
Thread: Packet decode required

  1. #11
    str34m3r
    Guest
    In certain cases, when a Windows machine isn't able to get an answer using DNS (port 53), it will attempt to use port 137 and/or port 139 to get at least some sort of name to associate with that IP address. I've seen it happen live on my work network, so there's really no way you can tell me it doesn't happen.

    I'm not sure exactly what versions of Windows do it, and I'm not sure what weird and twisted configuration has to be in place. The system I saw this behavior on was a Windows NT box which was dual-homed (against policy). The box was using NetBIOS on both 137 and 139 to try to resolve an IP address it saw on its second network. The lookups threw up a flag, which is how we came to know about his dual-homed box.

  2. #12
    Junior Member
    Join Date
    Feb 2003
    Posts
    15
    The "CKAAAAAA" is the NetBIOS name query wildcard. (More proof of a Samba box??)

    Take a look here (look at sample number 6):

    http://216.239.53.100/search?q=cache...n&ie=UTF-8


    More info here:

    http://www.sans.org/y2k/061500.htm

    Possible pre-attack scan??? Info here (notice the high source port):

    http://archives.neohapsis.com/archiv...0-01/0222.html


    Edit: str34m3r, I thought I just said the same thing!!!

    I'm not trying to tell you it DOESN'T do it, only why the packets are not the same but perform the same function. (Notice the use of the WILDCARD "CKAAAAA" sent to the target's port 137. This type of packet should only be seen going to port 137; if someone has info on these packets being sent to 139, PLEASE provide it, as I would be very interested in looking into that.) In other words, this is NOT a name query (i.e. name-to-IP resolution) but a NAMES query (i.e. a query for a listing of NetBIOS names at that host).

    HEHEHHE... you've been on this board too long talking to too many kiddies. I'm not trying to attack you or prove you wrong. Frankly, I don't care enough for that. But if we ALL take a moment to listen to others, we might ALL learn a new thing or two. So if you disagree, please explain why and I'll be willing to listen and learn.

    Like I said to don the other day... I'm not interested in "teaching" anyone anything, but I would love to share information with other pros.

    end of long rant!!!
    Ferengi Rules of Acquisition:

    Rule 59 Free advice is seldom cheap.

  3. #13
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    That, ladies and germs, is the crux of the matter. One should only see this type of traffic on port 137. Anything else and one should start digging.
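The two posts above hinge on the same wire detail: the "CKAAAA..." string is the first-level encoding (RFC 1001/1002) of the node status wildcard name, a '*' followed by fifteen NUL bytes, and a NBSTAT (0x0021) question carrying it asks a host for its NetBIOS name table rather than resolving one name to an IP. The Python below is an added example, not code posted in this thread: it encodes and decodes first-level names, builds both kinds of NBNS question, and classifies a captured question payload together with its UDP destination port, flagging anything that is not a plain name/node-status query to port 137 for the "start digging" case. Function names and the sample packets are my own construction; no live traffic is sent.

```python
import struct
from typing import Tuple

PORT_NBNS = 137        # NetBIOS name service, UDP
QTYPE_NB = 0x0020      # name query: NetBIOS name -> IP address
QTYPE_NBSTAT = 0x0021  # node status query: list of names registered at a host

# Node status "wildcard" name: '*' followed by fifteen NUL bytes (RFC 1002, 4.2.17).
WILDCARD_NAME = b"*" + b"\x00" * 15


def encode_netbios_name(raw16: bytes) -> str:
    """First-level encoding (RFC 1001, 14.1): each byte becomes two letters,
    'A' + high nibble and 'A' + low nibble. '*' (0x2A) becomes 'CK' and NUL
    becomes 'AA', which is where the 'CKAAAA...' seen on the wire comes from."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes (15 chars + suffix)")
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw16)


def decode_netbios_name(encoded: str) -> bytes:
    """Reverse of encode_netbios_name; only letters 'A'..'P' are valid nibbles."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("malformed first-level encoded name")
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((ord(h) - ord("A")) << 4) | (ord(l) - ord("A")) for h, l in pairs)


def netbios_name(text: str, suffix: int = 0x00) -> bytes:
    """Pad a human-readable name to 15 bytes with spaces and append the suffix byte."""
    return text.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def build_query(txid: int, raw16: bytes, qtype: int, flags: int) -> bytes:
    """NBNS request: 12-byte header (txid, flags, QD/AN/NS/AR counts), one
    question: length byte 0x20, 32-char encoded name, NUL, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(raw16).encode("ascii") + b"\x00"
    return header + question + struct.pack(">HH", qtype, 0x0001)


def build_node_status_request(txid: int) -> bytes:
    """What nbtstat -A / Samba's nmblookup -S put on the wire: wildcard + NBSTAT."""
    return build_query(txid, WILDCARD_NAME, QTYPE_NBSTAT, flags=0x0000)


def build_name_query(txid: int, name: str, broadcast: bool = True) -> bytes:
    """Ordinary name-to-IP lookup. NM_FLAGS: recursion desired 0x0100, broadcast 0x0010."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    return build_query(txid, netbios_name(name), QTYPE_NB, flags)


def parse_query(payload: bytes) -> dict:
    """Decode one NBNS question; raises on anything that is not a single-label query."""
    if len(payload) < 50:
        raise ValueError("too short for an NBNS question")
    txid, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if payload[12] != 32 or payload[45] != 0:
        raise ValueError("expected a single 32-char label")
    encoded = payload[13:45].decode("ascii")
    qtype, _qclass = struct.unpack(">HH", payload[46:50])
    raw = decode_netbios_name(encoded)
    return {
        "txid": txid, "flags": flags, "encoded": encoded, "qtype": qtype,
        "name": raw[:15].rstrip(b" "), "suffix": raw[15],
        "wildcard": raw == WILDCARD_NAME,
    }


def classify(dst_port: int, payload: bytes) -> Tuple[str, bool]:
    """Return (human label, suspicious). Suspicious means: not a NB/NBSTAT
    question, or a name-service question aimed at a port other than 137."""
    q = parse_query(payload)
    if q["qtype"] == QTYPE_NBSTAT and q["wildcard"]:
        label = "node status (NAMES) query, wildcard"
    elif q["qtype"] == QTYPE_NBSTAT:
        label = "node status query for %r" % q["name"]
    elif q["qtype"] == QTYPE_NB:
        label = "name query (name -> IP) for %r<%02x>" % (q["name"], q["suffix"])
    else:
        label = "unexpected qtype 0x%04x" % q["qtype"]
    suspicious = dst_port != PORT_NBNS or q["qtype"] not in (QTYPE_NB, QTYPE_NBSTAT)
    return label, suspicious


if __name__ == "__main__":
    # Constructed samples: the same NBSTAT payload to 137 (expected) and to 139 (dig).
    nbstat = build_node_status_request(0x1234)
    print("encoded wildcard:", encode_netbios_name(WILDCARD_NAME))
    for port in (137, 139):
        print(port, classify(port, nbstat))
    print(137, classify(137, build_name_query(0x0001, "FILESRV")))
```

Run it as-is and the wildcard prints as "CK" followed by thirty "A"s; the identical payload is reported as suspicious only when the destination port is not 137, which is the check the last post asks for. To use it on real captures, feed classify() the UDP payload and destination port from your packet source (the block deliberately has no capture dependency).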
