Message-ID: <44E234B1.5090801@snosoft.com>
Date: Tue, 15 Aug 2006 16:55:13 -0400
From: "Adriel T. Desautels" <simon@...soft.com>
To: Dude VanWinkle <dudevanwinkle@...il.com>
Cc: Julio Cesar Fort <julio@...slabs.com.br>, full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP Destination Unreachable Port Unreachable

Well,
    There's something to the traffic that I am seeing. The payloads are
always changing and contain significantly different data. One of the
payloads was packed full of X'es, the other was packed full of |'s.
Check it out.

Event: ICMP Destination Unreachable Port Unreachable
Category: misc-activity
Level: 3

Sensor: IDS-1 (1)
Date / Time: 08/15/2006 14:14:41

Module: xxx

Event ID: 5907
Original Event ID: 5864

Source: 82.246.252.214 : 0
Destination: xx.xx.xx.50 : 0

--
Payload Length: 152

000 : 00 00 00 00 45 00 00 9C 46 64 40 00 EE 11 2C 92   ....E...Fd@...,.
010 : 46 5B 83 32 52 F6 FC D6 00 35 A4 10 00 88 2B 28   F[.2R....5....+(
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58                           XXXXXXXX
--



Dude VanWinkle wrote:
> On 8/15/06, Julio Cesar Fort <julio@...slabs.com.br> wrote:
>> Dude VanWinkle,
>>
>> > <snip>
>> > -----------------------------
>> > Looks to me like they are using port 0.
>> > http://www.grc.com/port_0.htm
>> > -JP
>>
>> *NEVER TRUST* Steve Gibson. I bet he smokes crack. See
>> http://attrition.org/errata/charlatan.html#gibson for more details.
>
>
> thanks for the tip!
>
> Still, I can't seem to help but think there is something to this port 0
> thingy
>
> http://www.networkpenetration.com/port0.html
>
> <snip>
>
> 3. Port 0 OS Fingerprinting
> ---------------------------
> As port 0 is reserved for special use as stated in RFC 1700. Coupled
> with the fact that this port number is reassigned by the OS, no
> traffic should flow over the internet using this port. As the
> specifics are not clear different OS's have different ways of handling
> traffic using port 0 thus they can be fingerprinted.
>
> --------------------------------------------
>
> I guess that is just a reaction to traffic and not actual traffic via
> port 0, but still nifty info
>
> -JP
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 

Regards, 
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
