[Snort-users] Very interesting packet

Bill Pennington billp at ...60...
Fri Jul 28 17:16:54 EDT 2000


I ran a few quick and dirty tests with hping2 and at first glance it
looks like a fairly good way to fingerprint boxes running SMB services.

Against a windows NT 4.0 sp6 box I get this:

[root at ...189... hping2-beta54]# ./hping2 NTbox -2 -p 138 -N 29702 -E pack -d 520
eth0 default routing interface selected (according to /proc)
HPING houston (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes

--- Ntbox hping statistic ---
59 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Against a Solaris 2.6 box not running Samba I get:

[root at ...189... hping2-beta54]# ./hping2 sunbox -2 -p 138 -N 29702 -E pack -d 520
eth0 default routing interface selected (according to /proc)
HPING apollo (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)

--- sunbox hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

A RedHat 6.1 box not running Samba:

[root at ...189... hping2-beta54]# ./hping2 RHbox -2 -p 138 -N 29702 -E pack -d 520
eth0 default routing interface selected (according to /proc)
HPING brutus (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)

--- rhbox hping statistic ---
4 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

On a RH 6.1 box running Samba:

[root at ...189... hping2-beta54]# ./hping2 sambabox -2 -p 138 -N 29702 -E pack -d 520
eth0 default routing interface selected (according to /proc)
HPING kryten (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes

--- sambabox hping statistic ---
6 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Interesting...

Lance Spitzner wrote:
> 
> Found a system in Korea sequentially scanning on all of
> my systems on port 138, UDP.  What is the purpose of this
> packet? This was reported as IDS181, but I highly doubt
> that is what the packet is for.  Any ideas?
> 
> 1.  Lots of NOOPs, but is this exploit code for NT?
> 
> 2.  Read the ASCII in the beginning of the packets.
> 
>      IF PROBE IS SUCCESSFUL WE WILL GET ICMP BACK
> 
> 3. If not exploit code, are they trying to determine what
>    systems are up?  If so, this does NOT make sense.  Windows
>    systems by default listen on port 138.  So there would
>    be no ICMP error message back.  This scan would only work
>    for Unix systems not listening on port 138.
> 
> Okay gurus, what do you think this is?
> 
> Thanks!
> 
> 07/20-04:16:00.101120 158.44.116.211:1025 -> 172.16.1.103:138
> UDP TTL:120 TOS:0x0 ID:29702
> Len: 520
> 81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43  ...D EFEMEJFEEFC
> 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43  ACACACACACACACAC
> 41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46  ACACA. CKFDENECF
> 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43  DEFFCFGEFFCCACAC
> 41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49  ACACACA.IFPROBEI
> 53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C  SSUCCESSFULWEWIL
> 4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90  LGETICMPBACK....
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
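Decoding the bytes Lance posted makes the "what is this packet for" question concrete. The script below is an added example for this thread, not code from the thread, from hping2 or from Snort. It parses the quoted payload as an RFC 1002 NetBIOS session request (the message format normally carried on TCP 139, here sent to UDP 138), first-level-decodes the two 32-character names, and reports the marker string and the length of the trailing 0x90 run, which is what an analyst writing a detection for this traffic wants to know. The hex bytes are transcribed from the dump above; the assumption that the remaining bytes up to the 512-byte payload are all 0x90 comes from the dump's remaining lines (Snort's "Len: 520" is the UDP length field, which includes the 8-byte UDP header). Function names such as parse_session_request and classify_probe are mine.

```python
"""Parse and classify the UDP/138 probe quoted in this thread (added example)."""

# Transcribed from the Snort hex dump quoted above: NetBIOS session header,
# two first-level-encoded names and the ASCII marker line. The dump continues
# with 0x90 bytes; Snort's "Len: 520" is the UDP length field, which counts the
# 8-byte UDP header, so the payload itself is 512 bytes (32 dump lines of 16).
SNORT_DUMP_PREFIX = """
81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43
41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46
44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49
53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C
4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90
"""
PAYLOAD_LEN = 512                     # 520 (UDP length field) minus 8-byte UDP header
MARKER = b"IFPROBEISSUCCESSFULWEWILLGETICMPBACK"
SESSION_REQUEST = 0x81                # RFC 1002 session service message type


def payload_from_dump(dump_prefix: str = SNORT_DUMP_PREFIX,
                      total_len: int = PAYLOAD_LEN) -> bytes:
    """Rebuild the UDP payload: transcribed bytes, padded with 0x90 to total_len
    (assumption: the dump lines not transcribed here are all 0x90)."""
    data = bytes.fromhex("".join(dump_prefix.split()))
    if len(data) > total_len:
        raise ValueError("dump prefix longer than declared payload")
    return data + b"\x90" * (total_len - len(data))


def decode_nb_name(encoded: bytes) -> tuple:
    """First-level decode (RFC 1001 section 14.1): each nibble is sent as 'A' + nibble.

    Returns (name without trailing space padding, suffix byte). The 16th byte of
    a NetBIOS name is the service suffix, not part of the name.
    """
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-byte first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]


def parse_session_request(payload: bytes) -> dict:
    """Parse the RFC 1002 session request layout: type, flags, length, two names."""
    if len(payload) < 4:
        raise ValueError("truncated NetBIOS session header")
    msg_type, flags = payload[0], payload[1]
    # Bit 0 of FLAGS is the length extension bit (17-bit length).
    length = ((flags & 0x01) << 16) | int.from_bytes(payload[2:4], "big")
    if msg_type != SESSION_REQUEST:
        raise ValueError(f"message type 0x{msg_type:02x} is not a session request")
    off = 4
    names = []
    for _ in range(2):                # CALLED NAME, then CALLING NAME
        # Each name is a 0x20 label length, 32 encoded bytes, and a 0x00 terminator.
        if payload[off] != 0x20 or payload[off + 33] != 0x00:
            raise ValueError("malformed encoded name label")
        names.append(decode_nb_name(payload[off + 1:off + 33]))
        off += 34
    return {
        "msg_type": msg_type,
        "length": length,
        "called": names[0],
        "calling": names[1],
        "trailer": payload[4 + length:],   # bytes beyond the declared length
    }


def classify_probe(payload: bytes) -> dict:
    """Detection view: is the marker text present, and how long is the 0x90 tail?"""
    info = parse_session_request(payload)
    trailer = info["trailer"]
    info["marker_present"] = MARKER in trailer
    info["nop_tail_len"] = len(trailer) - len(trailer.rstrip(b"\x90"))
    return info


def describe(payload: bytes) -> str:
    """One-line analyst summary of the parsed packet."""
    info = classify_probe(payload)
    called, called_suffix = info["called"]
    calling, calling_suffix = info["calling"]
    return (f"session request (declared len {info['length']}) "
            f"called={called!r}<{called_suffix:02x}> "
            f"calling={calling!r}<{calling_suffix:02x}> "
            f"marker={info['marker_present']} trailing_0x90={info['nop_tail_len']}")


if __name__ == "__main__":
    print(describe(payload_from_dump()))
```

Run as a script, it reports a session request whose called name decodes to ELITE and whose calling name decodes to *SMBSERVER, both with the 0x20 suffix, followed by the marker line and 403 identical 0x90 bytes with nothing after them. That is consistent with Bill's hping2 results: the packet is shaped for the session service but aimed at the datagram port, so a host with a listener on UDP 138 (NT, Samba) gives no reply, while a host with the port closed answers with ICMP port unreachable. A detection rule can key on the marker text at offset 72 of the UDP payload rather than on the 0x90 run alone.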