Date: Tue, 15 Aug 2006 18:59:48 -0400
From: "Darren Bounds" <dbounds@...il.com>
To: "Adriel T. Desautels" <simon@...soft.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP Destination Unreachable Port Unreachable

Adriel,

I was replying to Dude VanWinkle, who's been chasing down the src/dst port 0
unnecessarily.

On 8/15/06, Adriel T. Desautels <simon@...soft.com> wrote:
>
> Darren,
>    I did notice what type of packet it was and I also know what the
> packet signifies. The issue that I am having is that there has never
> been any outbound UDP activity to the host that is replying to this
> network. The payloads of the ICMP packets are a bit weird too,
> containing either X'es or |'s or encoded strings. What I am trying to
> figure out is if anyone here recognizes these types of payloads and
> knows what could be generating them?
>
> so just to be clear...
>
> I want info about the payload not about ICMP!
>
> Darren Bounds wrote:
> > Dude,
> >
> > In case you've failed to notice, this is an ICMP port unreachable
> > message.
> > It's sent in response to a UDP packet destined for an unavailable UDP
> > port.
> > The port '0' referenced in the event source/destination is meaningless as
> > ICMP doesn't use source and destination ports (it is always '0').
> >
> > The payload of the ICMP unreachable message contains the original IP
> > header (of the initial UDP packet) and at least 64 bits (8 bytes) of the
> > original data datagram. The size of data echoed will vary depending on the
> > implementation.
> >
> >
> >
> >
> > On 8/15/06, Dude VanWinkle <dudevanwinkle@...il.com> wrote:
> >>
> >> On 8/15/06, Julio Cesar Fort <julio@...slabs.com.br> wrote:
> >> > Dude VanWinkle,
> >> >
> >> > > <snip>
> >> > > -----------------------------
> >> > > Looks to me like they are using port 0.
> >> > > http://www.grc.com/port_0.htm
> >> > > -JP
> >> >
> >> > *NEVER TRUST* Steve Gibson. I bet he smokes crack. See
> >> > http://attrition.org/errata/charlatan.html#gibson for more details.
> >>
> >>
> >> thanks for the tip!
> >>
> >> Still, I can't seem to help but think there is something to this port 0
> >> thingy
> >>
> >> http://www.networkpenetration.com/port0.html
> >>
> >> <snip>
> >>
> >> 3. Port 0 OS Fingerprinting
> >> ---------------------------
> >> Port 0 is reserved for special use, as stated in RFC 1700. Coupled
> >> with the fact that this port number is reassigned by the OS, no
> >> traffic should flow over the internet using this port. As the
> >> specifics are not clear, different OSes have different ways of handling
> >> traffic using port 0, thus they can be fingerprinted.
> >>
> >> --------------------------------------------
> >>
> >> I guess that is just a reaction to traffic and not actual traffic via
> >> port 0, but still nifty info
> >>
> >> -JP
> >>
>
>
> --
>
> Regards,
>    Adriel T. Desautels
>    SNOsoft Research Team
>    Office: 617-924-4510 || Mobile : 857-636-8882
>
>    ----------------------------------------------
>    Vulnerability Research and Exploit Development
>


-- 

Thank you,
Darren Bounds

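For anyone following the thread who wants to look at the payload Adriel is asking about: the following is an added example (written for this archive page, not code from anyone in the thread) that builds a constructed ICMP Destination Unreachable message and then decodes it the way described above. The constructed packet (192.0.2.10:53412 -> 198.51.100.7:1434, eight 'X' bytes of UDP payload) is not a capture from anyone's network; the addresses, ports and payload are assumptions for illustration. It shows that the 8-byte ICMP header has no port fields at all (hence the "port 0" an IDS prints), that the original UDP source/destination ports sit in the quoted IP header plus the first 64 bits of the original datagram, and that how much beyond those 64 bits gets echoed depends on the responding stack.

```python
"""Decode an ICMP Destination Unreachable message (RFC 792 type 3).

Added example, not from the thread. The sample packet is constructed, not
captured. The ICMP header itself carries no port numbers; the original UDP
ports are recovered from the quoted IP header + first 64 bits of the
original datagram.
"""
import struct
import ipaddress

ICMP_DEST_UNREACH = 3   # ICMP type
ICMP_PORT_UNREACH = 3   # code 3 = port unreachable
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreachable(src_ip, dst_ip, sport, dport, udp_payload, quote=None):
    """Construct the ICMP reply a host sends when the UDP datagram
    src_ip:sport -> dst_ip:dport hits a closed port (constructed sample).
    `quote` = how many bytes past the inner IP header the responder echoes;
    None echoes the whole datagram, 8 is the RFC 792 minimum (UDP header only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                     IPPROTO_UDP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    original = ip + udp
    quoted = original if quote is None else original[:20 + max(quote, 8)]
    # ICMP header: type, code, checksum, 32 unused bits. No port fields anywhere,
    # which is why an IDS shows src/dst port 0 for this traffic.
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, csum, 0) + quoted


def parse_dest_unreachable(icmp: bytes) -> dict:
    """Recover the original datagram's addressing from a type 3 message.
    Slices by the bytes actually present, never by the quoted IP total-length
    field, because that field describes the original datagram, not the echo."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("need ICMP header + IP header + 64 bits of original datagram")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    inner = icmp[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("quoted header is not IPv4")
    ihl = (inner[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted IP header truncated")
    info = {
        "code": code,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        "echoed_bytes": len(inner) - ihl,   # >= 8; anything more is implementation dependent
        "echoed_data": inner[ihl:],         # the bytes to inspect when the payload looks odd
    }
    if inner[9] == IPPROTO_UDP:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", inner[ihl:ihl + 8])
        info.update(orig_sport=sport, orig_dport=dport, orig_udp_len=ulen,
                    udp_payload=inner[ihl + 8:])
    return info


if __name__ == "__main__":
    # Constructed: 192.0.2.10:53412 sent eight 'X' bytes to 198.51.100.7:1434 (closed).
    msg = build_port_unreachable("192.0.2.10", "198.51.100.7", 53412, 1434, b"XXXXXXXX")
    info = parse_dest_unreachable(msg)
    print("code %d: %s:%d -> %s:%d, %d byte(s) echoed, payload %r" % (
        info["code"], info["orig_src"], info["orig_sport"], info["orig_dst"],
        info["orig_dport"], info["echoed_bytes"], info["udp_payload"]))
    # A stack that quotes only the RFC 792 minimum still yields the ports,
    # but the UDP payload after the 8-byte UDP header is gone.
    info_min = parse_dest_unreachable(build_port_unreachable(
        "192.0.2.10", "198.51.100.7", 53412, 1434, b"XXXXXXXX", quote=8))
    print("minimal quote: ports %d -> %d, payload %r" % (
        info_min["orig_sport"], info_min["orig_dport"], info_min["udp_payload"]))
```

When pointing this at a real capture, feed it the ICMP portion of the packet (everything after the outer IP header). If the ports it recovers were never sent from your network, the quoted IP header is the thing to examine: the source address in it is whatever the remote host claims it received the UDP datagram from, and it need not be your address at all.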

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
