[Snort-users] Very interesting packet

Bill Pennington billp at ...60...
Mon Jul 31 14:16:56 EDT 2000


Another thought...

The NAI guys released this advisory on the 27th. Since I doubt NAI
releases exploit code perhaps someone already knew of this vulnerabilty
or they saw this and got an idea. It is basicly a DOS using Netbios Name
Conflict packets.

Just another guess :-) 


http://packetstorm.securify.com/advisories/nai/COVERT-2000-09.netbios

Fyodor wrote:
> 
> ~ :Anyone know how to decode the NetBIOS data in the packet?
> 
> if you are talking about those funky `CACACA..` strings in the packets,
> then the basic idea would be:
> you substitute 0x41 from each pair of characters in the packet and then
> or them like final = (a << 4) | b; (and you will get 0x20 for each `CA'
> pair ;-))
> 
> for `descrambling' the whole netbios packet(s) have a look on rfc 1001,
> 1002. They are old but do not seem to be obsoleted yet.

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com




More information about the Snort-users mailing list