Message-Id: <497E7B5A-5A0A-434F-A851-18FEE648DC19@lcssecuritygroup.com>
Date: Tue, 15 Aug 2006 19:33:10 -0400
From: Scott Renna <srenna@...securitygroup.com>
To: "Darren Bounds" <dbounds@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re: ICMP Destination Unreachable Port
	Unreachable

common mistake

On Aug 15, 2006, at 7:24 PM, Darren Bounds wrote:

> I'm confused about a couple things:
>
> 1) You say you knew the nature of the packet yet in your original  
> message you stated "Neither the source IP or the target IP have any  
> ports associated with them in this event. Any ideas would be  
> appreciated.".
>
> - The packet you dumped was an ICMP port unreachable. There will  
> never be a port associated with an ICMP packet.
> - ICMP unreachable messages contain a payload with the IP header of  
> the packet generating the error and at least 64 bits (8 bytes) of  
> original data datagram. There are ports associated with UDP and  
> therefore inspection of the embedded UDP packet tells you quite a  
> bit. i.e. It was using ports 16229 and 2597 as source and destination.
>
> 2) You * out the first 3 octets of the destination IP address in  
> the event but leave the IP address in the ICMP payload  
> (70.91.131.49). Why?
>
>
> --
>
> Thanks,
> Darren Bounds
>
> On 8/15/06, Adriel T. Desautels <simon@...soft.com> wrote:
> Darren,
>    I did notice what type of packet it was and I also know what the
> packet signifies. The issue that I am having is that there has never
> been any outbound UDP activity to the host that is replying to this
> network. The payloads of the ICMP packets are a bit weird too,
> containing either X'es or |'s or encoded strings. What I am trying to
> figure out is if anyone here recognizes these types of payloads and
> knows what could be generating them?
>
> so just to be clear...
>
> I want info about the payload not about ICMP!
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
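
The quoted reply above notes that an ICMP unreachable message embeds the offending packet's IP header plus its first 8 bytes, which is where the UDP ports come from. The sketch below is an added example, not part of the thread: it extracts those fields and checks them against flows the network actually sent. The function names, the `sent_flows` set and the sample packet (RFC 5737 placeholder addresses, with the ports quoted in the thread) are constructed for illustration.

```python
import socket
import struct

def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Parse ICMP Destination Unreachable bytes, starting at the ICMP header."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp[0] != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = icmp[8:]  # skip type, code, checksum and the 4 unused bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no embedded IPv4 header")
    ihl = (inner[0] & 0x0F) * 4  # embedded header may carry IP options
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded header or first 8 data bytes missing")
    info = {
        "code": icmp[1],
        "proto": inner[9],
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
    }
    if inner[9] in (6, 17):  # TCP and UDP both begin with source/destination port
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

def was_solicited(info: dict, sent_flows: set) -> bool:
    """True if the embedded datagram matches a flow this network really sent."""
    key = (info["orig_src"], info.get("sport"), info["orig_dst"], info.get("dport"))
    return key in sent_flows

def build_sample() -> bytes:
    """Constructed port-unreachable message; addresses are RFC 5737 placeholders."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    udp = struct.pack("!HHHH", 16229, 2597, 16, 0)  # ports quoted in the thread
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp  # checksums left at 0

if __name__ == "__main__":
    parsed = parse_icmp_unreachable(build_sample())
    print(parsed)
    print("solicited:", was_solicited(parsed, sent_flows=set()))
```

An error whose embedded flow is absent from `sent_flows` matches the situation described in the thread, where no outbound UDP traffic to the replying host was ever seen.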

