Nmap Development mailing list archives

Re: pitching in on the port 138 idea


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 9 Sep 2008 22:00:18 -0500

On Tue, Sep 9, 2008 at 7:20 AM, mike <> wrote:

hey

i hope to get some more of you out there on board in this idea of trying to get info from the datagram port 138 
service. a friend of mine and i spent the day crafting several packets to initiate a response. we got the packet 
fields down to being almost flawless, except when it came to the nagging issue of the scope id! i was constantly 
getting protocol dissector errors related to the netbios name not being a proper first-level encoding. this was even 
after i had done the proper 32 byte mangle and added the scope at the end. i am lost at this point

i wish to pursue this with or without you guys simply because we have a tool like nmap that can easily dump the NAME 
table on 137 and SHARES on 139/445 and i simply feel the next step in the NETBIOS enumeration should be to retrieve 
the users BROWSER table, which is held on port 138. this can be done, i just know it! all that i have read tells me 
it can be done. i just don't know enough about why i am getting the errors i am seeing. i know i should be able to 
retrieve info because, for one, there is no security in place, as in, using an auth level to gain access. also, it 
even uses, in some cases, tcp for transferring MASTER BROWSER information and forcing elections. i apologize if i am 
taking up time in an "nmap only" related discussion, but i can see this being very viable if ever figured out and 
finally implemented. no tool i know of right now can dump info from this elusive service. let nmap be the first

m|ke

Can you share some of your methodology such as specific hping2 / scapy
/ raw packet creation you are attempting?

Also, if packet captures would be helpful to you, what exactly would you need?

-Jason
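For reference on the "32 byte mangle" and scope ID mike mentions, here is an added example (not code from this thread or from Nmap) of the RFC 1001/1002 NetBIOS name encoding as a dissector expects it on the wire: the length byte, the 32-character first-level encoding, then the scope ID as length-prefixed labels ending in a zero byte. The sample name, scope and function names are illustrative choices of mine.

```python
# Added example: RFC 1001/1002 NetBIOS name encoding with an optional scope ID.
# Sample values (WORKGROUP, example.com) and function names are constructed here.

def first_level_encode(name: str, suffix: int = 0x00) -> bytes:
    """Pad NAME with spaces to 15 bytes, append the 1-byte suffix
    (0x00 workstation, 0x1D master browser), then split every byte into
    two nibbles and map each nibble to 'A'..'P'.  Result is 32 ASCII bytes."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def encode_nb_name(name: str, scope: str = "", suffix: int = 0x00) -> bytes:
    """Second-level (wire) form: length byte 0x20 + the 32 encoded bytes,
    then each dotted scope label as <len><bytes>, then a 0x00 terminator.
    The terminator is required even when there is no scope."""
    wire = bytes([32]) + first_level_encode(name, suffix)
    for label in filter(None, scope.split(".")):
        lab = label.encode("ascii")
        if len(lab) > 63:                 # DNS-style label length limit
            raise ValueError("scope label too long: %r" % label)
        wire += bytes([len(lab)]) + lab
    return wire + b"\x00"


def decode_nb_name(wire: bytes):
    """Inverse of encode_nb_name; returns (name, suffix, scope)."""
    if wire[0] != 32:
        raise ValueError("expected 0x20 length byte for the encoded name")
    enc = wire[1:33]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    name, suffix = raw[:15].rstrip(b" ").decode("ascii"), raw[15]
    labels, pos = [], 33
    while wire[pos] != 0:                 # walk the scope labels to the terminator
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return name, suffix, ".".join(labels)


if __name__ == "__main__":
    w = encode_nb_name("WORKGROUP", "example.com", 0x1D)
    print(w.hex(), decode_nb_name(w))
```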

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
