[Snort-users] Very interesting packet

Lance Spitzner lance at ...185...
Sat Jul 29 23:47:13 EDT 2000


On Fri, 28 Jul 2000, Bill Pennington wrote:

> I ran a few quick and dirty tests with hping2 and at first glance it
> looks like a fairly good way to fingerprint boxes running SMB services.

Good guess!  But it looks like they are sequentially scanning systems
blindly; they scanned 7 systems of mine that do not exist.  So, if
they do not get any response, they either have a Windows box, or
no box at all.  There seem to be easier ways to get info ?!?

I like your follow through using hping2.  My tool of choice for 
packet building :)

Thoughts?


> 
> Against a windows NT 4.0 sp6 box I get this:
> 
> [root at ...189... hping2-beta54]# ./hping2 NTbox -2 -p 138 -N 29702 -E pack -d 520
> eth0 default routing interface selected (according to /proc)
> HPING houston (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> 
> --- Ntbox hping statistic ---
> 59 packets tramitted, 0 packets received, 100% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
> 
> Against a Solaris 2.6 box not running Samba I get:
> 
> [root at ...189... hping2-beta54]# ./hping2 sunbox -2 -p 138 -N 29702 -E pack -d 520
> eth0 default routing interface selected (according to /proc)
> HPING apollo (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> 
> --- sunbox hping statistic ---
> 5 packets tramitted, 0 packets received, 100% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
> 
> A RedHat 6.1 box not running Samba:
> 
> [root at ...189... hping2-beta54]# ./hping2 RHbox -2 -p 138 -N 29702 -E pack -d 520
> eth0 default routing interface selected (according to /proc)
> HPING brutus (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> 
> --- rhbox hping statistic ---
> 4 packets tramitted, 0 packets received, 100% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
> 
> On a RH 6.1 box running Samba:
> 
> [root at ...189... hping2-beta54]# ./hping2 sambabox -2 -p 138 -N 29702 -E pack -d 520
> eth0 default routing interface selected (according to /proc)
> HPING kryten (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> 
> --- sambabox hping statistic ---
> 6 packets tramitted, 0 packets received, 100% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
> 
> Interesting...
> 
> Lance Spitzner wrote:
> > 
> > Found a system in Korea sequentially scanning on all of
> > my systems on port 138, UDP.  What is the purpose of this
> > packet? This was reported as IDS181, but I highly doubt
> > that is what the packet is for.  Any ideas?
> > 
> > 1.  Lots of NOOPs, but is this exploit code for NT?
> > 
> > 2.  Read the ASCII in the beginning of the packets.
> > 
> >      IF PROBE IS SUCCESSFUL WE WILL GET ICMP BACK
> > 
> > 3. If not exploit code, are they trying to determine what
> >    systems are up?  If so, this does NOT make sense.  Windows
> >    systems by default listen on port 138.  So there would
> >    be no ICMP error message back.  This scan would only work
> >    for Unix systems not listening on port 138.
> > 
> > Okay gurus, what do you think this is?
> > 
> > Thanks!
> > 
> > 07/20-04:16:00.101120 158.44.116.211:1025 -> 172.16.1.103:138
> > UDP TTL:120 TOS:0x0 ID:29702
> > Len: 520
> > 81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43  ...D EFEMEJFEEFC
> > 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43  ACACACACACACACAC
> > 41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46  ACACA. CKFDENECF
> > 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43  DEFFCFGEFFCCACAC
> > 41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49  ACACACA.IFPROBEI
> > 53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C  SSUCCESSFULWEWIL
> > 4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90  LGETICMPBACK....
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > 
> > Lance Spitzner
> > http://www.enteract.com/~lspitz/papers.html
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> -- 
> 
> 
> Bill Pennington
> Senior IT Manager
> Rocketcash
> billp at ...60...
> http://www.rocketcash.com
> 

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
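The hex dump quoted in this thread can be decoded rather than just eyeballed. The leading bytes 81 00 00 44 and the two 34-byte name fields that follow have the layout of a NetBIOS Session Service "Session Request" (RFC 1002 section 4.3.2), and the two names are RFC 1001 "first-level encoded" (each name byte is split into two nibbles, each sent as 'A' plus the nibble). A session request belongs on TCP/139, not UDP/138, so no NetBIOS datagram listener would ever answer it; the only response a probe like this can draw is an ICMP port-unreachable from a host with nothing bound to UDP/138, which is exactly the differentiation Bill's hping2 runs show. The script below is an added analysis helper, not code from the thread, from hping2 or from Snort: it takes the first seven dump lines verbatim, reconstructs the remaining 25 all-0x90 lines as filler (an assumption, so the buffer has the same 512-byte length as the captured UDP payload), decodes the CALLED and CALLING names, and reports how much of the payload is NOP filler. All function names are mine.

```python
"""Decode the UDP/138 packet quoted in the Snort-users thread.

Added analysis example; the name decoding follows RFC 1001/1002, and the
0x90 filler at the end of the buffer is reconstructed from the dump, not
copied byte for byte.
"""

# The first seven hex-dump lines, copied from the Snort output in the thread.
# The other 25 dump lines are all 0x90 and are reconstructed below as filler
# (assumption: 25 lines x 16 bytes = 400 bytes, giving a 512-byte payload).
CAPTURED_HEAD = " ".join([
    "81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43",
    "41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43",
    "41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46",
    "44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43",
    "41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49",
    "53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C",
    "4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90",
])
PAYLOAD = bytes.fromhex(CAPTURED_HEAD) + b"\x90" * (25 * 16)


def decode_first_level(encoded: bytes) -> bytes:
    """Reverse RFC 1001 first-level encoding of a 32-byte name field.

    Returns the 16 raw name bytes: 15 name characters plus the suffix byte.
    """
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        # Every encoded byte is 'A' (0x41) + a nibble, so only 'A'..'P' are legal.
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("encoded name bytes must be in 'A'..'P'")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    return bytes(raw)


def parse_session_request(payload: bytes) -> dict:
    """Parse the session-request header and the CALLED / CALLING name fields."""
    if len(payload) < 72:
        raise ValueError("payload too short for a session request")
    msg_type, flags = payload[0], payload[1]
    declared_len = int.from_bytes(payload[2:4], "big")
    if msg_type != 0x81:
        raise ValueError(f"not a session request (type 0x{msg_type:02x})")
    names = []
    pos = 4
    for _ in range(2):
        # Each name is one DNS-style label: 0x20 length, 32 chars, 0x00 terminator.
        if payload[pos] != 0x20 or payload[pos + 33] != 0x00:
            raise ValueError(f"malformed encoded name at offset {pos}")
        names.append(decode_first_level(payload[pos + 1:pos + 33]))
        pos += 34
    called, calling = names
    return {
        "flags": flags,
        "declared_length": declared_len,
        "called_name": called[:15].decode("ascii").rstrip(" "),
        "called_suffix": called[15],
        "calling_name": calling[:15].decode("ascii").rstrip(" "),
        "calling_suffix": calling[15],
        "body_end": pos,
    }


def analyse(payload: bytes = PAYLOAD) -> dict:
    """Summarise the packet: decoded names, the ASCII message, and NOP filler."""
    req = parse_session_request(payload)
    trailer = payload[req["body_end"]:]
    first_nop = trailer.find(b"\x90")
    text = trailer if first_nop < 0 else trailer[:first_nop]
    return {
        **req,
        "message_text": text.decode("ascii", errors="replace").strip(),
        "nop_bytes": trailer.count(0x90),
        "payload_bytes": len(payload),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:>16}: {value!r}")
```

Run as-is it prints the decoded CALLED name "ELITE" and CALLING name "*SMBSERVER" (both with the 0x20 suffix), the declared body length of 68 bytes (two 34-byte names), the embedded text line, and 403 bytes of 0x90 out of 512. Only the first seven dump lines carry any structure; everything after the ASCII sentence is filler, which is consistent with Lance's reading that the packet is a probe for ICMP responses rather than a working exploit.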