Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: ICMP Destination Unreachable Port Unreachable

From: "Adriel T. Desautels" <simon () snosoft com>
Date: Tue, 15 Aug 2006 16:55:13 -0400
Well,
    There's something to the traffic that I am seeing. The payloads are
always changing and contain significantly different data. One of the
payloads was packed full of X'es, the other was packed full of |'s.
Check it out.

Event: ICMP Destination Unreachable Port Unreachable
Category: misc-activity
Level: 3

Sensor: IDS-1 (1)
Date / Time: 08/15/2006 14:14:41

Module: xxx

Event ID: 5907
Original Event ID: 5864

Source: 82.246.252.214 : 0
Destination: xx.xx.xx.50 : 0

--
Payload Length: 152

000 : 00 00 00 00 45 00 00 9C 46 64 40 00 EE 11 2C 92   ....E...Fd@...,.
010 : 46 5B 83 32 52 F6 FC D6 00 35 A4 10 00 88 2B 28   F[.2R....5....+(
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58                           XXXXXXXX
--



Dude VanWinkle wrote:

On 8/15/06, Julio Cesar Fort <julio () rfdslabs com br> wrote:

Dude VanWinkle,


<snip>
-----------------------------
Looks to me like they are using port 0.
http://www.grc.com/port_0.htm
-JP


*NEVER TRUST* Steve Gibson. I bet he smokes crack. See
http://attrition.org/errata/charlatan.html#gibson for more details.



thanks for the tip!

Still, I cant seem to help but think there is something to this port 0
thingy

http://www.networkpenetration.com/port0.html

<snip>

3. Port 0 OS Fingerprinting
---------------------------
As port 0 is reserverd for special use as stated in RFC 1700. Coupled
with the fact that this port number is reassigned by the OS, no
traffic should flow over the internet using this port. As the
specifics are not clear different OS's have differnet ways of handling
traffic using port 0 thus they can be fingerprinted.

--------------------------------------------

I guess that is just a reaction to traffic and not actual traffic via
port 0, but still nifty info

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 

Regards, 
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development





BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: