February 27th, 2003, 04:16 PM
The "CKAAAAAA" is the netbios name query wildcard. (More proof of a samba box??)
Take a look here: (look at sample number 6)
...
February 27th, 2003, 02:42 PM
str34m3r
A DNS lookup isn't a netbios name lookup and this is a netbios name query NOT a dns "name query". (which I believe is the point you're trying to make??)
If I remember correctly Windows...
February 27th, 2003, 01:30 AM
I know the feeling. I too joined the site looking to interact with more security pros, but instead find the site filled with students (nothing wrong with this, I'm just not in the teaching mode if...
February 26th, 2003, 06:03 PM
That's part of Grim (Ping Companion) features, so I win unless you can prove you didn't read my post or we're both wrong. :)
February 26th, 2003, 11:26 AM
So, Don are you ever going to tell us what the packet capture was all about or is this thread just going to die on the vine like the other one?
Security forum..hmmmmmmmm........ Guess I'll stick...
February 25th, 2003, 01:38 PM
Window size can change based on network congestion (sender based flow control IE: congestion window which is not advertised. Look into "slow start" or "congestion avoidance" in TCP/IP) or the buffer...
February 20th, 2003, 06:51 PM
It's netbios traffic (a name query), notice ......
212.x.x.x->200.x.x.x
Time 9:10:35:689
0000: 00 07 50 F6 0F 60 00 30 65 2E B5 C0 08 00 45 00 ..P..`.0e.....E.
0010: 00 4E EC 68 00 00 65 11...
February 19th, 2003, 05:02 PM
10dedfish
TCPdump has a brother called Windump which runs on Windows systems or you can simply move the dump to a *nix system. However, I didn't go back through the thread to check how he got the...
February 17th, 2003, 05:20 PM
A good analysis TS :)
The 10.x.x.x subnet is a private subnet and therefore should not be routable across the public domain. It will be forwarded to its destination because the routers do not...
February 17th, 2003, 02:13 PM
Do you have a packet capture of this traffic you could post?
It's hard to tell what's going on based on your logs, however it's not a scan from the internet since the source IP is a reserved one....
February 14th, 2003, 04:22 PM
I too find the "wintask" packets interesting. Notice that both syn packets contain an ack which means this is a response to something.
It looks like the attacker is testing the FTP server...
February 14th, 2003, 03:02 PM
My 2 cents .....
My first look at the packet capture doesn't support fragmentation. (I performed a translation of the hex dump provided)
First, there is no fragmentation offset in any of the...
February 10th, 2003, 07:09 AM
Also, using Algen's methods to get access to the NTFS partition, you could remove (copy to a floppy and then delete) the SAM file which will reset the admin. account password to a blank one. Note...
February 10th, 2003, 06:52 AM
Hey, I'm a new guy and I would just like to say "Hello". :cool:
I look forward to learning many interesting things at this site.
February 10th, 2003, 06:31 AM
I have seen routers send packets with a source ip in the 10.x.x.x range. The IP type of 89 (it's not a port number, see post #4) and the multicast address of 224.0.0.5 point to a router using OSPF....