funsec mailing list archives

Re: question on scanning for Conficker


From: Jason Ross <algorythm () gmail com>
Date: Wed, 1 Apr 2009 00:13:19 -0400

On Tue, Mar 31, 2009 at 21:13, RandallM <randallm () fidmail com> wrote:
> what is a common thing to notice about scanning for Conficker? One
> site said a simple scan can distinguish between clean and unclean ..:
>
> "Another option is to actively scan for Conficker machines. There is a
> way to distinguish infected machines from clean ones based on the
> error code for some specially crafted RPC messages. Conficker tries to
> filter out further exploitation attempts which results in uncommon
> responses"
> http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker
>
>
> Therefore, does this mean it gives what kind of response back..closes
> the response or what? What "error code" will it produce?

Hosts which have been 'patched' by Conficker send back a different
response than those which are not infected, whether or not they've
been patched with MS08-067. The Python-based scanner from the authors
of the article quoted checks for this specific response:

import struct

# response: the RPC reply read back from the probed host; ip: its address
if len(response) >= 16:
    # first four DWORDs of the reply, native byte order (little-endian on x86,
    # matching the RPC data representation)
    result = struct.unpack('IIII', response[:16])

    # an infected host answers the probe with exactly this pair of values
    if result[1] == 0x5c450000 and result[3] == 0x00000057:
        print '[WARNING] %s seems to be infected by Conficker!' % ip

<snip>

> Any input for me?


Below is a capture of the packets sent by the smb scanner tool and the
associated responses from a host infected with Conficker.C (note
packet 16 specifically). Not sure if this really answers the questions
you have, hopefully it helps a little anyway (if it doesn't, I blame
lack of sleep and insufficient quantity of caffeine consumption on my
part ;-)

--
jason


== packet capture (tshark -x -i wlan0 port 445) ==

  1   0.000000   10.0.1.102 -> 10.0.1.138 TCP 49589 > microsoft-ds
[SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=12795859 TSER=0 WS=6

  2   0.006598 10.0.1.138 -> 10.0.1.102   TCP microsoft-ds > 49589
[SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0 TSV=0 TSER=0

  3   0.006628   10.0.1.102 -> 10.0.1.138 TCP 49589 > microsoft-ds
[ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=12795861 TSER=0

  4   0.006776   10.0.1.102 -> 10.0.1.138 SMB Negotiate Protocol Request

  5   0.011667 10.0.1.138 -> 10.0.1.102   SMB Negotiate Protocol Response

  6   0.011694   10.0.1.102 -> 10.0.1.138 TCP 49589 > microsoft-ds
[ACK] Seq=52 Ack=112 Win=5888 Len=0 TSV=12795862 TSER=22223

  7   0.014027   10.0.1.102 -> 10.0.1.138 SMB Session Setup AndX
Request, User: anonymous

  8   0.029355 10.0.1.138 -> 10.0.1.102   SMB Session Setup AndX Response

  9   0.032666   10.0.1.102 -> 10.0.1.138 SMB Tree Connect AndX
Request, Path: \\*SMBSERVER\IPC$

 10   0.034341 10.0.1.138 -> 10.0.1.102   SMB Tree Connect AndX Response

 11   0.038222   10.0.1.102 -> 10.0.1.138 SMB NT Create AndX Request,
Path: \browser

 12   0.045916 10.0.1.138 -> 10.0.1.102   SMB NT Create AndX Response,
FID: 0x4001, FID: 0x4001

 13   0.051168   10.0.1.102 -> 10.0.1.138 DCERPC Bind: call_id: 1 SRVSVC V3.0

 14   0.053295 10.0.1.138 -> 10.0.1.102   DCERPC Bind_ack: call_id: 1
accept max_xmit: 4280 max_recv: 4280

 15   0.053697   10.0.1.102 -> 10.0.1.138 SRVSVC NetPathCanonicalize request

0000  00 1c df 03 8d dc 00 1c bf 45 a0 78 08 00 45 00   .........E.x..E.
0010  00 e2 4b 6b 40 00 40 06 4c 51 0a 00 01 66 d0 69   ..Kk@.@.LQ...f.i
0020  c6 8a c1 b5 01 bd 44 bb 76 71 41 9b c6 f2 80 18   ......D.vqA.....
0030  00 7d 91 31 00 00 01 01 08 0a 00 c3 3f e0 00 00   .}.1........?...
0040  56 cf 00 00 00 aa ff 53 4d 42 25 00 00 00 00 00   V......SMB%.....
0050  01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 08   ................
0060  94 58 01 08 00 00 10 00 00 60 00 00 04 e0 ff 00   .X.......`......
0070  00 00 00 00 00 00 00 00 00 00 00 4a 00 60 00 4a   ...........J.`.J
0080  00 02 00 26 00 01 40 67 00 5c 50 49 50 45 5c 00   ...&..@g.\PIPE\.
0090  05 00 00 03 10 00 00 00 60 00 00 00 01 00 00 00   ........`.......
00a0  48 00 00 00 00 00 1f 00 01 00 00 00 02 00 00 00   H...............
00b0  00 00 00 00 02 00 00 00 61 00 00 00 06 00 00 00   ........a.......
00c0  00 00 00 00 06 00 00 00 5c 00 2e 00 2e 00 5c 00   ........\.....\.
00d0  00 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00   ................
00e0  02 00 00 00 5c 00 00 00 01 00 00 00 01 00 00 00   ....\...........

 16   0.065004 10.0.1.138 -> 10.0.1.102   SRVSVC NetPathCanonicalize
response, Error: Unknown DOS error 0x5c450000[Long frame (8 bytes)]

0000  00 1c bf 45 a0 78 00 1c df 03 8d dc 08 00 45 00   ...E.x........E.
0010  00 98 1e 98 40 00 7f 06 3a 6e d0 69 c6 8a 0a 00   ....@...:n.i....
0020  01 66 01 bd c1 b5 41 9b c6 f2 44 bb 77 1f 80 18   .f....A...D.w...
0030  42 02 6e 7f 00 00 01 01 08 0a 00 00 56 cf 00 c3   B.n.........V...
0040  3f e0 00 00 00 60 ff 53 4d 42 25 00 00 00 00 80   ?....`.SMB%.....
0050  01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 08   ................
0060  94 58 01 08 00 00 0a 00 00 28 00 00 00 00 00 38   .X.......(.....8
0070  00 00 00 28 00 38 00 00 00 00 00 29 00 00 05 00   ...(.8.....)....
0080  02 03 10 00 00 00 28 00 00 00 01 00 00 00 10 00   ......(.........
0090  00 00 00 00 00 00 02 00 00 00 00 00 45 5c 01 00   ............E\..
00a0  00 00 57 00 00 00                                 ..W...

 17   0.066081   10.0.1.102 -> 10.0.1.138 SMB Tree Disconnect Request

 18   0.078931 10.0.1.138 -> 10.0.1.102   SMB Tree Disconnect Response

 19   0.080254   10.0.1.102 -> 10.0.1.138 SMB Logoff AndX Request

 20   0.083332 10.0.1.138 -> 10.0.1.102   SMB Logoff AndX Response

 21   0.083489   10.0.1.102 -> 10.0.1.138 TCP 49589 > microsoft-ds
[FIN, ACK] Seq=705 Ack=703 Win=8000 Len=0 TSV=12795880 TSER=22224

 22   0.097466 10.0.1.138 -> 10.0.1.102   TCP microsoft-ds > 49589
[FIN, ACK] Seq=703 Ack=706 Win=16816 Len=0 TSV=22224 TSER=12795880

 23   0.097502   10.0.1.102 -> 10.0.1.138 TCP 49589 > microsoft-ds
[ACK] Seq=706 Ack=704 Win=8000 Len=0 TSV=12795883 TSER=22224
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
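To show what the scanner's check is actually matching in packet 16, here is an added Python 3 example (not the Bonn scanner's code and not from this thread) that walks the Ethernet/IPv4/TCP/NetBIOS/SMB/DCERPC headers of that frame to the 16-byte response stub and applies the same two-DWORD test; the "Unknown DOS error 0x5c450000" in the tshark summary is the second of those DWORDs. The frame bytes are copied from the capture above; the all-zero stub in the usage is a constructed placeholder, not a real clean reply.

```python
import struct

# Packet 16 from the capture above, copied from the tshark -x output
# (Ethernet frame onward): the NetPathCanonicalize reply of the infected host.
PACKET_16 = bytes.fromhex(
    "00 1c bf 45 a0 78 00 1c df 03 8d dc 08 00 45 00 "
    "00 98 1e 98 40 00 7f 06 3a 6e d0 69 c6 8a 0a 00 "
    "01 66 01 bd c1 b5 41 9b c6 f2 44 bb 77 1f 80 18 "
    "42 02 6e 7f 00 00 01 01 08 0a 00 00 56 cf 00 c3 "
    "3f e0 00 00 00 60 ff 53 4d 42 25 00 00 00 00 80 "
    "01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 08 "
    "94 58 01 08 00 00 0a 00 00 28 00 00 00 00 00 38 "
    "00 00 00 28 00 38 00 00 00 00 00 29 00 00 05 00 "
    "02 03 10 00 00 00 28 00 00 00 01 00 00 00 10 00 "
    "00 00 00 00 00 00 02 00 00 00 00 00 45 5c 01 00 "
    "00 00 57 00 00 00"
)

def rpc_stub_from_frame(frame):
    """Return the DCERPC response stub carried in an SMB Transaction reply."""
    ip = 14                                      # Ethernet header is 14 bytes
    tcp = ip + (frame[ip] & 0x0F) * 4            # IPv4 IHL -> header length
    payload = tcp + (frame[tcp + 12] >> 4) * 4   # TCP data offset
    smb = payload + 4                            # 4-byte NetBIOS session header
    if frame[smb:smb + 4] != b"\xffSMB" or frame[smb + 4] != 0x25:
        raise ValueError("not an SMB Transaction (0x25) response")
    wct = frame[smb + 32]                        # WordCount after 32-byte header
    words = struct.unpack_from("<%dH" % wct, frame, smb + 33)
    data_count, data_offset = words[6], words[7]  # DataCount, DataOffset
    pdu = frame[smb + data_offset: smb + data_offset + data_count]
    if pdu[0] != 5 or pdu[2] != 2:               # rpc_vers 5, ptype 2 = response
        raise ValueError("not a DCERPC response PDU")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    return pdu[24:frag_len]                      # 24-byte response header, then stub

def conficker_fingerprint(stub):
    """The scanner's test on the stub; '<' makes the RPC little-endian explicit."""
    if len(stub) < 16:
        return False
    result = struct.unpack("<IIII", stub[:16])
    return result[1] == 0x5C450000 and result[3] == 0x00000057

def stub_dwords(stub):
    """Hex view of the four DWORDs, the way the scanner (and tshark) see them."""
    return ["0x%08x" % v for v in struct.unpack("<IIII", stub[:16])]

if __name__ == "__main__":
    stub = rpc_stub_from_frame(PACKET_16)
    print("stub:", stub.hex(), stub_dwords(stub))
    print("infected fingerprint:", conficker_fingerprint(stub))
    # constructed placeholder, not a captured clean reply
    print("all-zero stub:", conficker_fingerprint(bytes(16)))
```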