Re: Unusual volume: UDP:137 probes

From: Scott McGee (scottmcgeeat_private)
Date: Mon Sep 30 2002 - 11:27:02 PDT


    Here are some example tcpdumps of the netbios probes:
    
    tcpdump -xX -v -i eth1 udp port 137
    
    11:10:54.373723 200-158-48-226.dsl.telesp.net.br.1025 >
    ca-crlsca-cuda2-c6a.crlsca.adelphia.net.netbios-ns:  [udp sum ok]
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    TrnID=0x100
    OpCode=0
    NmFlags=0x1
    Rcode=0
    QueryCount=1
    AnswerCount=0
    AuthorityCount=0
    AddressRecCount=0
    QuestionRecords:
    Name=*               NameType=0x00 (Workstation)
    QuestionType=0x21
    QuestionClass=0x1
    
     (ttl 102, id 22089, len 78)
    0x0000   4500 004e 5649 0000 6611 c8a8 c89e 30e2             E..NVI..f.....0.
    0x0010   4446 f7e6 0401 0089 003a 85f9 0100 0010             DF.......:......
    0x0020   0001 0000 0000 0000 2043 4b41 4141 4141             .........CKAAAAA
    0x0030   4141 4141 4141 4141 4141 4141 4141 4141             AAAAAAAAAAAAAAAA
    0x0040   4141 4141 4141 4141 4100 0021 0001                  AAAAAAAAA..!..
    
    11:12:25.241600 209.136.250.227.1030 >
    ca-crlsca-cuda2-c6a.crlsca.adelphia.net.netbios-ns:  [udp sum ok]
    >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
    TrnID=0x100
    OpCode=0
    NmFlags=0x1
    Rcode=0
    QueryCount=1
    AnswerCount=0
    AuthorityCount=0
    AddressRecCount=0
    QuestionRecords:
    Name=*               NameType=0x00 (Workstation)
    QuestionType=0x21
    QuestionClass=0x1
    
     (ttl 46, id 7690, len 78)
    0x0000   4500 004e 1e0a 0000 2e11 65fc d188 fae3             E..N......e.....
    0x0010   4446 f7e6 0406 0089 003a b308 0100 0010             DF.......:......
    0x0020   0001 0000 0000 0000 2043 4b41 4141 4141             .........CKAAAAA
    0x0030   4141 4141 4141 4141 4141 4141 4141 4141             AAAAAAAAAAAAAAAA
    0x0040   4141 4141 4141 4141 4100 0021 0001                  AAAAAAAAA..!..
    
    
    | >
    | > Packet contents seem to be "normal".
    |
    | Yep. Look normal here too.
    |
    
    
    Scott
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
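Added example, not part of Scott's post or of the list: a small Python parser for the NetBIOS name-service query shown in the dumps above. It re-types the UDP payload of the first dump, undoes the RFC 1001 first-level name encoding (the "CKAAAA..." string is "*" padded with nulls) and flags the QuestionType 0x21 node-status query for the wildcard name, which is the field a detection rule for these probes should key on.

```python
import struct

# UDP payload of the first dump in the post (offset 0x1c onward), re-typed from the hex.
NBNS_PROBE = bytes.fromhex(
    "0100 0010 0001 0000 0000 0000 2043 4b41 4141 4141"
    "4141 4141 4141 4141 4141 4141 4141 4141"
    "4141 4141 4141 4141 4100 0021 0001"
)
QTYPE_NBSTAT = 0x21  # NODE STATUS REQUEST (RFC 1002)


def decode_first_level(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: each nibble is sent as 'A' + nibble."""
    if len(encoded) != 32 or any(b < 0x41 or b > 0x50 for b in encoded):
        raise ValueError("not a 32-byte first-level encoded NetBIOS name")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    return bytes(raw)  # 15-byte name followed by the 1-byte suffix


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the header and first question of a NetBIOS Name Service request."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, *counts = struct.unpack("!6H", payload[:12])
    if counts[0] < 1:
        raise ValueError("no question record")
    off = 12
    if len(payload) < off + 33 or payload[off] != 32:
        raise ValueError("malformed NetBIOS name label")
    raw = decode_first_level(payload[off + 1:off + 33])
    off += 33
    while off < len(payload) and payload[off] != 0:  # skip scope labels, if any
        off += 1 + payload[off]
    if len(payload) < off + 5:
        raise ValueError("truncated question record")
    qtype, _qclass = struct.unpack("!HH", payload[off + 1:off + 5])
    name = raw[:15].rstrip(b"\x00 ").decode("ascii", errors="replace")
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0xF,
        "nm_flags": (flags >> 4) & 0x7F,  # 0x1 = broadcast bit, as tcpdump printed
        "counts": tuple(counts),  # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
        "name": name,
        "suffix": raw[15],
        "qtype": qtype,
        # NBSTAT for "*" asks a host to list every name it has registered.
        "wildcard_node_status": qtype == QTYPE_NBSTAT and name == "*",
    }
```

Run `parse_nbns_query(NBNS_PROBE)` to get the same fields tcpdump printed (TrnID=0x100, NmFlags=0x1, Name=*, QuestionType=0x21) plus the `wildcard_node_status` verdict.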



    This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 14:19:10 PDT