Recognize these packets?


5 replies to this topic

#1 mremski


Posted 01 March 2015 - 05:39 AM

Source is a Windows 7 desktop (updates enabled, last one was the "recommended" one that changed the symbol for Lithuanian currency), wired LAN connection, KIS2015, scanned with both KIS and Malwarebytes. Periodic, about 2 mins apart, broadcast at both IP and Ethernet level (broadcast dest mac in ether header, source mac matches the box they're coming from). proto 139 is "supposed to be" NetBIOS session, I've gone everywhere but in the registry to disable NetBIOS. This was captured on a *nix doing some routing and packet filtering, so it's not even close to making it out of the house, just curious as to what it may be (old *nix dog, have difficulty doing Windows tricks) so I can find the appropriate GUI to disable it. As a side note, anyone know the order of evaluation for KIS 2015 firewall rules? First or last match? I've got rules in place on the Windows box that in theory should be preventing these from hitting the wire, but they don't seem to be doing what I want. I've also got tcpdump raw data files that can be made available.

The IP portion of the header makes sense and seems to be consistent; the payload portion is where I'm running into a wall.

 

Thanks in advance.

 

------

Packets from Windows box, captured at input of *nix box, stripped of ethernet header

sudo tcpdump -i nfe0 -s 1500 -n -x -vvv 'src host 0.0.0.0 and dst host 255.255.255.255'
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 1500 bytes
 

05:10:28.021529 IP (tos 0x0, ttl 255, id 41, offset 0, flags [none], proto unknown (139), length 72)
    0.0.0.0 > 255.255.255.255:  ip-proto-139 52
        0x0000:  4500 0048 0029 0000 ff8b bb02 0000 0000
        0x0010:  ffff ffff 0300 0100 8447 48f9 d8cf 2b49
        0x0020:  98da 5cf4 50d6 f39d 0000 0000 0000 0000
        0x0030:  0000 0000 0000 0000 cc8e 6a0b 4cfc 2b07
        0x0040:  20b4 bfcd 7086 4421
05:12:28.017515 IP (tos 0x0, ttl 255, id 42, offset 0, flags [none], proto unknown (139), length 72)
    0.0.0.0 > 255.255.255.255:  ip-proto-139 52
        0x0000:  4500 0048 002a 0000 ff8b bb01 0000 0000
        0x0010:  ffff ffff 0300 0100 e098 8aab 705f 4140
        0x0020:  a265 1194 becd e669 0000 0000 0000 0000
        0x0030:  0000 0000 0000 0000 cc8e 6a0b 4cfc 2b07
        0x0040:  20b4 bfcd 7086 4421
05:14:28.029188 IP (tos 0x0, ttl 255, id 43, offset 0, flags [none], proto unknown (139), length 72)
    0.0.0.0 > 255.255.255.255:  ip-proto-139 52
        0x0000:  4500 0048 002b 0000 ff8b bb00 0000 0000
        0x0010:  ffff ffff 0300 0100 0f98 932a 5f1e 414a
        0x0020:  9611 fa6a 4349 b221 0000 0000 0000 0000
        0x0030:  0000 0000 0000 0000 cc8e 6a0b 4cfc 2b07
        0x0040:  20b4 bfcd 7086 4421
05:16:28.025391 IP (tos 0x0, ttl 255, id 44, offset 0, flags [none], proto unknown (139), length 72)
    0.0.0.0 > 255.255.255.255:  ip-proto-139 52
        0x0000:  4500 0048 002c 0000 ff8b baff 0000 0000
        0x0010:  ffff ffff 0300 0100 c735 ca21 941c b343
        0x0020:  8057 c42c 478a f14f 0000 0000 0000 0000
        0x0030:  0000 0000 0000 0000 cc8e 6a0b 4cfc 2b07
        0x0040:  20b4 bfcd 7086 4421
 


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer




#2 Didier Stevens


Posted 03 March 2015 - 02:35 PM

You are referring to NetBIOS because of the number 139 you see in your packet dumps, but that number in your dumps is not the port number, but the protocol number.

 

The IP protocol number is an 8-bit value that specifies the payload protocol, like 6 is TCP, 17 is UDP, 3 is ICMP.

139 turns out to be the Host Identity Protocol:

http://en.wikipedia.org/wiki/Host_Identity_Protocol

 

I've never seen a Windows machine produce HIP packets.

 

Here is a Wireshark dump of your first packet:

 

Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 72
    Identification: 0x0029 (41)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: HIP (139)
    Header checksum: 0xbb02 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Host Identity Protocol
    Payload Protocol: 3
    Header Length: 0
    Fixed P-bit: 0 (Always zero)
    Packet Type: 1
    Version: 0, Reserved: 0
    Fixed S-bit: 0 (SHIM6)
    Checksum: 0x8447 (incorrect, should be 0x3024)
    HIP Controls: 0x48f9
        .... .... .... ...1 = Anonymous (Sender's HI is anonymous): True
    Sender's HIT: d8cf2b4998da5cf450d6f39d00000000
    Receiver's HIT: 000000000000000000000000cc8e6a0b
 


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 mremski


Posted 04 March 2015 - 03:28 AM

Thanks Didier. I got the same when I finally had a chance to Wireshark them. The source mac in the ethernet header is definitely the Windows box, of course full scans with Malwarebytes and KIS 2015 have not shown anything. Port, protocol, both start with "p". :)




#4 Didier Stevens


Posted 04 March 2015 - 11:20 AM

First thing I would do is take a look at the services (daemons) running on that Windows box.
With a bit of luck, you'll find a HIP service.



#5 mremski


Posted 04 March 2015 - 12:08 PM

Will do.  Thanks again.




#6 BartsPet


Posted 23 August 2015 - 06:41 PM

I am having the same issue. Did you find a way to turn these protocol 139 packets off?





