Date: Tue, 15 Aug 2006 19:24:02 -0400
From: "Darren Bounds" <dbounds@...il.com>
To: "Adriel T. Desautels" <simon@...soft.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP Destination Unreachable Port Unreachable

I'm confused about a couple of things:

1) You say you knew the nature of the packet yet in your original message
you stated "Neither the source IP or the target IP have any ports associated
with them in this event. Any ideas would be appreciated.".

- The packet you dumped was an ICMP port unreachable. There will never be a
port associated with an ICMP packet.
- ICMP unreachable messages contain a payload with the IP header of the
packet generating the error and at least 64 bits (8 bytes) of original data
datagram. There are ports associated with UDP and therefore inspection of
the embedded UDP packet tells you quite a bit, i.e., it was using ports 16229
and 2597 as source and destination.

2) You * out the first 3 octets of the destination IP address in the event
but leave the IP address in the ICMP payload (70.91.131.49). Why?


--

Thanks,
Darren Bounds

On 8/15/06, Adriel T. Desautels <simon@...soft.com> wrote:
>
> Darren,
>    I did notice what type of packet it was and I also know what the
> packet signifies. The issue that I am having is that there has never
> been any outbound UDP activity to the host that is replying to this
> network. The payloads of the ICMP packets are a bit weird too,
> containing either X'es or |'s or encoded strings. What I am trying to
> figure out is if anyone here recognizes these types of payloads and
> knows what could be generating them?
>
> so just to be clear...
>
> I want info about the payload not about ICMP!
>
>
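
The layout Darren describes (ICMP type/code/checksum/unused, then the original IP header, then at least 8 bytes of the original datagram) can be checked with a small parser. This is an added example, not code from the thread; it uses the port numbers quoted above but constructed RFC 5737 addresses and zeroed checksums, so the sample bytes are not the poster's capture.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3        # ICMP type 3: Destination Unreachable
ICMP_CODE_PORT_UNREACH = 3   # code 3: port unreachable
IPPROTO_UDP = 17


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Return the embedded original IP header fields and, for UDP, the
    original source/destination ports carried in the ICMP error payload."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _cksum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not a Destination Unreachable message (type {icmp_type})")
    inner = icmp[8:]                      # original IP header + >= 8 bytes of datagram
    if len(inner) < 20:
        raise ValueError("embedded IP header missing or truncated")
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto,
     _hcksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded header is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    original = inner[ihl:ihl + 8]         # RFC 792: first 64 bits of the original datagram
    result = {"code": code, "proto": proto,
              "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
              "sport": None, "dport": None}
    if proto == IPPROTO_UDP and len(original) >= 4:
        # UDP header starts with source port, destination port
        result["sport"], result["dport"] = struct.unpack("!HH", original[:4])
    return result


def build_sample() -> bytes:
    """Constructed ICMP port-unreachable message (checksums left at zero)."""
    udp = struct.pack("!HHHH", 16229, 2597, 8 + 4, 0) + b"data"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                         IPPROTO_UDP, 0, IPv4Address("192.0.2.10").packed,
                         IPv4Address("198.51.100.7").packed)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, 0, 0)
    return icmp_hdr + ip_hdr + udp[:8]    # only the first 8 bytes of the datagram are echoed


if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample()))
```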


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
