Snort mailing list archives
Re: Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt
From: Jose Costa <joselpcosta () yahoo com br>
Date: Thu, 30 Dec 2004 12:20:29 -0300 (ART)
I'm getting that too. Investigating... Any news, please let me know.

Rgds,
Jose Costa

--- Andrea Venturoli <ml () netfence it> wrote:
Hello.
On a network I manage I'm getting a lot of the following messages:

Dec 29 12:00:00 mybdc snort: [1:2382:14] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.101.115:4269 -> 192.168.101.4:139

It started a few days ago, always from the same client IP (Windows 2000) to the same server IP (Samba BDC) and every 10-15 seconds.
Given this, I suspect some not so nice process on the client side and, while I believe this particular server can't be affected by this bug, I'd still love to stop it.
I've captured one such packet and here it is below. I really lack the knowledge to analyse it in detail, but I'd be happy if someone with more experience can give me any suggestions.

bye & Thanks
av.

11:01:00.931765 myclient.xxxxxxxx.yy.3507 > mybdc.xxxxxxxx.yy.netbios-ssn: P [tcp sum ok] 209:403(194) ack 95 win 65441
>>> NBT Packet
NBT Session Packet
Flags=0x0
Length=190 (0xbe)

SMB PACKET: SMBsesssetupX (REQUEST)
SMB Command   =  0x73
Error class   =  0x0
Error code    =  0 (0x0)
Flags1        =  0x18
Flags2        =  0x7
Tree ID       =  0 (0x0)
Proc ID       =  65279 (0xfeff)
UID           =  0 (0x0)
MID           =  64 (0x40)
Word Count    =  13 (0xd)
Com2=0x75
Res1=0x0
Off2=159 (0x9f)
MaxBuffer=16644 (0x4104)
MaxMpx=50 (0x32)
VcNumber=0 (0x0)
SessionKey=0x9347
CaseInsensitivePasswordLength=24 (0x18)
CaseSensitivePasswordLength=24 (0x18)
Res=0x0
Capabilities=0xD4
Pass1&Pass2&Account&Domain&OS&LanMan=
[000] C3 D5 24 4D 62 0F 5B B5  8D 66 66 0D BB 17 EE 01  \303\325$Mb\017[\265 \215ff\015\273\027\356\001
[010] DE 24 BA C8 36 C7 F4 1C  2D 43 CD 48 F7 3B FE 89  \336$\272\3106\307\364\034 -C\315H\367;\376\211
[020] 8E BB 9D 8A 05 84 45 00  02 25 05 C7 96 1A EA D5  \216\273\235\212\005\204E\000 \002%\005\307\226\032\352\325
[030] XX XX XX XX 00 XX XX XX  XX XX XX XX XX 00 57 69  user\000MYD OMAIN\000Wi
[040] 6E 64 6F 77 73 20 32 30  30 30 20 32 31 39 35 00  ndows 20 00 2195\000
[050] 57 69 6E 64 6F 77 73 20  32 30 30 30 20 35 2E 30  Windows  2000 5.0
[060] 00 00  \000\000

SMB PACKET: SMBtconX (REQUEST) (CHAINED)
smbvwv[]=
Com2=0xFF
Off2=190 (0xbe)
Flags=0x8
PassLen=1 (0x1)
Passwd&Path&Device=
PassLen=1 (0x1)
Passwd&Path&Device=
smb_bcc=20
smb_buf[]=
[000] 00 5C 5C XX XX XX XX XX  5C 49 50 43 24 00 3F 3F  \000\\MYBDC \IPC$\000??
[010] 3F 3F 3F 00  ???\000
 (DF) (ttl 128, id 61947, len 234)
0x0000 4500 00ea f1fb 4000 8006 bc49 c0a8 6573  E.....@..I..es
0x0010 c0a8 6504 0db3 008b e351 0141 eba9 1cb4  ..e......Q.A....
0x0020 5018 ffa1 8b8f 0000 0000 00be ff53 4d42  P............SMB
0x0030 7300 0000 0018 0748 0000 0000 0000 0000  s......H........
0x0040 0000 0000 0000 fffe 0000 4000 0d75 009f  ..........@..u..
0x0050 0004 4132 0000 0047 9300 0018 0018 0000  ..A2...G........
0x0060 0000 00d4 0000 0062 00c3 d524 4d62 0f5b  .......b...$Mb.[
0x0070 b58d 6666 0dbb 17ee 01de 24ba c836 c7f4  ..ff......$..6..
0x0080 1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445  .-C.H.;........E
0x0090 0002 2505 c796 1aea d5XX XXXX XX00 XXXX  ..%......user.MY
0x00a0 XXXX XXXX XXXX 0057 696e 646f 7773 2032  DOMAIN.Windows.2
0x00b0 3030 3020 3231 3935 0057 696e 646f 7773  000.2195.Windows
0x00c0 2032 3030 3020 352e 3000 0004 ff00 be00  .2000.5.0.......
0x00d0 0800 0100 1400 005c 5cXX XXXX XXXX 5c49  .......\\MYBDC\I
0x00e0 5043 2400 3f3f 3f3f 3f00                 PC$.?????.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
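The tcpdump decode quoted in the thread can be checked against the raw bytes it printed. The decoder below is an added example written for this archive page; it is not code from the thread, from Snort or from Samba. It embeds the unmasked part of the quoted hex dump (packet offsets 0x0000 through 0x0098, which covers the IPv4, TCP, NBT session and SMB headers, the SMBsesssetupX parameter block and the two 24-byte LM/NT responses; the account, domain and server names are masked with XX on the page and are left out), and walks the layers down to the session setup fields. The function name decode_session_setup, the DECODED constant and the dictionary keys are the example's own. What a defender triaging this alert gets from it: the request is the 13-word SMB_COM_SESSION_SETUP_ANDX form, which carries plain LM and NT responses, whereas a SPNEGO/NTLMSSP security blob (the ASN.1-encoded data the rule name refers to) is carried by the 12-word extended-security form, so the word count and the CAP_EXTENDED_SECURITY capability bit tell you at a glance which kind of session setup the sensor flagged.

```python
import struct

# Constructed from the unmasked part of the tcpdump hex dump quoted above
# (packet offsets 0x0000-0x0098).  From 0x0099 on the page masks the account,
# domain and server names with "XX", so those bytes are not embedded here.
PACKET_HEX = """
4500 00ea f1fb 4000 8006 bc49 c0a8 6573
c0a8 6504 0db3 008b e351 0141 eba9 1cb4
5018 ffa1 8b8f 0000 0000 00be ff53 4d42
7300 0000 0018 0748 0000 0000 0000 0000
0000 0000 0000 fffe 0000 4000 0d75 009f
0004 4132 0000 0047 9300 0018 0018 0000
0000 00d4 0000 0062 00c3 d524 4d62 0f5b
b58d 6666 0dbb 17ee 01de 24ba c836 c7f4
1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445
0002 2505 c796 1aea d5
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_EXTENDED_SECURITY = 0x0800   # SMB_FLAGS2_EXTENDED_SECURITY
FLAGS2_NT_STATUS = 0x4000           # SMB_FLAGS2_NT_STATUS
CAP_EXTENDED_SECURITY = 0x80000000  # set only by the 12-word (security blob) form


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_session_setup(pkt: bytes) -> dict:
    """Walk IPv4 -> TCP -> NBT session service -> SMB header -> SMBsesssetupX."""
    # IPv4: header length in 32-bit words, total length and id big-endian.
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack_from("!HH", pkt, 2)
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    out = {
        "src": _ipv4(pkt[12:16]), "dst": _ipv4(pkt[16:20]),
        "ip_total_length": total_len, "ip_id": ip_id, "ttl": ttl,
    }
    # TCP: ports, data offset in the high nibble of byte 12, window at byte 14.
    tcp = pkt[ihl:]
    out["sport"], out["dport"] = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    out["window"] = struct.unpack_from("!H", tcp, 14)[0]
    payload = tcp[data_off:]
    # NBT session service header: type, flags, 16-bit length (big-endian).
    nbt_type, _nbt_flags, nbt_len = struct.unpack_from("!BBH", payload, 0)
    if nbt_type != 0x00:
        raise ValueError("not an NBT session message")
    out["nbt_length"] = nbt_len
    # SMB header: 32 bytes, little-endian fields after the 4-byte magic.
    smb = payload[4:]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("no SMB header after the NBT header")
    out["command"] = smb[4]
    out["error_class"] = smb[5]
    out["error_code"] = struct.unpack_from("<H", smb, 7)[0]
    out["flags1"] = smb[9]
    # The quoted tcpdump prints Flags2=0x7; the raw bytes 07 48 are 0x4807
    # little-endian (NT status codes + extended security negotiation bits set).
    flags2, pid_high = struct.unpack_from("<HH", smb, 10)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    out.update(flags2=flags2, tid=tid, pid=(pid_high << 16) | pid_low, uid=uid, mid=mid)
    out["word_count"] = smb[32]
    out["extended_security_form"] = False
    if out["command"] != SMB_COM_SESSION_SETUP_ANDX or out["word_count"] != 13:
        return out  # only the 13-word (LM/NT response) session setup is decoded below
    # 13 parameter words = 26 bytes, then the 16-bit byte count, then the data block.
    (andx_cmd, _andx_res, andx_off, max_buf, max_mpx, vc_number, session_key,
     oem_pw_len, uni_pw_len, _reserved, caps) = struct.unpack_from("<BBHHHHIHHII", smb, 33)
    byte_count = struct.unpack_from("<H", smb, 59)[0]
    data = smb[61:61 + byte_count]
    out.update(andx_command=andx_cmd, andx_offset=andx_off, max_buffer=max_buf,
               max_mpx=max_mpx, vc_number=vc_number, session_key=session_key,
               oem_password_len=oem_pw_len, unicode_password_len=uni_pw_len,
               capabilities=caps, byte_count=byte_count,
               extended_security_form=bool(caps & CAP_EXTENDED_SECURITY))
    # The data block opens with the LM response and the NT response, sized by
    # the two password-length words; account/domain/OS strings follow (masked).
    out["lm_response"] = data[:oem_pw_len]
    out["nt_response"] = data[oem_pw_len:oem_pw_len + uni_pw_len]
    return out


DECODED = decode_session_setup(PACKET)

if __name__ == "__main__":
    for key, value in DECODED.items():
        print(f"{key:>22}: {value.hex() if isinstance(value, bytes) else value}")
```

Running the file prints one line per decoded field; the addresses, ports, window, IP id and length, NBT length, PID, MID, word count, AndX offset, MaxBuffer, MaxMpx, session key, password lengths and capabilities all match the values in the quoted tcpdump output, and the LM/NT response bytes match its [000]-[020] lines. The one place the script and the quoted decode differ is Flags2, where tcpdump printed only 0x7 for the raw bytes 07 48.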
Current thread:
- Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt Andrea Venturoli (Dec 29)
- Re: Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt Jose Costa (Dec 30)