Full Disclosure mailing list archives
Re: Re: ICMP Destination Unreachable Port Unreachable
From: "Adriel T. Desautels" <simon () snosoft com>
Date: Tue, 15 Aug 2006 16:55:13 -0400
Well, there's something to the traffic that I am seeing. The payloads are always changing and contain significantly different data. One of the payloads was packed full of X'es, the other was packed full of |'s. Check it out.

Event: ICMP Destination Unreachable Port Unreachable
Category: misc-activity
Level: 3
Sensor: IDS-1 (1)
Date / Time: 08/15/2006 14:14:41
Module: xxx
Event ID: 5907
Original Event ID: 5864
Source: 82.246.252.214 : 0
Destination: xx.xx.xx.50 : 0
--
Payload Length: 152
000 : 00 00 00 00 45 00 00 9C 46 64 40 00 EE 11 2C 92   ....E...Fd@...,.
010 : 46 5B 83 32 52 F6 FC D6 00 35 A4 10 00 88 2B 28   F[.2R....5....+(
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58                           XXXXXXXX
--

Dude VanWinkle wrote:
> On 8/15/06, Julio Cesar Fort <julio () rfdslabs com br> wrote:
>> Dude VanWinkle,
>>
>> <snip>
>>> -----------------------------
>>> Looks to me like they are using port 0.
>>> http://www.grc.com/port_0.htm
>>>
>>> -JP
>>
>> *NEVER TRUST* Steve Gibson. I bet he smokes crack.
>> See http://attrition.org/errata/charlatan.html#gibson for more details.
>
> thanks for the tip! Still, I can't seem to help but think there is something to this port 0 thingy
>
> http://www.networkpenetration.com/port0.html
> <snip>
> 3. Port 0 OS Fingerprinting
> ---------------------------
> As port 0 is reserved for special use as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet using this port. As the specifics are not clear different OS's have different ways of handling traffic using port 0 thus they can be fingerprinted.
> --------------------------------------------
>
> I guess that is just a reaction to traffic and not actual traffic via port 0, but still nifty info
>
> -JP
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
----------------------------------------------
Vulnerability Research and Exploit Development
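An added example, not part of the original message: the payload in the alert begins with the four unused bytes of the ICMP header, followed by the IP and UDP headers of the datagram that triggered the error, so decoding those headers shows what the "port unreachable" was answering. The bytes are transcribed from the dump above; the function and field names are illustrative.

```python
import ipaddress
import struct

# Bytes transcribed from the dump above: 4 unused ICMP bytes, the quoted IPv4
# header, the quoted UDP header, then the 120 captured 'X' (0x58) bytes.
PAYLOAD = bytes.fromhex(
    "00000000"
    "4500009C46644000EE112C92465B833252F6FCD6"
    "0035A41000882B28"
) + b"X" * 120


def parse_unreachable_quote(payload):
    """Decode the datagram quoted inside an ICMP Destination Unreachable body."""
    quoted = payload[4:]  # skip the unused 32-bit field after type/code/checksum
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("bad or truncated IPv4 header length")
    total_len = struct.unpack("!H", quoted[2:4])[0]
    info = {
        "ttl": quoted[8],
        "proto": quoted[9],
        "src": str(ipaddress.IPv4Address(quoted[12:16])),
        "dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "ip_total_len": total_len,
        # Bytes of the original datagram that the quote does not include.
        "truncated_by": max(total_len - len(quoted), 0),
    }
    if info["proto"] == 17 and len(quoted) >= ihl + 8:  # UDP
        sport, dport, udp_len, _csum = struct.unpack("!HHHH", quoted[ihl:ihl + 8])
        data = quoted[ihl + 8:]
        info.update(sport=sport, dport=dport, udp_len=udp_len,
                    data_len=len(data), fill=sorted(set(data)))
    return info


if __name__ == "__main__":
    for key, value in parse_unreachable_quote(PAYLOAD).items():
        print(f"{key:13} {value}")
```

The quoted datagram is UDP from source port 53 to destination port 42000, addressed to the host that the alert lists as Source, and the quote stops 8 bytes short of the 128-byte data field its length fields declare.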