. This function is also used by
the Management Console-Shutdown. It offers nearly all flags which are
available in the ExitWindowsEx-function. It is completely different to
the net rpc shutdown. I've modified a VBscript-example provided in the
WMI-SDK to get the shortest possible shutdown-session and sniffed it.
There are about 100 packets on the wire (incl. authentication, SYNs,
RSTs, etc.) I'll try to work out more about that in the next few days.
If you can send me the trace (in a format readable by Ethereal), I'm
interested in looking into it and seeing how it is done.
Simo.