Re: arp packet payload

• Previous message: wirepair: "ms03-043 questions"
• Maybe in reply to: Bram Matthys (Syzop): "Re: arp packet payload"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vuln-dev@securityfocus.com
Date: Mon, 03 Nov 2003 15:39:45 +0000

----- Original Message -----
From: "Russell Harding" <hardingr@cunap.com>
To: "sebastian" <reitenba@fh-brandenburg.de>
Cc: <vuln-dev@securityfocus.com>
Sent: Friday, October 31, 2003 10:42 PM
Subject: Re: arp packet payload

>Hello,
>
> I encountered similar data while wirless sniffing.
>
>However, this is not an accidental uninitialized padding. These packets
>are part of XP's Upnp service.

  No, you're wrong. It absolutely IS an ARP packet, with un-zeroed trailer
padding which I agree IS from a UPnP multicast datagram, but the packet
itself is ARP. Notice how the http request is truncated, for goodness sake!
  Bear in mind the ethernet header is not displayed in the packet dump here,
so don't be thrown off by that 0x0800: that is NOT an ethernet frame type
field.

> > 00:44:36.309866 arp who-has 192.168.5.254 tell 192.168.5.164
> > 0x0000 0001 0800 0604 0001 00c0 9f20 d3cd c0a8 ................
> > 0x0010 05a4 0000 0000 0000 c0a8 05fe 4d2d 5345 ............M-SE
> > 0x0020 4152 4348 202a 2048 5454 502f 312e ARCH.*.HTTP/1.

0x0001 = ARP hardware type = ethernet
0x0800 = ARP protocol type = 0x0800 indicating ARP for IP addresses
0x06 = ARP hardware address size - six for ethernet MAC
0x04 = ARP protocol address size - four for IP address length...
0x0001 = ARP operation: 1 = arp REQUEST.

followed by

6 bytes sender MAC 00-c0-9f-20-d3-cd, 4 bytes sender IP c0.a8.05.a4
6 bytes target MAC 00-00-00-00-00-00 (unknown), 4 bytes target IP
c0.a8.05.fe

The rest is padding to the ethernet minimum frame size (60 bytes), less 14
bytes header = packet body size of 46. As you say, the padding comes from a
UPnP request, but it absolutely IS padding.

And in reply to the OP:

>On Fri, 31 Oct 2003, sebastian wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > hi list,
> >
> > don't know wheater it's mentioned anywhere or old news but here we go:
> >
> > captured following arp packet last night:
> >
> >
> > nice packet, but what makes me curious is the payload. where is it taken
>from?
> > are there also passwords and other "secret" things, which may be
> > unintentionally sent out to the.
> > i think the source is a windows xp box.
> >
> > cheers
> > sebastian

  Yep, it's well known, and has been for years. See messages 1 and 26 in
this thread from December last year:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=Xns92DBCB57DB3D8IWishIWas%40marashouse.org&rnum=2&prev=/groups%3Fq%3Dhackers%2Bmalicious%2Bpop%2Bquiz%26ie%3DISO-8859-1%26hl%3Den

and also this post from May 2001

http://www.tcpdump.org/lists/workers/2001/05/msg00056.html

as well as the 'Etherleak' advisory from @stake earlier this year.

        DaveK

_________________________________________________________________
Sign-up for a FREE BT Broadband connection today!
http://www.msn.co.uk/specials/btbroadband

• Previous message: wirepair: "ms03-043 questions"
• Maybe in reply to: Bram Matthys (Syzop): "Re: arp packet payload"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]