Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
- To: Darren Bounds <dbounds@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
- From: "Adriel T. Desautels" <simon@xxxxxxxxxxx>
- Date: Tue, 15 Aug 2006 19:55:26 -0400
Darren, my apologies. ;]
Darren Bounds wrote:
> Adriel,
>
> I was replying to Dude VanWinkle, who's been chasing down the src/dst port 0
> unnecessarily.
>
> On 8/15/06, Adriel T. Desautels <simon@xxxxxxxxxxx> wrote:
>>
>> Darren,
>> I did notice what type of packet it was and I also know what the
>> packet signifies. The issue that I am having is that there has never
>> been any outbound UDP activity to the host that is replying to this
>> network. The payloads of the ICMP packets are a bit weird too,
>> containing either X'es or |'s or encoded strings. What I am trying to
>> figure out is if anyone here recognizes these types of payloads and
>> knows what could be generating them?
>>
>> so just to be clear...
>>
>> I want info about the payload not about ICMP!
>>
>> Darren Bounds wrote:
>> > Dude,
>> >
>> > In case you've failed to notice, this is an ICMP port unreachable message.
>> > It's sent in response to a UDP packet destined for an unavailable UDP port.
>> > The port '0' referenced in the event source/destination is meaningless as
>> > ICMP doesn't use source and destination ports (it is always '0').
>> >
>> > The payload of the ICMP unreachable message contains original IP header (of
>> > the initial UDP packet) and at least 64 bits (8 bytes) of original data
>> > datagram. The size of data echoed will vary depending on the implementation.
>> >
>> >
>> >
>> >
>> > On 8/15/06, Dude VanWinkle <dudevanwinkle@xxxxxxxxx> wrote:
>> >>
>> >> On 8/15/06, Julio Cesar Fort <julio@xxxxxxxxxxxxxxx> wrote:
>> >> > Dude VanWinkle,
>> >> >
>> >> > > <snip>
>> >> > > -----------------------------
>> >> > > Looks to me like they are using port 0.
>> >> > > http://www.grc.com/port_0.htm
>> >> > > -JP
>> >> >
>> >> > *NEVER TRUST* Steve Gibson. I bet he smokes crack. See
>> >> > http://attrition.org/errata/charlatan.html#gibson for more details.
>> >>
>> >>
>> >> thanks for the tip!
>> >>
>> >> Still, I can't seem to help but think there is something to this port 0
>> >> thingy
>> >>
>> >> http://www.networkpenetration.com/port0.html
>> >>
>> >> <snip>
>> >>
>> >> 3. Port 0 OS Fingerprinting
>> >> ---------------------------
>> >> As port 0 is reserved for special use as stated in RFC 1700. Coupled
>> >> with the fact that this port number is reassigned by the OS, no
>> >> traffic should flow over the internet using this port. As the
>> >> specifics are not clear different OS's have different ways of handling
>> >> traffic using port 0 thus they can be fingerprinted.
>> >>
>> >> --------------------------------------------
>> >>
>> >> I guess that is just a reaction to traffic and not actual traffic via
>> >> port 0, but still nifty info
>> >>
>> >> -JP
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >
>> >
>> >
>> >
>>
>>
>> --
>>
>> Regards,
>> Adriel T. Desautels
>> SNOsoft Research Team
>> Office: 617-924-4510 || Mobile : 857-636-8882
>>
>> ----------------------------------------------
>> Vulnerability Research and Exploit Development
>>
>>
>>
>>
>>
>> BullGuard Anti-virus has scanned this e-mail and found it clean.
>> Try BullGuard for free: www.bullguard.com
>>
>>
>>
>
>
--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
----------------------------------------------
Vulnerability Research and Exploit Development
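
Added example (not part of the original thread and not code from any of the posters): a Python parser for the ICMP port unreachable layout described in the quoted message above. It pulls the original IP addresses, UDP ports and any extra echoed bytes out of the quoted header, so they can be compared against outbound flow records. The function names, addresses (documentation ranges), ports and payload bytes are constructed for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH, CODE_PORT_UNREACH, PROTO_UDP = 3, 3, 17

def parse_port_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP message (starting at the ICMP header) and return the
    quoted original IPv4/UDP header fields plus any extra echoed bytes."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if (icmp_type, icmp_code) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        raise ValueError(f"not a port unreachable: type={icmp_type} code={icmp_code}")
    quoted = icmp[8:]                     # skip type, code, checksum, 4 unused bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("no quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4          # IP header length; options make it > 20
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram shorter than IP header + 8 bytes")
    proto = quoted[9]
    result = {
        "orig_src": socket.inet_ntoa(quoted[12:16]),   # host that sent the UDP packet
        "orig_dst": socket.inet_ntoa(quoted[16:20]),   # host now reporting the error
        "orig_proto": proto,
    }
    if proto == PROTO_UDP:
        # The first 8 quoted bytes after the IP header are the UDP header,
        # which is where the real ports live (ICMP itself has none).
        sport, dport, ulen, _cksum = struct.unpack("!HHHH", quoted[ihl:ihl + 8])
        result.update(orig_sport=sport, orig_dport=dport, orig_udp_len=ulen,
                      echoed_data=quoted[ihl + 8:])    # implementation-dependent extra
    return result

def build_sample() -> bytes:
    """Constructed sample message; checksums are left at zero and not verified."""
    udp = struct.pack("!HHHH", 40000, 9999, 8 + 4, 0) + b"XXXX"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0) + ip + udp

if __name__ == "__main__":
    for key, value in parse_port_unreachable(build_sample()).items():
        print(f"{key}: {value}")
```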