Snort mailing list archives

Re: Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt


From: Jose Costa <joselpcosta () yahoo com br>
Date: Thu, 30 Dec 2004 12:20:29 -0300 (ART)

I'm getting that too.

Investigating...

Any news, please let me know.

Rgds,

Jose Costa

 --- Andrea Venturoli <ml () netfence it> wrote: 
Hello.
On a network I manage I'm getting a lot of the following messages:

Dec 29 12:00:00 mybdc snort: [1:2382:14] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.101.115:4269 -> 192.168.101.4:139


It started a few days ago, always from the same client IP (Windows 2000) to the same server IP (Samba BDC), and every 10-15 seconds.

Given this, I suspect some not so nice process on the client side and, while I believe this particular server can't be affected by this bug, I'd still love to stop it.

I've captured one such packet and here it is below. I really lack the knowledge to analyse it in detail, but I'd be happy if someone with more experience can give me any suggestions.

  bye & Thanks
      av.

11:01:00.931765 myclient.xxxxxxxx.yy.3507 > mybdc.xxxxxxxx.yy.netbios-ssn: P [tcp sum ok] 209:403(194) ack 95 win 65441
 >>> NBT Packet
NBT Session Packet
Flags=0x0
Length=190 (0xbe)

SMB PACKET: SMBsesssetupX (REQUEST)
SMB Command   =  0x73
Error class   =  0x0
Error code    =  0 (0x0)
Flags1        =  0x18
Flags2        =  0x7
Tree ID       =  0 (0x0)
Proc ID       =  65279 (0xfeff)
UID           =  0 (0x0)
MID           =  64 (0x40)
Word Count    =  13 (0xd)
Com2=0x75
Res1=0x0
Off2=159 (0x9f)
MaxBuffer=16644 (0x4104)
MaxMpx=50 (0x32)
VcNumber=0 (0x0)
SessionKey=0x9347
CaseInsensitivePasswordLength=24 (0x18)
CaseSensitivePasswordLength=24 (0x18)
Res=0x0
Capabilities=0xD4
Pass1&Pass2&Account&Domain&OS&LanMan=
[000] C3 D5 24 4D 62 0F 5B B5  8D 66 66 0D BB 17 EE 01  \303\325$Mb\017[\265 \215ff\015\273\027\356\001
[010] DE 24 BA C8 36 C7 F4 1C  2D 43 CD 48 F7 3B FE 89  \336$\272\3106\307\364\034 -C\315H\367;\376\211
[020] 8E BB 9D 8A 05 84 45 00  02 25 05 C7 96 1A EA D5  \216\273\235\212\005\204E\000 \002%\005\307\226\032\352\325
[030] XX XX XX XX 00 XX XX XX  XX XX XX XX XX 00 57 69  user\000MYD OMAIN\000Wi
[040] 6E 64 6F 77 73 20 32 30  30 30 20 32 31 39 35 00  ndows 20 00 2195\000
[050] 57 69 6E 64 6F 77 73 20  32 30 30 30 20 35 2E 30  Windows  2000 5.0
[060] 00 00                                             \000\000

SMB PACKET: SMBtconX (REQUEST) (CHAINED)
smbvwv[]=
Com2=0xFF
Off2=190 (0xbe)
Flags=0x8
PassLen=1 (0x1)
Passwd&Path&Device=
PassLen=1 (0x1)
Passwd&Path&Device=
smb_bcc=20
smb_buf[]=
[000] 00 5C 5C XX XX XX XX XX  5C 49 50 43 24 00 3F 3F  \000\\MYBDC \IPC$\000??
[010] 3F 3F 3F 00                                       ???\000


  (DF) (ttl 128, id 61947, len 234)
0x0000   4500 00ea f1fb 4000 8006 bc49 c0a8 6573    E.....@....I..es
0x0010   c0a8 6504 0db3 008b e351 0141 eba9 1cb4    ..e......Q.A....
0x0020   5018 ffa1 8b8f 0000 0000 00be ff53 4d42    P............SMB
0x0030   7300 0000 0018 0748 0000 0000 0000 0000    s......H........
0x0040   0000 0000 0000 fffe 0000 4000 0d75 009f    ..........@..u..
0x0050   0004 4132 0000 0047 9300 0018 0018 0000    ..A2...G........
0x0060   0000 00d4 0000 0062 00c3 d524 4d62 0f5b    .......b...$Mb.[
0x0070   b58d 6666 0dbb 17ee 01de 24ba c836 c7f4    ..ff......$..6..
0x0080   1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445    .-C.H.;........E
0x0090   0002 2505 c796 1aea d5XX XXXX XX00 XXXX    ..%......user.MY
0x00a0   XXXX XXXX XXXX 0057 696e 646f 7773 2032    DOMAIN.Windows.2
0x00b0   3030 3020 3231 3935 0057 696e 646f 7773    000.2195.Windows
0x00c0   2032 3030 3020 352e 3000 0004 ff00 be00    .2000.5.0.......
0x00d0   0800 0100 1400 005c 5cXX XXXX XXXX 5c49    .......\\MYBDC\I
0x00e0   5043 2400 3f3f 3f3f 3f00                   PC$.?????.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
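The session setup request in the dump above, parsed field by field. This is an added example, not code from either poster: the bytes are the hex shown in the message (IP header onward), with the XX bytes the poster redacted filled with the ASCII byte 'X' (0x58) as a placeholder, so the account, domain and server names in the output are placeholders rather than the real values. The parser also accepts the extended-security form of SMBsesssetupX (word count 12), which is the form that carries a SPNEGO/NTLMSSP security blob; that generalisation is mine, the capture itself uses the older 13-word form.

```python
"""Parse the SMBsesssetupX request from the tcpdump hex dump above.

Added example, not code from the original post.  POSTED_HEX is the dump
from the message (IP header onward); the XX bytes the poster redacted
are filled with the ASCII byte 'X' (0x58), so the account, domain and
server names below are placeholders, not the real values.
"""
import struct

# Hex dump copied from the post.  XX = byte redacted by the poster.
POSTED_HEX = """
4500 00ea f1fb 4000 8006 bc49 c0a8 6573
c0a8 6504 0db3 008b e351 0141 eba9 1cb4
5018 ffa1 8b8f 0000 0000 00be ff53 4d42
7300 0000 0018 0748 0000 0000 0000 0000
0000 0000 0000 fffe 0000 4000 0d75 009f
0004 4132 0000 0047 9300 0018 0018 0000
0000 00d4 0000 0062 00c3 d524 4d62 0f5b
b58d 6666 0dbb 17ee 01de 24ba c836 c7f4
1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445
0002 2505 c796 1aea d5XX XXXX XX00 XXXX
XXXX XXXX XXXX 0057 696e 646f 7773 2032
3030 3020 3231 3935 0057 696e 646f 7773
2032 3030 3020 352e 3000 0004 ff00 be00
0800 0100 1400 005c 5cXX XXXX XXXX 5c49
5043 2400 3f3f 3f3f 3f00
"""

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
FLAGS2_EXTENDED_SECURITY = 0x0800
FLAGS2_UNICODE = 0x8000


def packet_bytes(hexdump=POSTED_HEX, fill=0x58):
    """Turn the dump into bytes; redacted XX bytes become `fill` (constructed)."""
    out = bytearray()
    for tok in hexdump.split():
        for i in range(0, len(tok), 2):
            pair = tok[i:i + 2]
            out.append(fill if pair == "XX" else int(pair, 16))
    return bytes(out)


def cstr(buf, off):
    """Read a NUL-terminated ASCII string at off; return (text, offset after NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_session_setup(pkt):
    """Walk IP -> TCP -> NBT session header -> SMB header -> SesssetupX (+ chained AndX)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_len = struct.unpack_from("!H", pkt, 2)[0]
    doff = (pkt[ihl + 12] >> 4) * 4
    payload = pkt[ihl + doff:ip_len]
    nbt_len = struct.unpack_from("!H", payload, 2)[0]  # NBT: type(1) flags(1) length(2)
    smb = payload[4:4 + nbt_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("no SMB1 header after the NBT session header")
    (cmd, status, flags1, flags2, _pid_high, _sig, _res,
     tid, pid, uid, mid) = struct.unpack_from("<BIBHH8sHHHHH", smb, 4)
    if cmd != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("expected SMBsesssetupX (0x73), got 0x%02x" % cmd)
    if flags2 & FLAGS2_UNICODE:
        raise NotImplementedError("UTF-16 strings not handled (this capture is ASCII)")
    wct = smb[32]
    info = {"command": cmd, "status": status, "flags1": flags1, "flags2": flags2,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid, "word_count": wct,
            "flags2_ext_sec_bit": bool(flags2 & FLAGS2_EXTENDED_SECURITY),
            "ntlmssp_present": b"NTLMSSP" in smb}
    if wct == 13:
        # Legacy form: LM and NT responses, then account/domain/OS/LanMan strings.
        (andx_cmd, _r, andx_off, max_buf, max_mpx, vc, sess_key,
         lm_len, nt_len, _r2, caps) = struct.unpack_from("<BBHHHHIHHII", smb, 33)
        off = 33 + 26 + 2 + lm_len + nt_len       # words, ByteCount, two responses
        info.update(lm_response_len=lm_len, nt_response_len=nt_len)
        for name in ("account", "domain", "native_os", "native_lanman"):
            info[name], off = cstr(smb, off)
    elif wct == 12:
        # Extended-security form: one SPNEGO/NTLMSSP blob replaces the two responses.
        (andx_cmd, _r, andx_off, max_buf, max_mpx, vc, sess_key,
         blob_len, _r2, caps) = struct.unpack_from("<BBHHHHIHII", smb, 33)
        data = 33 + 24 + 2
        info["security_blob"] = smb[data:data + blob_len]
        off = data + blob_len
        for name in ("native_os", "native_lanman"):
            info[name], off = cstr(smb, off)
    else:
        raise ValueError("unexpected SesssetupX word count %d" % wct)
    info.update(max_buffer=max_buf, max_mpx=max_mpx, vc_number=vc, session_key=sess_key,
                capabilities=caps, extended_security=(wct == 12), andx_command=andx_cmd)
    if andx_cmd == SMB_COM_TREE_CONNECT_ANDX:
        # Chained SMBtconX; AndXOffset is relative to the start of the SMB header.
        (_wct, _andx2, _r3, _off2, t_flags,
         pass_len, _bcc) = struct.unpack_from("<BBBHHHH", smb, andx_off)
        off = andx_off + 11 + pass_len            # 11 fixed bytes, then the password
        info["tree_path"], off = cstr(smb, off)
        info["tree_service"], off = cstr(smb, off)
        info["tree_flags"] = t_flags
    return info


if __name__ == "__main__":
    for key, value in parse_session_setup(packet_bytes()).items():
        print("%-20s %r" % (key, value))
```

On the posted bytes this reports word count 13 with 24-byte LM and NT responses, capabilities 0xd4, and no "NTLMSSP" marker anywhere in the SMB payload, i.e. the legacy LM/NTLM session setup rather than the extended-security form that would carry a SPNEGO/NTLMSSP token. Flags2 is read as its full 16-bit little-endian field, and the chained SMBtconX is followed through its AndXOffset to the IPC$ tree connect.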

