Re: [fw-wiz] Help w/ Port 137 Traffic

• Previous message: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• In reply to: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Next in thread: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Next in thread: Frederick M Avolio: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Reply: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 13 Oct 2002, Mikael Olsson wrote:

> > know- I don't run Windows, so I haven't played with doing NetBIOS stuff
> > and don't know what the normal programming sequence is for enumerating
> > shares, and as we don't let customers expose NetBIOS ports at all, this
> > was never high on my list of things to worry about.
> 
> I've personally never seen share enumeration being done over port 137.
> I have only seen it done over 139, and I guess it can be done over 
> port 445 as well.

By "sequence" I meant "Do name lookup, then go enumerate shares."  
Depending on what the worm is written with, there could be a 
"go_check_for_shares()" that does a name lookup then enumerates the 
shares- sequence being a series of events, not a method.

Sometimes the sequence of events can lead to clues about the author- and 
sometimes their toolset restricts how they perform certain functions (the 
last Windows malcode I had my hands on, for instance was written in 
Delphi- and I *know* from making feature requests and dealing with systems 
that can't talk SMTP right that most Delphi authors use components that 
they have no control over- those may have a particular sequence of events, 
or all the common examples of "how to do $foo" may use a particular 
sequence, such as "get computer name from IP address" then "go look for 
open shares.")  I simply don't know enough about Windows programming to 
know if doing the name lookup gains something, or is normal, or rather is 
an artifact of a particular toolset (we have folks who track Windows 
malcode, I'm not one.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Next message: Mike McCandless: "[fw-wiz] RE: Help w/ Port 137 Traffic"
• Previous message: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• In reply to: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Next in thread: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Next in thread: Frederick M Avolio: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Reply: Mikael Olsson: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 06:12:19 PDT