| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Aug 2006 18:53:09 -0400
From: "Adriel T. Desautels" <simon@...soft.com>
To: Darren Bounds <dbounds@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP Destination Unreachable
Port Unreachable
Darren,
I did notice what type of packet it was and I also know what the
packet signifies. The issue that I am having is that there has never
been any outbound UDP activity to the host that is replying to this
network. The payloads of the ICMP packets are a bit weird too,
containing either X'es or |'s or encoded strings. What I am trying to
figure out is if anyone here recognizes these types of payloads and
knows what could be generating them?
so just to be clear...
I want info about the payload not about ICMP!
Darren Bounds wrote:
> Dude,
>
> In case you've failed to notice, this is an ICMP port unreachable
> message.
> It's sent in response to a UDP packet destined for an unavailable UDP
> port.
> The port '0' referenced in the event source/destination is meaningless as
> ICMP doesn't use source and destination ports (it is always '0').
>
> The payload of the ICMP unreachable message contains original IP
> header (of
> the initial UDP packet) and at least 64 bits (8 bytes) of original data
> datagram. The size of data echoed will vary depending on the
> implementation.
>
>
>
>
> On 8/15/06, Dude VanWinkle <dudevanwinkle@...il.com> wrote:
>>
>> On 8/15/06, Julio Cesar Fort <julio@...slabs.com.br> wrote:
>> > Dude VanWinkle,
>> >
>> > > <snip>
>> > > -----------------------------
>> > > Looks to me like they are using port 0.
>> > > http://www.grc.com/port_0.htm
>> > > -JP
>> >
>> > *NEVER TRUST* Steve Gibson. I bet he smokes crack. See
>> > http://attrition.org/errata/charlatan.html#gibson for more details.
>>
>>
>> thanks for the tip!
>>
>> Still, I cant seem to help but think there is something to this port 0
>> thingy
>>
>> http://www.networkpenetration.com/port0.html
>>
>> <snip>
>>
>> 3. Port 0 OS Fingerprinting
>> ---------------------------
>> As port 0 is reserverd for special use as stated in RFC 1700. Coupled
>> with the fact that this port number is reassigned by the OS, no
>> traffic should flow over the internet using this port. As the
>> specifics are not clear different OS's have differnet ways of handling
>> traffic using port 0 thus they can be fingerprinted.
>>
>> --------------------------------------------
>>
>> I guess that is just a reaction to traffic and not actual traffic via
>> port 0, but still nifty info
>>
>> -JP
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
----------------------------------------------
Vulnerability Research and Exploit Development
BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists