Firewall Wizards mailing list archives
Re: Help w/ Port 137 Traffic
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 13 Oct 2002 09:10:52 -0400 (EDT)
On Sun, 13 Oct 2002, Mikael Olsson wrote:
> > know- I don't run Windows, so I haven't played with doing NetBIOS stuff and don't know what the normal programming sequence is for enumerating shares, and as we don't let customers expose NetBIOS ports at all, this was never high on my list of things to worry about.
>
> I've personally never seen share enumeration being done over port 137. I have only seen it done over 139, and I guess it can be done over port 445 as well.
By "sequence" I meant "Do name lookup, then go enumerate shares." Depending on what the worm is written with, there could be a "go_check_for_shares()" that does a name lookup then enumerates the shares- sequence being a series of events, not a method.

Sometimes the sequence of events can lead to clues about the author- and sometimes their toolset restricts how they perform certain functions (the last Windows malcode I had my hands on, for instance, was written in Delphi- and I *know* from making feature requests and dealing with systems that can't talk SMTP right that most Delphi authors use components that they have no control over- those may have a particular sequence of events, or all the common examples of "how to do $foo" may use a particular sequence, such as "get computer name from IP address" then "go look for open shares.")

I simply don't know enough about Windows programming to know if doing the name lookup gains something, or is normal, or rather is an artifact of a particular toolset (we have folks who track Windows malcode, I'm not one.)

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                                              TruSecure Corporation
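The "name lookup, then enumerate shares" sequence discussed in this thread is also usable as a detection signal on the firewall side. The Python below is an added example, not code from the thread; it assumes a constructed one-connection-per-line log format and flags sources that query a host's NetBIOS name service on UDP/137 and then open an SMB session to the same host on TCP/139 or 445 within a short window.

```python
"""Flag sources that do a NetBIOS name lookup (UDP/137) and then open an
SMB session (TCP/139 or TCP/445) to the same host shortly afterwards."""
from datetime import datetime

# Constructed sample firewall log lines (hypothetical format, not from the thread).
SAMPLE_LOG = """\
2002-10-13T09:00:01 ACCEPT udp 10.1.1.5:1025 -> 192.0.2.10:137
2002-10-13T09:00:02 ACCEPT tcp 10.1.1.5:1026 -> 192.0.2.10:139
2002-10-13T09:00:05 ACCEPT udp 10.1.1.7:1030 -> 192.0.2.11:137
2002-10-13T09:02:30 ACCEPT tcp 10.1.1.7:1031 -> 192.0.2.11:445
2002-10-13T09:00:09 ACCEPT tcp 10.1.1.9:1040 -> 192.0.2.12:445
"""

NBNS_PORT = 137          # NetBIOS name service
SMB_PORTS = {139, 445}   # NetBIOS session service / direct-hosted SMB

def parse_line(line):
    """Split one log line into (timestamp, proto, src_ip, dst_ip, dst_port)."""
    ts, _action, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src_ip, dst_ip, int(dst_port)

def find_lookup_then_smb(log_text, window_seconds=30):
    """Return (src, dst) pairs where a UDP/137 query to dst was followed by an
    SMB connect to the same dst within window_seconds. Lines are time-sorted
    first, so out-of-order log output is handled."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    last_lookup = {}   # (src, dst) -> time of most recent name query
    hits = []
    for ts, proto, src, dst, port in events:
        key = (src, dst)
        if proto == "udp" and port == NBNS_PORT:
            last_lookup[key] = ts
        elif proto == "tcp" and port in SMB_PORTS:
            seen = last_lookup.get(key)
            if seen is not None and (ts - seen).total_seconds() <= window_seconds:
                hits.append(key)
    return hits

if __name__ == "__main__":
    for src, dst in find_lookup_then_smb(SAMPLE_LOG):
        print(f"{src} looked up {dst} on 137 and then connected to SMB")
```

A plain SMB connect with no preceding name query (the last sample line) is not flagged, so the rule picks out the specific sequence rather than all SMB traffic.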