[unisog] I may have spoken too soon (Windows message)

Bill Martin bmartin at luc.edu
Fri Oct 11 02:14:27 GMT 2002


While sniffing from the destination, I discovered the following:

One packet
UDP 138 NetBIOS Datagram
Mailslot\Messngr

This is contrary to what I posted early (found on the net) and even conflicts w/ Steve's findings.



-Bill Martin-
Sr. Systems Analyst
Loyola University Chicago
bmartin at luc.edu

>>> "Steve Bernard" <sbernard at gmu.edu> 10/10/02 04:54PM >>>
=<snip>=
When the NET SEND command is used, on W2k, it first sends out NetBIOS Name
Service over UDP packets from port 137 to the target on port 137. After 12
of these pairs, in my tests, un-encapsulating UDP packets are sent from an
arbitrary high port on the sender to port 135 on the target. If you know the
message that is being sent you can match that on the first couple of UDP
packets, it's in plain-text.
=<snip>=




More information about the unisog mailing list