-
In certain cases when a Windows machine isn't able to get an answer using DNS (port 53), it will attempt to use port 137 and/or port 139 to get at least some sort of name to associate with that IP address. I've seen it happen live on my work network, so there's really no way you can tell me it doesn't happen.
I'm not sure exactly what versions of Windows do it, and I'm not sure what weird and twisted configuration has to be in place. The system I saw this behavior on was a Windows NT box which was dual-homed (against policy). The box was using NetBIOS on both 137 and 139 to try to resolve an IP address it saw on its second network. The lookups threw up a flag, which is how we came to know about his dual-homed box.
-
The "CKAAAAAA" is the NetBIOS name query wildcard. (More proof of a Samba box??)
Take a look here (look at sample number 6):
http://216.239.53.100/search?q=cache...n&ie=UTF-8
More info here:
http://www.sans.org/y2k/061500.htm
Possible pre-attack scan??? Info here (notice the high source port):
http://archives.neohapsis.com/archiv...0-01/0222.html
Edit: str34m3r, I thought I just said the same thing!!! :)
I'm not trying to tell you it DOESN'T do it, only why the packets are not the same but perform the same function. :) (Notice the use of the WILDCARD "CKAAAAA" sent to the target's port 137. This type of packet should only be seen going to port 137; if someone has info on these packets being sent to 139, PLEASE provide it, as I would be very interested in looking into that.) In other words, this is NOT a name query (i.e. name to IP resolution) but a NAMES query (i.e. a query for a listing of NetBIOS names at that host).
HEHEHHE... you've been on this board too long talking to too many kiddies :D I'm not trying to attack you or prove you wrong. Frankly, I don't care enough for that. But if we ALL take a moment to listen to others, we might ALL learn a new thing or two. So if you disagree, please explain why and I'll be willing to listen and learn.
Like I said to don the other day, I'm not interested in "teaching" anyone anything, but I would love to share information with other pros.
end of long rant!!!
-
That, ladies and germs, is the crux of the matter. One should only see this type of traffic on port 137. Anything else and one should start digging.
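As an added example (not code from anyone in this thread), the script below shows why the wildcard appears on the wire as "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": it implements the RFC 1001 first-level name encoding, parses the question section of a NetBIOS Name Service (NBNS) datagram, tells a plain name query (type 0x20) apart from a node-status "names" query (type 0x21), and applies the rule stated in the last post: a wildcard NBSTAT query to UDP/137 is ordinary, the same payload aimed at any other port (139 here) is flagged. The sample datagrams and addresses are constructed inline, and the parser assumes a single-question query with no NetBIOS scope ID.

```python
import struct
from typing import Optional, Tuple

NBNS_PORT = 137          # NetBIOS Name Service (UDP)
QTYPE_NB = 0x0020        # name query: NetBIOS name -> IP address
QTYPE_NBSTAT = 0x0021    # node status query: list of NetBIOS names held by a host
WILDCARD = "*"           # RFC 1002 wildcard name carried by an NBSTAT query


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes,
    append the one-byte suffix, then write each nibble as a letter 'A'..'P'.
    "*" (0x2A) becomes "CK"; its NUL padding and NUL suffix become thirty "A"s."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """Reverse the first-level encoding; returns (name, suffix byte)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_nbns_query(name: str, qtype: int, suffix: int = 0x00, txid: int = 0x1234) -> bytes:
    """Constructed NBNS query datagram (12-byte header + one question). Used here
    only to produce sample traffic for the detector; flags 0 = standard query."""
    pad = b"\x00" if name == WILDCARD else b" "
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix, pad).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 0x0001)


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the question of an NBNS query. Assumption: exactly one question and
    no scope ID, so the byte after the 32-character label is the 0 terminator."""
    if len(payload) < 50:
        raise ValueError("datagram too short for an NBNS question")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    if payload[12] != 32 or payload[45] != 0:
        raise ValueError("malformed question name")
    encoded = payload[13:45].decode("ascii")
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    name, suffix = decode_netbios_name(encoded)
    return {"txid": txid, "encoded": encoded, "name": name, "suffix": suffix,
            "qtype": qtype, "qclass": qclass,
            "wildcard_nbstat": name == WILDCARD and qtype == QTYPE_NBSTAT}


def classify_datagram(dst_port: int, payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (severity, message) for a UDP datagram, or None if it is not an NBNS query."""
    try:
        q = parse_nbns_query(payload)
    except (ValueError, UnicodeDecodeError):
        return None
    on_137 = dst_port == NBNS_PORT
    if q["wildcard_nbstat"]:
        if on_137:
            return ("info", "NBSTAT wildcard (CKAAAA...) query to udp/137: normal name-table request")
        return ("alert", f"NBSTAT wildcard query sent to port {dst_port}: expected only on udp/137")
    if q["qtype"] == QTYPE_NB:
        where = "udp/137" if on_137 else f"unexpected port {dst_port}"
        return ("info" if on_137 else "alert",
                f"name query for {q['name']!r}<{q['suffix']:02X}> on {where}")
    return ("info", f"NBNS qtype 0x{q['qtype']:04X} for {q['name']!r} on port {dst_port}")


# Constructed sample flows (src, sport, dst, dport, payload), not captured traffic.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 137, "10.0.0.255", 137, build_nbns_query("FILESERVER", QTYPE_NB, 0x20)),
    ("10.0.0.5", 137, "10.0.0.9", 137, build_nbns_query(WILDCARD, QTYPE_NBSTAT)),
    ("10.0.0.5", 61234, "10.0.0.9", 139, build_nbns_query(WILDCARD, QTYPE_NBSTAT)),
]


def run_detector(datagrams=SAMPLE_DATAGRAMS):
    """Classify each datagram; returns (src, sport, dst, dport, severity, message) rows."""
    results = []
    for src, sport, dst, dport, payload in datagrams:
        verdict = classify_datagram(dport, payload)
        if verdict:
            results.append((src, sport, dst, dport) + verdict)
    return results


if __name__ == "__main__":
    for row in run_detector():
        print(row)
```

The third sample is the case the thread argues about: the same wildcard node-status question, but carried to port 139 instead of 137, which the rule of the last post turns into an alert. Feeding real traffic would mean pulling UDP payloads off a capture and passing each with its destination port to `classify_datagram`.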