Home page logo
/

Nmap Announce mailing list archives

Foundry Networks Networking Devices Padded Bytes with ICMP Port Unreachable(s) - The 12 Bytes from No Where
From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 6 Dec 2000 17:33:14 +0100

Foundry Networks networking devices will pad extra 12 bytes of data with
their ICMP Port Unreachable Error messages. Our first example is with a
ServerIron switch running software version 7.1.02T12 eliciting an ICMP Port
Unreachable error message:

[root () godfather]# hping2 -2 -c 1 y.y.y.y
eth0 default routing interface selected (according to /proc)
HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from y.y.y.y (y.y.y.y)

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root () godfather]#


12:08:47.793503 eth0 > x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 64, id 44437)
                         4500 001c ad95 0000 4011 885f xxxx xxxx
                         yyyy yyyy 09c2 0000 0008 b13f

12:08:48.240208 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 51, id
44437) (ttl 51, id 17453)
                         4500 0044 442d 0000 3301 feaf yyyy yyyy
                         xxxx xxxx 0303 739c 0000 0000 4500 001c
                         ad95 0000 3311 955f xxxx xxxx yyyy yyyy
                         09c2 0000 0008 b13f dd2c 2a16 38e1 7646
                         7aaa 9d41

From the tcpdump trace we can see that the offending packet’s IP header and
the first 8 data bytes were echoed correctly. Right after those, 12 bytes
were padded, that came from no where.

The next example is with Foundry Networks BigIron 8000 running software
version 6.6.05T51. With this test I have sent a UDP datagram with 80 bytes
of data to a closed UDP port on the BigIron 8000:

[root () godfather /root]# hping2 -2 -c 3 -d 80 y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y  (ppp0 y.y.y.y  ): udp mode set, 28 headers + 80 data bytes
ICMP Port Unreachable from y.y.y.y  (y.y.y.y)
ICMP Port Unreachable from y.y.y.y  (y.y.y.y)
ICMP Port Unreachable from y.y.y.y  (y.y.y.y)

--- y.y.y.y  hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root () godfather /root]#


11:40:36.694235 ppp0 > x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 64, id 25211)
                         4500 006c 627b 0000 4011 2e7a xxxx xxxx
                         yyyy yyyy 0adb 0000 0058 3d09 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858

11:40:37.913018 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 52, id
25211) (ttl 52, id 60504)
                         4500 0044 ec58 0000 3401 b0d4 yyyy yyyy
                         xxxx xxxx 0303 edf3 0000 0000 4500 006c
                         627b 0000 3411 3a7a xxxx xxxx yyyy yyyy
                         0adb 0000 0058 3d09 1c1d 1e1f 2021 2223
                         2425 2627

Again, the offending packet’s IP Header and the first 8 data bytes are
quoted correctly. 12 data bytes are padded right after.

A nice pattern that allows us to identify Foundry Networks networking
devices.


This post was sent to Bugtraq as well.


Ofir Arkin
ofir () sys-security com
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

Copyright 2000 Sys-Security.com & Ofir Arkin   All rights reserved


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


  By Date           By Thread  

Current thread:
  • Foundry Networks Networking Devices Padded Bytes with ICMP Port Unreachable(s) - The 12 Bytes from No Where Ofir Arkin (Dec 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault