COULOMBE, TROY wrote:
> 
> Priscilla,
> thanks for the quick reply :)
> 
> yes, so far all 3 sniffers haven't revealed much [ethereal,
> sniffer, & my
> fav: etherpeek-nx]
> 
> all show the decodes for RPC, but this is a Win2k box talking
> MS-RPC [port
> 135, initially]
> 
> somehow, someway an upper port is getting assigned [4541 for
> example] from
> the server
> 
> anywho, I'm t/s the win2k-box talking to vpn clients [also
> Wintel] and there
> seem to be a large number of tcp-rst happening on the higher
> ports upon
> initial connection ::: syn, rst, syn, rst
> 
> I don't think it's black-hat activity as it was the users
> complaining...so
> I'm just trying to make sure the client is communicating "back"
> on the
> proper port the server assigned...but I can't seem to nail down
> where the
> port is in the payload...
> 
> I do see the server send to the client the server's IP address,
> but in
> "character format" [which to me is crazy]  so the server sends
> "31 00 30 00
> 2e 00 31 00 30 00 2e 00 31 00 30 00 2e 00 33 00 36 00" for
> "10.10.10.36"  31
> being the hex equiv of the ascii char "1" 00 being the buffer
> space, 30
> being the "0" and 2e being the "." of the "10."

That is similar to the FTP PORT command, which puts the IP address in ASCII
characters, separated by commas, for some unknown reason. Following the
address is the port number in ASCII characters with a comma between the
first and second byte.

Port number is a 16-bit field. To get it into two bytes, divide the decimal
value by 256. Put that in the first part in ASCII characters. Put the
remainder in the second part.

So if it were an FTP Port command, 4541 would look like this:

4541/256 = 17 with 189 left over

1 = 31 in ASCII
7 = 37
comma = 2C
1 = 31
8 = 38
9 = 39

so you would see PORT blah blah 31 37 2C 31 38 39 

Do you see anything resembling that?? Maybe with nulls in between, since they
are doing nulls in between for the IP address, and maybe a period instead of
a comma?

Priscilla


> 
> man, gives new respect to the folks who do reverse eng. :)
> 
> I'll keep hacking at it... but I'm still hoping for a URL :)
> 
> TroyC
> 
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 26, 2003 3:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: RPC Endpoint Mapper [7:63916]
> 
> 
> In the olden days, in a Unix world, RPC required PortMapper.
> Maybe you
> could look that up? Not sure if there's a space, i.e. Port
> Mapper. I don't
> think there is.
> 
> It's a separate protocol for assigning port numbers. You should
> see evidence
> of it on your Sniffer if it still exists.
> 
> What operating system are you talking about? Windows does RPC
> too but I
> don't know it very well.
> 
> Priscilla
> 
> COULOMBE, TROY wrote:
> > 
> > Anyone know of a good resource on RPC endpoint mapper?  I'm
> > trying to find
> > where in the packet the server tells the client which [new]
> > port to come
> > back on.  Using a sniffer, but I can't seem to nail down where
> > in the payload
> > the "future" port is passed to the client.
> > 
> > a google search of "rpc endpoint mapper sniffer"  has resulted
> > in a lot of
> > conversations about how RPC works, but not at the packet level
> > :(
> > 
> > don't mind RTFMing...but so far I can't find a good URL
> > 
> > at least the FTP protocol "states" which port :)
> > 
> > Thanks,
> > TroyC
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63942&t=63916
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
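A worked example of the two encodings discussed in this thread: the FTP PORT argument (dotted quad and port as comma-separated decimal text, port split into port/256 and port%256) and the null-interleaved ASCII form Troy quoted for "10.10.10.36". This is added here and is not code from any of the posts. The sample payloads are constructed from the values quoted in the thread; the string binding `ncacn_ip_tcp:10.10.10.36[4541]` is a hypothetical illustration of where such text might appear, not something captured in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample data (not from a real capture).
# The hex Troy quoted for "10.10.10.36": each ASCII byte followed by 00.
WIDE_ADDR = bytes.fromhex("3100 3000 2e00 3100 3000 2e00 3100 3000 2e00 3300 3600")
# Hypothetical: a UTF-16LE string binding embedded between filler bytes.
SAMPLE_RPC = b"\x05\x00\x02\x03" + "ncacn_ip_tcp:10.10.10.36[4541]".encode("utf-16-le") + b"\x00\x00"
# Hypothetical FTP control-channel line carrying the same address and port.
SAMPLE_FTP = b"PORT 10,10,10,36,17,189\r\n"


def ftp_port_args(ip: str, port: int) -> str:
    """Build the FTP PORT argument h1,h2,h3,h4,p1,p2 with p1 = port // 256, p2 = port % 256."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_ftp_port_args(args: str) -> Tuple[str, int]:
    """Inverse of ftp_port_args: recover (ip, port) from h1,h2,h3,h4,p1,p2."""
    parts = [int(p) for p in args.split(",")]
    if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def ascii_hex(text: str) -> str:
    """Show text as the hex bytes a sniffer would display, e.g. '17,189' -> '31 37 2c 31 38 39'."""
    return text.encode("ascii").hex(" ")


def decode_wide(data: bytes) -> str:
    """The 'xx 00 xx 00 ...' pattern is UTF-16LE; the 00 is the high byte of each 16-bit code unit."""
    return data.decode("utf-16-le")


# FTP style: six comma-separated decimal fields.
_FTP = re.compile(rb"(\d{1,3}(?:,\d{1,3}){5})")
# UTF-16LE "host[port]" where host is a dotted quad and port is 1-5 digits.
_WIDE = re.compile(rb"((?:[0-9.]\x00){7,15})\[\x00((?:[0-9]\x00){1,5})\]\x00")


def scan_for_endpoints(payload: bytes) -> List[Tuple[str, int, str]]:
    """Scan raw payload bytes for an address/port pair in either text encoding.

    Returns (ip, port, encoding) tuples. Candidates whose fields are out of range
    are dropped rather than reported.
    """
    hits = []
    for m in _FTP.finditer(payload):
        try:
            ip, port = parse_ftp_port_args(m.group(1).decode("ascii"))
        except ValueError:
            continue
        hits.append((ip, port, "ftp-style"))
    for m in _WIDE.finditer(payload):
        ip = decode_wide(m.group(1))
        port = int(decode_wide(m.group(2)))
        if 1 <= port <= 65535:
            hits.append((ip, port, "utf-16le"))
    return hits


if __name__ == "__main__":
    print(ftp_port_args("10.10.10.36", 4541), "->", ascii_hex("17,189"))
    print(decode_wide(WIDE_ADDR))
    print(scan_for_endpoints(SAMPLE_FTP + SAMPLE_RPC))
```

Two caveats worth keeping in mind while staring at the capture. The "31 00 30 00 ..." bytes are simply a UTF-16LE string, which is the native wide-string form on Windows, so any port that appears as text will show the same interleaved nulls. More importantly, a DCE/MS-RPC endpoint mapper response does not carry the endpoint as text at all: it returns a binary "tower" in which the TCP floor holds the port as a 2-byte big-endian integer and the IP floor holds the IPv4 address as 4 raw bytes, so a scanner like the one above will find string bindings in a payload but not the value the mapper actually hands back.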