Sorry, I don't have a URL that explains how Windows RPC on a server hands out
a port number for the client to use. Anyone else?

However, I will help you reverse engineer it! ;-) Are you guessing that the
port number is in that same packet that has the IP address in ASCII? That
would be my guess, if it's anything like the FTP PORT command. Can you send
us the entire packet in hex for the one with port 4541 or some other port
you tell us in advance?

Could a firewall or smart IDS be sending back the resets? Just a thought.

Priscilla

COULOMBE, TROY wrote:
> 
> Priscilla,
> thanks for the quick reply :)
> 
> yes, so far all 3 sniffers haven't revealed much [ethereal, sniffer, & my
> fav: etherpeek-nx]
> 
> all show the decodes for RPC, but this is a Win2k box talking MS-RPC [port
> 135, initially]
> 
> somehow, someway an upper port is getting assigned [4541 for example] from
> the server
> 
> anywho, I'm t/s the win2k-box talking to vpn clients [also Wintel] and there
> seem to be a large number of tcp-rst happening on the higher ports upon
> initial connection ::: syn, rst, syn, rst
> 
> I don't think it's black-hat activity as it was the users complaining...so
> I'm just trying to make sure the client is communicating "back" on the
> proper port the server assigned...but I can't seem to nail down where the
> port is in the payload...
> 
> I do see the server send to the client the server's IP addr, but in
> "character format" [which to me is crazy]  so the server sends
> "31 00 30 00 2e 00 31 00 30 00 2e 00 31 00 30 00 2e 00 33 00 36 00" for
> "10.10.10.36"  31 being the hex equiv of the ascii char "1" 00 being the
> buffer space, 30 being the "0" and 2e being the "." of the "10."
> 
> man, gives new respect to the folks who do reverse eng. :)
> 
> I'll keep hacking at it... but I'm still hoping for a URL :)
> 
> TroyC
> 
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 26, 2003 3:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: RPC Endpoint Mapper [7:63916]
> 
> 
> In the olden days, in a Unix world, RPC required PortMapper. Maybe you
> could look that up? Not sure if there's a space, i.e. Port Mapper. I don't
> think there is.
> 
> It's a separate protocol for assigning port numbers. You should see evidence
> of it on your Sniffer if it still exists.
> 
> What operating system are you talking about? Windows does RPC too but I
> don't know it very well.
> 
> Priscilla
> 
> COULOMBE, TROY wrote:
> > 
> > Anyone know of a good resource on RPC endpoint mapper?  I'm trying to find
> > where in the packet the server tells the client which [new] port to come
> > back on.  Using a sniffer, but I can't seem to nail down where in the payload
> > the "future" port is passed to the client.
> > 
> > a google search of "rpc endpoint mapper sniffer"  has resulted in a lot of
> > conversations about how RPC works, but not at the packet level :(
> > 
> > don't mind RTFMing...but so far I can't find a good URL
> > 
> > at least the FTP protocol "states" which port :)
> > 
> > Thanks,
> > TroyC
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63933&t=63916
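
An added example, not part of the original thread: the approach suggested in the reply (capture a packet for a port known in advance, then look for that value in the payload), together with decoding the 16-bit "character format" address bytes quoted above. The function names, the sample payload layout and the position of the port in it are constructed for the demonstration and say nothing about where MS-RPC actually places the port.

```python
import re
import struct

# Bytes quoted in the thread: "10.10.10.36" stored as 16-bit characters.
QUOTED = bytes.fromhex(
    "31 00 30 00 2e 00 31 00 30 00 2e 00 31 00 30 00 2e 00 33 00 36 00"
)

def utf16_strings(payload, min_chars=4):
    """Return (offset, text) for runs of printable ASCII stored as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(payload)]

def find_port(payload, port):
    """Return sorted (offset, encoding) hits for a port number known in advance."""
    candidates = {
        "uint16 big-endian": struct.pack(">H", port),
        "uint16 little-endian": struct.pack("<H", port),
        "ASCII decimal": str(port).encode("ascii"),
        "UTF-16LE decimal": str(port).encode("utf-16-le"),
    }
    hits = []
    for name, needle in candidates.items():
        start = payload.find(needle)
        while start != -1:
            hits.append((start, name))
            start = payload.find(needle, start + 1)
    return sorted(hits)

# Constructed payload: 4 filler bytes, the quoted address, 2 zero bytes, then
# port 4541 packed big-endian. The port's position is invented for this demo.
SAMPLE = b"\x05\x00\x02\x03" + QUOTED + b"\x00\x00" + struct.pack(">H", 4541)

if __name__ == "__main__":
    for offset, text in utf16_strings(SAMPLE):
        print(f"UTF-16LE string at offset {offset}: {text!r}")
    for offset, name in find_port(SAMPLE, 4541):
        print(f"port 4541 as {name} at offset {offset}")
```

A two-byte match can occur by chance, so a hit is only convincing when the same offset tracks the port across several captures with different port numbers.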