Security Incidents
mailing list archives
NetBIOS ScopeID Traffic
From: Adam Pendleton <adam.pendleton () CORBETT-TECH COM>
Date: Wed, 27 Sep 2000 12:47:21 -0400
I am seeing this traffic on one of my networks, and I hope that someone
could shed some light on it. NFR ScopeID packet capture follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Time: 27-Sep-2000 11:55:21
NFR: internalida
Source IP: 10.10.10.1
Source Port: 6101
Destination IP: 10.10.10.165
Destination Port: 139
ScopeID: \xa9\x84;4\xd7\x94M,
\xad\xc3\xb4\xf0%\x15\xc2\xc2!\x8b\xb2\xb4\xe7\x84\xdb\xa4z\xb2\xb5\xc9\xe7\
xb1`\xfcC(\x93\x9aT\xf9\x81\x84\x0b\x91\x84\xa9\xd6*:\x0da\xa9V\xf6*\xdefD\x
e6p6\xef\xbe.
\xee\xae\xa2\xbd\xab\xfbx\x1c\xb3S7\xd7\xc4|\\=)\x8b/\xcdV\xb5\x93l0\xedX>j(
q\xe9\xb0\x00V\xf3\x19\xb9\x82\x00\x00\x00\x14\x04i2}\xc0\xa0B\x82\x80K\x89\
x953\x06\xee\xe6\xbf\xad\x1d9r\xa1\x90\xa3-.
V\xdfQ\xac&\xe4]3\x9c.
v\x82C\xa0:\x94\xeae\x8d\x02\x1cj\xb6\xbe\xac1\xee\xebK\x96\xd7\x04\x9d\xea\
xdfKB\xf1\xdf\xd9Y\x12>9""#\x94\x81\xab4\x01\x02\x0d<\x1ehN\xf0\xb4\xda\x09w
\x1f\x81\xa9\xe1I\xc7\xdf\xff\xc7\xcf\x15\xdez=\xdd\xbe{\xc8\xcal\xcc
Time: 27-Sep-2000 11:55:03
NFR: internalida
Source IP: 10.10.10.1
Source Port: 6101
Destination IP: 10.10.10.165
Destination Port: 139
ScopeID:
v\xfb[\xbc\xb5y\x87\xc6\x8ao\xdb\xe7l\x9f\xbf\xfe\xdb\xf9\xf5{J\x96\x15n\xfd
\xbd\xa5\x95\xff\xff\xff\xff\xff\xe0\xd4\x96\xfd\xb9dr\xeb\xab\xc4\xc6\x09\x
d5TAf\xfa\xe5H\x01\xe3\xbd!u\xb8\xbf\x88K\x12\xaa\xd6\xc7=\x1d\x14\xaa\xd6\x
fe7\xf1+\x8a\xc5\xa2C\xb2\xc2\xcc\xca\xb8\xdc\xc9\xe5\xcd\xbb\xb5fa\x17\xc9\
xc7\x9e\xcc\x8dw\x1e\x92%\xb1\xaa\xcb*\x7f9\x11\x7f\x111\x7f\xce\xea\xd5\xa1
\xe7f\x92P\x0f\xb1{\xdc\xfdjd\xd1\xbc\xe1\x02i\xa7\xd6V\xd7=\xa3\x82\xa6\x0a
\xff\xff\xff\xff\xff\x8aL\xae\xdc\x8e6\xef\x19\x80\x18\x03\xa6N\xf5-~U\x9eS\
xc8\x9e%\xc1\x09
\x12p&\xb9\x08\x1d8\xb9*\xc0,
rI\x12lWV\x84\xb4&\x8b~y""\xc3S\x93 () \xbd\x12\xd0^h\xc3\xc2u\xdev6\xb4\x09m\x
fe\x19:
Time: 27-Sep-2000 11:54:46
NFR: internalida
Source IP: 10.10.10.1
Source Port: 6101
Destination IP: 10.10.10.165
Destination Port: 139
ScopeID:
\xef\xc5\x00\x01%:\xda\x8eJc\x09\x19\xea\x09\xa24LX\xebNk(\x97\x8d>\x10\xa6<
\xae\xdd;X\x83\x9b%\xd8\xb3\xa6\xf3\xf3ta\xd3\xbd\xaa\xf3j\xa9\x8bF\x88\x86\
x98%\xa7r\x11\x0e*:\xdfq)\xb9v\x11$0\xf7
\x05\x9aL\xba\x95\xe2\xc7\xe5\xb7<k\x97""\x82H\x90\xb0\x85\xce\x9fA=h\x97*\x
ddQ\xddH\x8c\xdb\xa6\xe5\xad\x8b\xc6yXc\xdf\xef\xeeF\xff\xfe\xbf\xfd\xff\xff
\xe7\x0b\x87\x9c\xe6\x9d^\xbf\xaf7Q.
0\xc5\xb2\x93\x04\xa7[\x12D\xe1\x14\xdc\x8e\xe3\xef\xecr\x13\x85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10.10.10.1 is a Windows 2000 Raptor Firewall. .165 is a W2k Workstation.
This doesn't look like innocent traffic to me, and this sort of traffic is
not allowed across the firewall, so it looks to me like someone on the
internal network trying a ScopeID DoS. Any input?
Adam H. Pendleton
Manager
Security Management Center
Corbett Technologies, Inc.
Alexandria, Virginia
USA
http://www.corbett-tech.com
Si hoc legere scis nimium eruditionis habes.
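An added example, not part of the original post and not NFR's own detection code: a small checker that parses a NetBIOS Session Service (TCP/139) SESSION REQUEST as laid out in RFC 1001/1002, decodes the called and calling names, and validates the scope ID portion against the RFC's limits (labels of at most 63 bytes, at most 255 bytes of scope, domain-name-style characters). Binary scope data like the capture above shows up as anomalies; a well-formed request with a normal scope passes clean. The packets are constructed inline; the character set accepted for scope labels (letters, digits, hyphen) is an assumption based on the RFC's domain-name convention, and a site that uses no scope ID at all could tighten the check further.

```python
"""NetBIOS session request scope-ID checker (added example, constructed inputs)."""
import string

SESSION_REQUEST = 0x81
# Assumption: scope labels follow the domain-name style of RFC 1001 (letters, digits, hyphen).
SCOPE_LABEL_CHARS = set(string.ascii_letters + string.digits + "-")


def first_level_encode(name, suffix):
    """Pack a NetBIOS name (space-padded to 15) plus 1-byte suffix into the 32-byte 'half-ASCII' form."""
    raw = name.upper().ljust(15)[:15].encode("latin-1") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def first_level_decode(enc):
    """Reverse of first_level_encode; each byte is two nibbles in the range 'A'..'P'."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip(" "), raw[15]


def encode_scope(scope):
    """Turn 'corp.example' into length-prefixed labels (no terminating zero)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in scope.split(".") if l)


def build_session_request(called, called_suffix, called_scope_labels,
                          calling, calling_suffix, calling_scope_labels=b""):
    """Build a SESSION REQUEST: type 0x81, flags/length, then two second-level encoded names."""
    body = (b"\x20" + first_level_encode(called, called_suffix) + called_scope_labels + b"\x00"
            + b"\x20" + first_level_encode(calling, calling_suffix) + calling_scope_labels + b"\x00")
    n = len(body)
    return bytes([SESSION_REQUEST, (n >> 16) & 1, (n >> 8) & 0xFF, n & 0xFF]) + body


def parse_encoded_name(buf, off):
    """Parse one second-level encoded name at buf[off:]; return (name, suffix, scope labels, next offset)."""
    if off + 33 > len(buf) or buf[off] != 0x20:
        raise ValueError("truncated or malformed 32-byte name label")
    name, suffix = first_level_decode(buf[off + 1:off + 33])
    off += 33
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("scope not terminated")
        n = buf[off]
        off += 1
        if n == 0:
            return name, suffix, labels, off
        if off + n > len(buf):
            raise ValueError("truncated scope label")
        labels.append(buf[off:off + n])
        off += n


def scope_anomalies(labels):
    """Apply RFC 1001/1002 scope limits; binary junk fails on both length and character checks."""
    issues = []
    if sum(len(l) + 1 for l in labels) > 255:
        issues.append("scope exceeds 255 bytes")
    for l in labels:
        if len(l) > 63:
            issues.append("label of %d bytes exceeds 63" % len(l))
        bad = sum(1 for b in l if chr(b) not in SCOPE_LABEL_CHARS)
        if bad:
            issues.append("%d non-label byte(s) in scope" % bad)
    return issues


def analyze_session_request(pkt):
    """Return decoded names plus a list of anomalies for one session request packet."""
    if len(pkt) < 4 or pkt[0] != SESSION_REQUEST:
        raise ValueError("not a NetBIOS session request")
    result = {"called_name": None, "called_suffix": None, "called_scope": None,
              "calling_name": None, "anomalies": []}
    length = ((pkt[1] & 0x01) << 16) | (pkt[2] << 8) | pkt[3]
    if length != len(pkt) - 4:
        result["anomalies"].append("header length does not match payload")
    try:
        called, csuf, cscope, off = parse_encoded_name(pkt, 4)
        calling, _gsuf, gscope, _ = parse_encoded_name(pkt, off)
    except ValueError as e:
        result["anomalies"].append("malformed name: %s" % e)
        return result
    result.update(called_name=called, called_suffix=csuf, calling_name=calling,
                  called_scope=".".join(l.decode("latin-1") for l in cscope))
    result["anomalies"] += scope_anomalies(cscope) + scope_anomalies(gscope)
    return result


# Constructed samples: a normal request with a text scope, and one whose called-name
# scope is 64 bytes of high-bit binary, the shape of the ScopeID data in the capture.
BENIGN = build_session_request("WORKSTATION", 0x20, encode_scope("corp.example"),
                               "FIREWALL", 0x00, encode_scope("corp.example"))
JUNK_SCOPE = bytes(range(0x80, 0xC0))
SUSPICIOUS = build_session_request("WORKSTATION", 0x20, bytes([len(JUNK_SCOPE)]) + JUNK_SCOPE,
                                   "FIREWALL", 0x00)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("truncated", BENIGN[:40])):
        print(label, analyze_session_request(pkt))
```

Running the module prints the decoded called/calling names and an empty anomaly list for the benign packet, two anomalies (over-long label, non-label bytes) for the binary-scope packet, and a length mismatch plus a parse failure for the truncated one; the same function can be pointed at the payload bytes of any TCP/139 session request pulled from a capture.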