[Snort-users] Very interesting packet

Denis Ducamp Denis.Ducamp at ...199...
Sat Jul 29 16:48:57 EDT 2000


On Sat, Jul 29, 2000 at 12:05:04PM -0700, Bill Pennington wrote:
> It is a good way to fingerprint what a box IS running. No ICMP Port
> Unreachable means the box is running SMB services. At least that is what
> by very limited testing seems to point out. I am not saying that is the
> sole purpose of the packet only that it seems to have that effect.

A lot of UDP services receiving an incorrect packet ignore it and don't reply
(otherwise it would generate a DoS, as Microsoft had some in their RPC services).

So what you are describing is how you detect whether a UDP port is open or not;
look at how nmap works. That has no relation to the content of the packet
or the type of service listening on that port.

You may try to send that packet to port 53 and you will certainly see the same
reaction (no filtering):
. no DNS server => icmp port unreachable
. DNS server => no reply.

> > > 07/20-04:16:00.101120 158.44.116.211:1025 -> 172.16.1.103:138
> > > UDP TTL:120 TOS:0x0 ID:29702
> > > Len: 520
> > > 81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43  ...D EFEMEJFEEFC
> > > 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43  ACACACACACACACAC
> > > 41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46  ACACA. CKFDENECF
> > > 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43  DEFFCFGEFFCCACAC
> > > 41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49  ACACACA.IFPROBEI
> > > 53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C  SSUCCESSFULWEWIL
> > > 4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90  LGETICMPBACK....
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
...

Found in nessus <http://www.nessus.org/>:

* rfparalyze.nasl
 desc["english"] = "
It was possible to crash the remote host
using the 'rfparalyze' denial of service attack.

 . lines 105-107:
req = raw_string(0x81, 0x00, 0x00, 0x44, 0x20) + yourname;
req = req +  raw_string(0x00, 0x20);
req = req + myname + raw_string(0x00);

 . but that is against port 139/tcp, line 109:
soc = open_sock_tcp(139);

24 other scripts build packets beginning with 0x81, 0x00, 0x00, 0x48, and
they are all against port 139/tcp:

. smb_accessible_shares.nasl
. smb_crash_winlogon.nasl
. smb_dom2sid.nasl
. smb_enum_services.nasl
. smb_enum_shares.nasl
. smb_lanman_browse_list.nasl
. smb_login.nasl
. smb_login_as_users.nasl
. smb_nt_ms00-029.nasl
. smb_nt_ms00-036.nasl
. smb_nt_ms00-047.nasl
. smb_reg_autologon.nasl
. smb_reg_hklm.nasl
. smb_reg_missing_winreg.nasl
. smb_reg_pdc.nasl
. smb_reg_run_permissions.nasl
. smb_reg_schedule.nasl
. smb_reg_service_pack.nasl
. smb_reg_sfcdisable.nasl
. smb_reg_trojan_paths.nasl
. smb_reg_winlogon_permissions.nasl
. smb_registry_access.nasl
. smb_registry_full_access.nasl
. smb_sid2user.nasl

I'm not a specialist in SMB and all that Microsoft encapsulated into it, so I
can't say more about that, but ***perhaps*** that 81 00 00 44 is a command.

The message doesn't specify which type of ICMP is expected, and perhaps
this message is irrelevant (a piece from a previous exploit).

Denis Ducamp.

-- 
Denis.Ducamp at ...199... -- Hervé Schauer Consultants -- http://www.hsc.fr/
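As an added example (not code from the original post, from Nessus, or from Snort), the Python below builds the NetBIOS session request that the quoted rfparalyze.nasl lines construct and parses the datagram quoted above, decoding the two first-level-encoded NetBIOS names as defined in RFC 1001/1002. The CAPTURED bytes are transcribed from the hex dump in the post (the first 112 of the 520 bytes; the rest was truncated in the mail); the function names and the `is_session_request` helper are this example's own.

```python
"""NetBIOS session request (RFC 1001/1002): builder and parser.

Added example, not code from the original post, Nessus or Snort.
"""
import struct

NB_SESSION_REQUEST = 0x81  # session service message type SESSION REQUEST

# Constructed input: the first 112 bytes of the 520-byte datagram, transcribed
# from the Snort hex dump quoted in the post.
CAPTURED = bytes.fromhex(
    "81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43 "
    "41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 "
    "41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46 "
    "44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43 "
    "41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49 "
    "53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C "
    "4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90 "
)


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding (RFC 1001 s.14.1): the 15-char name padded with
    spaces plus a one-byte suffix; each byte is split into two nibbles and
    each nibble is written as 'A' + nibble, giving 32 ASCII chars 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name: returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-char first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def build_session_request(called: str, calling: str,
                          called_suffix: int = 0x20,
                          calling_suffix: int = 0x20) -> bytes:
    """Same layout as the rfparalyze.nasl lines: 81 00 <len> 20 <called> 00 20
    <calling> 00. Two 34-byte name fields give a body length of 68 = 0x44."""
    body = (bytes([0x20]) + encode_netbios_name(called, called_suffix) + b"\x00"
            + bytes([0x20]) + encode_netbios_name(calling, calling_suffix) + b"\x00")
    return struct.pack(">BBH", NB_SESSION_REQUEST, 0x00, len(body)) + body


def parse_session_request(data: bytes) -> dict:
    """Parse a session request; raise ValueError on anything malformed.
    Bytes beyond the declared length are returned untouched as 'trailing'."""
    if len(data) < 4:
        raise ValueError("short NetBIOS session header")
    msg_type, flags, length = struct.unpack(">BBH", data[:4])
    if msg_type != NB_SESSION_REQUEST:
        raise ValueError(f"not a session request: type 0x{msg_type:02x}")
    body = data[4:4 + length]
    if len(body) < length:
        raise ValueError("truncated session request body")
    names, pos = [], 0
    for _ in range(2):  # called name first, then calling name (RFC 1002 s.4.3.2)
        if pos >= len(body) or body[pos] != 0x20:
            raise ValueError("expected a 32-byte name label")
        names.append(decode_netbios_name(body[pos + 1:pos + 33]))
        pos += 33
        if pos >= len(body) or body[pos] != 0x00:
            raise ValueError("missing name terminator")
        pos += 1
    (called, called_sfx), (calling, calling_sfx) = names
    return {"type": msg_type, "flags": flags, "length": length,
            "called": called, "called_suffix": called_sfx,
            "calling": calling, "calling_suffix": calling_sfx,
            "trailing": data[4 + length:]}


def is_session_request(data: bytes) -> bool:
    """Detection-style predicate: True only for a well-formed session request."""
    try:
        parse_session_request(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = parse_session_request(CAPTURED)
    print(f"type=0x{info['type']:02x} length={info['length']} "
          f"called={info['called']!r}<{info['called_suffix']:02x}> "
          f"calling={info['calling']!r}<{info['calling_suffix']:02x}>")
    print("trailing:", info["trailing"][:40])
    print("rebuilt matches capture:",
          build_session_request(info["called"], info["calling"]) == CAPTURED[:72])
```

Run on the captured bytes, the parser reports type 0x81, body length 0x44, the called name "ELITE" and the calling name "*SMBSERVER" (both with suffix 0x20), and the rebuilt request is byte-for-byte the first 72 bytes of the datagram; everything after that ("IFPROBEISSUCCESSFULWEWILLGETICMPBACK", a newline, then 0x90 bytes) is trailing data the session service would never consume. RFC 1002 defines this session service over TCP port 139, which is consistent with every Nessus script listed above opening a TCP socket to 139; the parser takes no position on why the same bytes were sent to 138/udp.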
