[Snort-users] Very interesting packet

Bill Pennington billp at ...60...
Sun Jul 30 00:29:45 EDT 2000


The only other thing that came to mind was some sort of DoS bot that
perhaps tries to overflow SMB services?? If it is successful then you
would get an ICMP Unreachable. I dunno, that is all I can think of; it
does not seem like it would make much sense.

Is this the full dump or is there more?

Lance Spitzner wrote:
> 
> On Fri, 28 Jul 2000, Bill Pennington wrote:
> 
> > I ran a few quick and dirty test with hping2 and at first glance it
> > looks like a fairly good way to fingerprint boxes running SMB services.
> 
> Good guess!  But it looks like they are sequentially scanning systems
> blindly, they scanned 7 systems of mine that do not exist.  So, if
> they do not get any response, they either have a Windows box, or
> no box at all.  Seems like there are easier ways to get info?!?
> 
> I like your follow through using hping2.  My tool of choice for
> packet building :)
> 
> Thoughts?
> 
> >
> > Against a windows NT 4.0 sp6 box I get this:
> >
> > [root at ...189... hping2-beta54]# ./hping2 NTbox -2 -p 138 -N 29702 -E pack -d 520
> > eth0 default routing interface selected (according to /proc)
> > HPING houston (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> >
> > --- Ntbox hping statistic ---
> > 59 packets tramitted, 0 packets received, 100% packet loss
> > round-trip min/avg/max = 0.0/0.0/0.0 ms
> >
> > Against a Solaris 2.6 box not running Samba I get:
> >
> > [root at ...189... hping2-beta54]# ./hping2 sunbox -2 -p 138 -N 29702 -E pack -d 520
> > eth0 default routing interface selected (according to /proc)
> > HPING apollo (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> > ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (sunbox.rocketcash.com)
> >
> > --- sunbox hping statistic ---
> > 5 packets tramitted, 0 packets received, 100% packet loss
> > round-trip min/avg/max = 0.0/0.0/0.0 ms
> >
> > A RedHat 6.1 box not running Samba:
> >
> > [root at ...189... hping2-beta54]# ./hping2 RHbox -2 -p 138 -N 29702 -E pack -d 520
> > eth0 default routing interface selected (according to /proc)
> > HPING brutus (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> > ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> > ICMP Port Unreachable from x.x.x.x  (rhbox.rocketcash.com)
> >
> > --- rhbox hping statistic ---
> > 4 packets tramitted, 0 packets received, 100% packet loss
> > round-trip min/avg/max = 0.0/0.0/0.0 ms
> >
> > On a RH 6.1 box running Samba:
> >
> > [root at ...189... hping2-beta54]# ./hping2 sambabox -2 -p 138 -N 29702 -E pack -d 520
> > eth0 default routing interface selected (according to /proc)
> > HPING kryten (eth0 x.x.x.x): udp mode set, 28 headers + 520 data bytes
> >
> > --- sambabox hping statistic ---
> > 6 packets tramitted, 0 packets received, 100% packet loss
> > round-trip min/avg/max = 0.0/0.0/0.0 ms
> >
> > Interesting...
> >
> > Lance Spitzner wrote:
> > >
> > > Found a system in Korea sequentially scanning on all of
> > > my systems on port 138, UDP.  What is the purpose of this
> > > packet? This was reported as IDS181, but I highly doubt
> > > that is what the packet is for.  Any ideas?
> > >
> > > 1.  Lots of NOOPs, but is this exploit code for NT?
> > >
> > > 2.  Read the ASCII in the beginning of the packets.
> > >
> > >      IF PROBE IS SUCCESSFUL WE WILL GET ICMP BACK
> > >
> > > 3. If not exploit code, are they trying to determine what
> > >    systems are up?  If so, this does NOT make sense.  Windows
> > >    systems by default listen on port 138.  So there would
> > >    be no ICMP error message back.  This scan would only work
> > >    for Unix systems not listening on port 138.
> > >
> > > Okay gurus, what do you think this is?
> > >
> > > Thanks!
> > >
> > > 07/20-04:16:00.101120 158.44.116.211:1025 -> 172.16.1.103:138
> > > UDP TTL:120 TOS:0x0 ID:29702
> > > Len: 520
> > > 81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43  ...D EFEMEJFEEFC
> > > 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43  ACACACACACACACAC
> > > 41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46  ACACA. CKFDENECF
> > > 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43  DEFFCFGEFFCCACAC
> > > 41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49  ACACACA.IFPROBEI
> > > 53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C  SSUCCESSFULWEWIL
> > > 4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90  LGETICMPBACK....
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > > 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> > >
> > > Lance Spitzner
> > > http://www.enteract.com/~lspitz/papers.html
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
> > --
> >
> >
> > Bill Pennington
> > Senior IT Manager
> > Rocketcash
> > billp at ...60...
> > http://www.rocketcash.com
> >
> 
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
> 

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
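
Added example (editor's addition, not part of the thread and not Lance's or
Bill's code): a short Python script that decodes the two 32-character strings
at the start of the dumped packet. They are NetBIOS names in RFC 1001
first-level encoding (each byte sent as two letters A..P, high nibble first),
and the bytes around them (type 0x81, a flags byte, 16-bit length 0x0044, two
0x20-length labels each ended by a NUL) follow the NBT session-request layout
of RFC 1002 section 4.3.2, i.e. the TCP/139 session-service format rather
than a UDP/138 datagram (datagram-service messages start with 0x10..0x16).
The script assumes that layout. It transcribes only the 7 dump lines before
the NOP run and appends the remaining 400 NOP bytes in code, so the 512-byte
payload matches Snort's "Len: 520" (UDP length including the 8-byte header).

```python
"""Decode the two NetBIOS names in the UDP/138 packet from the quoted post.

Added example, not from the thread. The hex dump is copied from the Snort
output Lance posted; only the 7 lines before the long run of 0x90 are typed
in, the remaining 25 dump lines (400 bytes, all 0x90) are appended in code.
Layout assumed: NBT session request per RFC 1002 section 4.3.2, i.e.
type 0x81, flags, 16-bit length, CALLED_NAME, CALLING_NAME, each name a
0x20-length label of 32 first-level-encoded chars plus a NUL root label.
"""

# First 112 bytes of the payload, transcribed from the quoted Snort dump.
SNORT_HEX = """
81 00 00 44 20 45 46 45 4D 45 4A 46 45 45 46 43
41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43
41 43 41 43 41 00 20 43 4B 46 44 45 4E 45 43 46
44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43
41 43 41 43 41 43 41 00 49 46 50 52 4F 42 45 49
53 53 55 43 43 45 53 53 46 55 4C 57 45 57 49 4C
4C 47 45 54 49 43 4D 50 42 41 43 4B 0A 90 90 90
"""

# Snort reported Len: 520, which is the UDP length field (8-byte header
# included), so the payload is 512 bytes: 112 shown above plus 400 NOPs.
PAYLOAD = bytes.fromhex("".join(SNORT_HEX.split())) + b"\x90" * 400


def decode_first_level(encoded: bytes) -> tuple[str, int]:
    """RFC 1001 first-level decoding: every byte is sent as two chars in
    'A'..'P', high nibble first. Returns (name minus space padding, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a 32-char first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("latin-1"), raw[15]


def parse_session_request(payload: bytes) -> dict:
    """Walk the session-request header and return both names plus whatever
    follows them (for this packet: the ASCII sentence and the NOP sled)."""
    if len(payload) < 4 or payload[0] != 0x81:
        raise ValueError("type byte is not 0x81 (session request)")
    length = int.from_bytes(payload[2:4], "big")
    pos, names = 4, []
    for _ in range(2):
        if payload[pos] != 0x20:
            raise ValueError(f"unexpected label length {payload[pos]:#x} at offset {pos}")
        names.append(decode_first_level(payload[pos + 1:pos + 33]))
        pos += 33
        if payload[pos] != 0x00:
            raise ValueError(f"missing root label at offset {pos}")
        pos += 1
    return {"flags": payload[1], "length": length, "called": names[0],
            "calling": names[1], "header_end": pos, "trailer": payload[pos:]}


def summarize(payload: bytes) -> dict:
    """Everything an analyst wants from this packet, in one dict."""
    req = parse_session_request(payload)
    trailer = req["trailer"]
    first_nop = trailer.find(b"\x90")
    if first_nop < 0:
        text, sled = trailer, b""
    else:
        text, sled = trailer[:first_nop], trailer[first_nop:]
    return {
        "called": f"{req['called'][0]}<{req['called'][1]:02X}>",
        "calling": f"{req['calling'][0]}<{req['calling'][1]:02X}>",
        # the RFC length field counts only the bytes after the 4-byte header
        "length_field_ok": req["length"] == req["header_end"] - 4,
        "text": text.decode("ascii", "replace").rstrip("\n"),
        "nop_bytes": len(sled),
        "sled_is_pure_nop": sled.count(b"\x90") == len(sled),
        "payload_len": len(payload),
    }


if __name__ == "__main__":
    for key, value in summarize(PAYLOAD).items():
        print(f"{key:18} {value}")
```

Run as a script it prints the summary: the CALLED_NAME field decodes to
ELITE<20> and the CALLING_NAME field to *SMBSERVER<20> (the wildcard server
name), the text between the names and the sled is the sentence Lance quoted,
and 403 of the 512 payload bytes are 0x90. The parser rejects a packet whose
type byte is one of the datagram-service values, so it only ever interprets
session-request-shaped data; what, if anything, on a UDP/138 listener would
do the same is the open question in the thread.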
