m.alzhrani network security p.andrew glamorgan
8/8/2019 M.alzhrani Network Security P.andrew Glamorgan
http://slidepdf.com/reader/full/malzhrani-network-security-pandrew-glamorgan 1/21
Final mark awarded ______
UNIVERSITY OF GLAMORGAN
Assessment Cover Sheet and Feedback Form
2009/10
Module Code:SY4S02 Module Title:NETWORK SECURITY Lecturer:PROF A BLYTH
Assignment No: 1 OF 2
No. of pages in total including this page: 3
Maximum Word Count: 2,500
Word count: 2581
Assignment Title: NETWORK SECURITY FULL TIME COURSE WORK 1
Tasks: see attached
Section A: Record of Submission
Record of Submission and Plagiarism Declaration
I declare that this assignment is my own work and that the sources of information and material I
have used (including the internet) have been fully identified and properly acknowledged as
required in the referencing guidelines provided.
Student Number:09001603
You are required to acknowledge that you have read the above statement by writing your
student number(s) above.
(If this is a group assignment, please provide the student numbers of ALL group members)
Details of Submission
Note that all work handed in after the submission date and within 5 working days will be
capped at 40%. No marks will be awarded if the assignment is submitted after the late
submission date unless mitigating circumstances are applied for and accepted.
• IT IS YOUR RESPONSIBILITY TO KEEP A RECORD OF ALL WORK SUBMITTED.
• An electronic copy of your work should be submitted via Blackboard.
• Work should also be submitted to the member of academic staff responsible for setting your
work.
• Work not submitted to the lecturer responsible may, exceptionally, be submitted (on the
submission date) to the reception of the Faculty of Advanced Technology, which is on the
2nd floor of G block (Room G221) where a receipt will be issued.
Mitigating Circumstances: if there are any exceptional circumstances which may have
affected your ability to undertake or submit this assignment, make sure you contact the
Faculty Advice Shop on 01443 482540 (G221).
Section B: Marking and Assessment
This assignment will be marked out of 100%
This assignment contributes to 50% of the total module marks.
This assignment is bonded / non- bonded. Details: BONDED
It is estimated that you should spend approximately 70 hours on this assignment.
Date Set: 12TH Oct 2009 Submission Date: 4TH Dec 2009 Feedback Date: 8TH Jan 2009
Learning Outcomes
This assignment addresses the following learning outcome(s) of the
module:
• To demonstrate a systematic understanding of the principles of
security in networks and distributed systems;
• To classify and explain the methods by which computers within
a distributed system communicate;
• To evaluate critically how services are delivered to one another
in a secure manner.
Marking Scheme | Marks Available | Marks Awarded
1. Introduction and outline of the problems that you have identified. | 15 |
2. A detailed description of your proposed solution to the problems identified. | 65 |
3.4 Logical Organisation /5
Poor organisation of arguments.
Excellent organisation of arguments. The report is crisp, clear and well presented.
Comments:
3.5 Bibliography / References /5
Poor use of references.
Excellent use of references.
Comments:
ASSESSMENT CRITERIA
Performance Level | Introduction and outline of the problems. | A detailed description of your solution. | Conclusion | Logical Organis
Fail (<40%) | No clear understanding demonstrated. | Key concepts and ideas missing. | No evidence of summary and conclusions. | Confusing stru and no argume to the point.
Pass (40%-49%) | Some omissions and errors of key materials. | Some relevant factual knowledge and/or awareness of issues; a few errors may be present. | Poor summary and conclusions. | Not well struct enough to mak point though.
(50%-59%) | Key concepts introduced, with keys arguments outlined. | A detailed description of the topic, showing insight. Issues are dealt with in a detailed and systematic way | Evidence of summary and conclusions linked into countermeasures. | Evidence of pla and thought st development o argumentation
Merit (60%-69%) | Clear statement of the problem/issues and the argument used to address them | An accurate and comprehensive account is given of relevant material in a way that demonstrates understanding. | Clear evidence of summary and conclusions. A clear statement of countermeasures. | Well-planned s and developme the argument.
Distinction (70% +) | An excellent statement of the problem and the proposed solution. | A systematic explanation of the topic, which demonstrates an excellent understanding of the issues. | Excellent summary and conclusions. There is clear evidence of original thinking | Structure that maps the deve of the argumen
Contents
1. Introduction
1.1 Authentication process
2. Methodology of the analysis
3. Packets analysis:
3.1 Client server interaction:
1- Client -> Server Request (First Level Encoding)
2- Server > Client response (session acknowledgement)
3- Client > server Request (Negotiate CIFS dialect)
4- Client < server Response (SMB_NEGOTIATE)
5- Client > server Request (SESSION_SETUP)
6- Client < server Response (SESSION SETUP)
7- Client > server Request (TRANSACTION)
8- Client < server Response (TRANSACTION)
4. Scenario:
5. Conclusion:
6. Reference:
Table of Figures
TABLE 1.2 (C MCNAB 2007)
FIGURE 1.3 (SANDERS, 2007)
FIGURE 2
FIGURE 3
M. Alzhrani 09001603, Network Security, Glamorgan University, 2009
1. Introduction
Technology in recent years has evolved at an amazingly fast rate to dominate
almost all ways of life. The world has become a global village, where news and
accidents are relayed throughout the whole world in a matter of seconds. Such
intercommunication requires an intelligent transportation system; as (Comer, 2006)
describes the Internet, "...the entire technology has been designed to foster communication..."
As the Internet continues to extend in a complex manner, network protocols must
be addressed in order to classify communication, data transfer and systemic order.
One of these protocols is SMB/CIFS, which functions at the application layer and
works through NetBIOS software. It runs on Windows computers; as (Hertel,
2003) describes, "These systems participate in NBT networks by directly handling the
TCP and UDP packets". In addition, NetBIOS, or NBT, functions at the session layer (see
table 1.1), as it assigns station names to each particular device or service.
Typically, a client request for a share operation on the network could be a send,
receive, open or read command, depending on the privileges given to the account.
This command is processed by a protocol known as the Common Internet File System
(CIFS), which is the advanced version of the Server Message Block (SMB); all of these
operations are sent and carried by the TCP/IP protocol.
It has been said that there is a fundamental, serious design flaw, which can be used
to derive a considerable amount of data from a network without attracting any
attention. "Microsoft's software is fatally flawed from a security perspective"
(Scambray & McClure, 2007). This essential flaw is located in the Microsoft SMB,
where it could be exploited by enumerating the target server share list and acquiring
vital information via the authentication process. Such a breach is usually patched or
replaced entirely. In this report, I will analyze the packets and demonstrate the
related protocols that are associated with the authentication process.
(Sanders, 2007)
1.1 Authentication process
To begin with, the network sharing systems in this analysis use, firstly,
NetBIOS (Network Basic Input Output System), which is interface software that was
created to manage the network hardware, and which can initiate, start, end and execute
an order. NetBIOS also broadcasts sessions via the SMB/CIFS protocols.
Secondly, they use CIFS and SMB, which broadcast through port (139), which belongs to the
NetBIOS service, as shown in (Table 1.2). All of these services and protocols work on
the TCP/IP protocol. When CIFS asks for a broadcast, messages are transported by
establishing a connection using the NetBIOS session service as specified in RFC 1001 and
RFC 1002 (Microsoft handbook).
Table 1.2 (C McNab 2007)
The NetBIOS session is the usual transporter for the SMB packet via TCP/IP, although
there are three main basic types of NetBIOS service, as RFC 1001 and 1002 describe
(name service, datagram service and session service). Our concern will be with the
session service. These types of services are responsible for starting a connection by
using NetBIOS over TCP. To elaborate further, at every request to a network
or file share, the session service starts acquiring names for the user/client in the
local network; a name could be unique or shared, depending on the broadcasting
mechanism. Group names could be shared by more than one client, contrary to
unique ones, which register one for each network. (Hertel, 2003)
Authentication varies with the security mode. This case study is a
challenge/response one, and in this case an attacker may get the password hash
after sniffing a network and locating both the challenge key and the response key. These
keys are used to decrypt the original password through a certain algorithm. This
algorithm is known to both the client and the server; therefore, when an
intruder who knows the keys tries to break into a system, the password could be
decrypted by various tools and websites (Hertel, 2003).
2. Methodology of the analysis
Interestingly, layered packets and command batching include more than one
protocol or command. Thus, our methodology in this analysis will follow a specific
structure, in order to cover each small and important part. Each packet will be
analyzed based on the priority of the information; the vital information will be
documented in tables, pictures or plaintext. The role of these analyses will follow the
next table in a very particular way:
(Avian Research, 1997)
3. Packets analysis:
In our analysis, the first three packets start a full-duplex
TCP connection initiated by the client, the NetBIOS session request (three-way
handshake) over TCP, as described below:
Figure 1.3 (Sanders, 2007)
08/16-15:27:17.820587 193.63.129.192:1843 -> 193.63.129.187:139
TCP TTL: 128 TOS: 0x0 ID: 48195 IpLen: 20 DgmLen: 44 DF
******S* Seq: 0xF1908361 Ack: 0x0 Win: 0x2000 TcpLen: 24
TCP Options (1) => MSS: 1460
The packet was sent from a Class C network at 08/16-15:27:17.820587, from
193.63.129.192 through port 1843. This host is considered to be the attacker or
the client. The packet goes straight to the domain controller or the main server,
193.63.129.187, where it is received on port 139. (Only the first step of the handshake
will be analyzed to avoid repetition).
Code                            Explanation
TCP TTL:128                     TCP protocol; time to live, which is 128
TOS:0x0                         The type of service
ID:48195                        The packet id is 48195
IpLen:20                        The IP length is 20
DgmLen:44 DF                    (DF) means "don't fragment."
******S*                        Here we see the packet three-way handshake starting with synchronize to the target IP
Ack: 0x0                        Acknowledge value here is 0 because it's the first one
Win: 0x2000                     The buffer size the host provides
TcpLen: 24                      The TCP packet length
TCP Options (1) => MSS: 1460    This is the maximum size of segment the packet can handle before using fragmentation
The following response comes from the server with syn/ack, which indicates that the
server received the client's syn and is ready to make a link with it. Although the
header contains the same structure, the numbers change with each request. In this
packet, it is shown that the Sequence (ISN - Initial Sequence Number) equals
0xF1908361, and we can see in the next packet that the Ack number is the sequence
number of the next byte, which is 0xF1908362 (see figure 2).
Figure 2
It is commonly known that if the server comes back with an acknowledge message, then
the connection has been established [MSDN]. The NetBIOS session service has already
established a TCP connection via port 139 to send the SMB packet; the listener receives a
SESSION REQUEST via TCP, and its reply is a POSITIVE SESSION RESPONSE in
this case. (RFC1001, 1987)
1- Client -> Server Request (First Level Encoding)
Figure 3
Packet 1
Description: This packet should contain both the client and the server
NetBIOS names, and an integer to explain its job. A TCP connection must be established in
order to transport the CIFS request to the receiver, which is known as 'calling the
server'; therefore, a detailed analysis of the hex took place (Blyth, 2009) (see
appendix A) and resulted in:
Server service NetBIOS name: J4-ITRL-14
Client/workstation NetBIOS name: J4-ITRL-19
The purpose of the packet is 81 00 00 44; this shows that a connection to a share is
wanted from the receiver network. Finally, the IP of the server must be known to
perform the previous connection successfully, as we will see in the response packet
(RFC1002, 1987).
2- Server > Client response (session acknowledgement)
Packet 2: 0x82
Description: The first byte 82 indicates, according to figure 3, that this packet is a
response to a successful connection between server and client (Blyth, 2009).
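The session request of packet 1 and the 0x82 response of packet 2 can be decoded mechanically. The following is an added example, not part of the original report: it parses the RFC 1002 session header and reverses the first-level encoding of the bytes listed in Appendix A. The function names are hypothetical, and the four response bytes are a constructed sample, since the report gives only the first byte.

```python
"""Parse NetBIOS session-service packets (RFC 1002) and decode their names."""

# Session request bytes exactly as listed in Appendix A of the report.
APPENDIX_A_HEX = """
81 00 00 44 20 45 4B 44 45 43 4E 45 4A 46 45 46
43 45 4D 43 4E 44 42 44 45 43 41 43 41 43 41 43
41 43 41 43 41 00 20 45 4B 44 45 43 4E 45 4A 46
45 46 43 45 4D 43 4E 44 42 44 4A 43 41 43 41 43
41 43 41 43 41 41 41 00
"""
# Constructed sample: the report gives only the first byte (0x82) of packet 2.
POSITIVE_RESPONSE_HEX = "82 00 00 00"

PACKET_TYPES = {0x81: "SESSION REQUEST", 0x82: "POSITIVE SESSION RESPONSE"}


def decode_first_level(encoded):
    """Decode 32 letters 'A'..'P' into (name, suffix byte).

    Each original byte was split into two nibbles and 0x41 ('A') was added to
    each, so a letter pair (hi, lo) gives ((hi - 0x41) << 4) | (lo - 0x41).
    """
    if len(encoded) != 32:
        raise ValueError("a first-level encoded name is 32 bytes long")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("byte outside 'A'..'P' in encoded name")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    # 15 name bytes padded with spaces (0x20), then one service suffix byte.
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def read_name(payload, offset):
    """Read one length-prefixed, zero-terminated name; return (name, suffix, next offset)."""
    if offset + 34 > len(payload):
        raise ValueError("truncated name field")
    if payload[offset] != 0x20 or payload[offset + 33] != 0x00:
        raise ValueError("expected length byte 0x20 and a terminating 0x00")
    name, suffix = decode_first_level(payload[offset + 1:offset + 33])
    return name, suffix, offset + 34


def parse_session_packet(hex_dump):
    """Parse the 4-byte session header and, for a request, both names."""
    data = bytes.fromhex("".join(hex_dump.split()))
    if len(data) < 4:
        raise ValueError("session header is 4 bytes")
    ptype, flags = data[0], data[1]
    # The length is 17 bits: the low bit of the flags byte extends the 16-bit field.
    length = ((flags & 0x01) << 16) | int.from_bytes(data[2:4], "big")
    payload = data[4:]
    if len(payload) != length:
        raise ValueError("length field does not match the payload size")
    result = {"type": PACKET_TYPES.get(ptype, hex(ptype)), "length": length}
    if ptype == 0x81:
        called, called_suffix, nxt = read_name(payload, 0)
        calling, calling_suffix, _ = read_name(payload, nxt)
        result["called"] = (called, called_suffix)      # the server being called
        result["calling"] = (calling, calling_suffix)   # the client making the call
    return result


if __name__ == "__main__":
    print(parse_session_packet(APPENDIX_A_HEX))
    print(parse_session_packet(POSITIVE_RESPONSE_HEX))
```

The suffix byte returned with each name is the service type: 0x20 for the server service and 0x00 for the workstation service, which is how the two names in packet 1 are told apart.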
3- Client > server Request (Negotiate CIFS dialect)
Packet 3: SMB_COM_NEGOTIATE
Description: At this packet a dialect has been chosen by the server, and this, along with
an 8-byte key, is returned to the client in order to define the user identity in the
next packet.
Challenge key is: 0X103F5ED8E2243A26
An 8-byte challenge from the server to the client. The encrypted key is used by
the client to send back a hash key to the server (S Harris et al, 2007).
5- Client > server Request (SESSION_SETUP)
Packet 5: SMB_COM_SESSION_SETUP_ANDX
Description:
An important part of this packet and future ones: command batching is a network
technique used to reduce network bandwidth by merging two packets into one. In this
packet, the client must send a password and a user name to gain access; in this case
we verify by the UID field in the next packet: if it does include the UID, then this
packet must include a password, even if it appears like a zero (Microsoft handbook).
At this level the response to the previous challenge key should be present;
following instructions, no obvious password or challenge was sent in this packet.
The password, user and domain are set to Null, which is what Microsoft describes as a
Null session. A fundamental flaw allows an anonymous user to start a command and
receive a reply. An anonymous user, however, could enumerate a share list as a
Windows NT feature, "Also known as NULL session connections" (Microsoft support).
Also, an interesting code has been set in the client capabilities,
smb.server_cap.level_2_oplocks; this proves that even if authentication is granted, it
is read only privileges (Novell, 2006). The Anonymous account name indicates that it
is a legitimate login. The server resource share path is \\J4-ITRL-14\IPC$ with the IPC
service type, and it is built on top of the tree connect command; this command is
used because it can access a pipe name or file system (CIFS/1.0, 1997).
6- Client < server Response (SESSION SETUP)
Packet 6: SMB_COM_SESSION_SETUP_ANDX
Description: No errors were found at this stage, although an error would arise if
there were no password, but in this case the password is not required. Instead, a 16-bit
UID is initiated in this response, and will continue to the last packet, to identify
the user authentication. The native OS, LAN type and domain are revealed in the code
as shown in the analysis, and the IPC is available on the server to start the sharing
process (CodeFX, 2001).
In addition, a batched command response also took place with the value 75
[TREE_CONNECT], whereas "A tree connect is performed to access any resource, be it
a filesystem, a printer, or a named pipe." (Ithron, 2000).
7- Client > server Request (TRANSACTION)
Packet 7: SMB_COM_TRANSACTION 0x25
Description: A client request is initiated by the Remote Administration Protocol
(RAP) (0x0068). The command must be sent to the server through PIPE/LANMAN,
whereas a Remote Procedure Call (RPC) Application Programming Interface (API)
call is committed; this is sent on the SMB TRANSACTION 0x25 command (Ithron,
2000). The RAP request, however, is a NetServerEnum2 according to the packet,
where it asks the server to list the available shares or to browse the list of users; this
transaction is through the "WrLehDO" path, another specification in the packet. The last
4 bytes of the packet are the types of services (Microsoft handbook).
8- Client < server Response (TRANSACTION)
Packet 8: SMB_COM_TRANSACTION 0x25
Description: The server response contains the list of the available servers on the
network; it is relatively obvious that the answer to the process is in this packet,
where we can find the list of shares as explained in the analysis table.
4. Scenario:
J4-ITRL-19 started a TCP/IP connection via port 193; this is shown in the three-way handshake.
The second action is a NetBIOS session request to access the hidden share path
\\J4-ITRL-14\IPC$ at the local main server. The TREE ANDX gives it the ability to connect
through. A transfer channel is opened through PIPE/LANMAN, where an API call
enumerates the server list of shares.
o NBT Session Client Request
o SMB Negotiate Protocol Request
o SMB Session Setup Request
o SMB Tree Connect (to \\J4-ITRL-14\IPC$)
o RAP call
o RAP response (share/browse list)
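The sequence above is also a usable detection signature. The following is an added example, not part of the original report: it tracks each client/server pair through null session setup, IPC$ tree connect and RAP NetServerEnum2 over PIPE/LANMAN, and alerts only when all three occur in order. The event records are constructed, their field names are hypothetical (as a protocol decoder might emit them), and treating an empty account with a password length of at most one byte as a null session is an assumption.

```python
"""Flag the null-session enumeration sequence described in the scenario."""

SMB_COM_TRANSACTION = 0x25          # value given in the report
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75    # the report's batched "75 [TREE_CONNECT]"
RAP_NET_SERVER_ENUM2 = 0x0068       # RAP function number given in the report

CAPTURED = ("193.63.129.192", "193.63.129.187")  # client and server in the report
CONTROL = ("192.0.2.10", "193.63.129.187")       # constructed authenticated client


def ev(flow, cmd, **fields):
    """Build one decoded SMB event (hypothetical field names)."""
    return dict(client=flow[0], server=flow[1], cmd=cmd, **fields)


# Constructed events: the same command sequence from an anonymous client
# and from a client that logs in with an account name and password.
EVENTS = [
    ev(CAPTURED, SMB_COM_NEGOTIATE),
    ev(CONTROL, SMB_COM_NEGOTIATE),
    ev(CAPTURED, SMB_COM_SESSION_SETUP_ANDX, account="", password_len=1),
    ev(CONTROL, SMB_COM_SESSION_SETUP_ANDX, account="ALICE", password_len=24),
    ev(CAPTURED, SMB_COM_TREE_CONNECT_ANDX, path=r"\\J4-ITRL-14\IPC$"),
    ev(CONTROL, SMB_COM_TREE_CONNECT_ANDX, path=r"\\J4-ITRL-14\IPC$"),
    ev(CAPTURED, SMB_COM_TRANSACTION, pipe=r"\PIPE\LANMAN",
       rap_function=RAP_NET_SERVER_ENUM2),
    ev(CONTROL, SMB_COM_TRANSACTION, pipe=r"\PIPE\LANMAN",
       rap_function=RAP_NET_SERVER_ENUM2),
]


def is_null_session(event):
    """Assumption: empty account name and at most a single null password byte."""
    return event.get("account", "") == "" and event.get("password_len", 0) <= 1


def find_null_session_enumeration(events):
    """Return the (client, server) pairs that complete the whole sequence."""
    stage = {}   # flow -> 0 nothing, 1 null session, 2 null session + IPC$
    alerts = []
    for event in events:
        flow = (event["client"], event["server"])
        cmd = event["cmd"]
        if cmd == SMB_COM_SESSION_SETUP_ANDX:
            # A fresh session setup always resets the state for this flow.
            stage[flow] = 1 if is_null_session(event) else 0
        elif cmd == SMB_COM_TREE_CONNECT_ANDX and stage.get(flow) == 1:
            if event.get("path", "").upper().endswith("\\IPC$"):
                stage[flow] = 2
        elif cmd == SMB_COM_TRANSACTION and stage.get(flow) == 2:
            if (event.get("pipe", "").upper() == "\\PIPE\\LANMAN"
                    and event.get("rap_function") == RAP_NET_SERVER_ENUM2):
                alerts.append(flow)
                stage[flow] = 0   # one alert per completed sequence
    return alerts


if __name__ == "__main__":
    for client, server in find_null_session_enumeration(EVENTS):
        print("null-session enumeration:", client, "->", server)
```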
5. Conclusion:
Many types of evidence have been revealed during the analysis. The most notable
ones are the Null session login process, the IPC tree connect, and, more interestingly,
the PIPE/LANMAN, which has also shown that a lot more detail would give clues about the
committed action. All of the previous evidence, and the scenario, are
meaningless without the last packet, where the purpose of this dump is exposed.
Thus, from the latest data, I strongly believe it is an exploitation of a fundamental
basic flaw in the Microsoft Windows NT4.0 box on a local network, where an
anonymous user can breach the network share list or view the browse list, and
can enumerate the domain controller.
Since Microsoft considers the Null session process of obtaining the list of shares
a normal function, justified by the necessity of the domain controller to identify
the active users, it is then rational that some would claim it was complying with
hacking intentions. Intention, however, is another concern I am unable to examine in
detail; as far as we know it is a legal operation committed in user level security,
which does not require any password, with an anonymous account to gain access to
the list of shares on the master server. Hackers, however, could employ tools and
take advantage of the null session process. They would be likely to obtain a variety of
information about a network, as revealed previously in this analysis, such as with the
net use and net view commands (Xfocus, 2001); it is ridiculously easy to launch the Null
session attack, as shown below.
In conclusion, a series of indicators shows that the previous packets are an information
gathering operation, and the targeted network has been exploited through a major
vulnerability in the Windows NTLM authentication process. "And, of course, there has
been a lot of work on fundamentals-patching code-level vulnerabilities on a regular
basis" (Scambray & McClure, 2007). Therefore, there is more than one solution to
the specified weakness: restriction of null access could be beneficial, but not
entirely, where remote access is exploitable; closing port 139 could be efficient, but
not in a sharing environment. Microsoft solved this issue by adding trusted users to
local groups and disabling the anonymous function in the newly released packs.
Moreover, I would recommend upgrading the box to the latest patched version of
Windows, in parallel with configuring the firewall with certain rules, in order to deter
a potential enumeration process.
Reference:
Andrew Blyth, 2009, "The Common Internet File Systems (CIFS) and the Server
Message Block (SMB)", lecture notes distributed in the topic SY4S02 Network
security, Glamorgan University, Pontypridd on 12 Oct 2009.
Avian Research, January 1997, CIFS: Common Insecurities Fail Scrutiny.
CIFS DRAFT1, Mar 1997, A Common Internet File System (CIFS/1.0) Protocol,
available: http://www.microsoft.com/about/legal/protocols/BSTD/CIFS/draft-leach-cifs-v1-spec-02.txt ,
Last accessed 21st of Oct.
CodeFX, 2001, CIFS Explained, Available:
http://www.codefx.com/CIFS_Explained.htm , Last accessed 19th Oct 2009.
Christopher Hertel, Aug 11 2003, Implementing CIFS: The Common Internet File
System, Prentice Hall, 672 pages.
C McNab, 2007, Network Security Assessment: Know Your Network, second edition,
O'Reilly.
Chris Sanders, May 2007, Practical Packet Analysis: Using Wireshark to Solve Real-
World Network Problems.
Douglas E. Comer, 1995, Internetworking with TCP/IP, Vol 1: Principles, Protocols,
and Architecture, Prentice Hall Inc.
Ithron, 2000, Everything Developer, Available:
http://everything2.com/title/CIFS%253A+Common+Insecurities+Fail+Scrutiny+%25283%2529 ,
Last accessed 23rd Oct 2009.
IBM Corporation, Port 139 NetBIOS, available:
http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm , Last
accessed 18th of Oct.
J Scambray & S McClure, Dec 2007, Hacking Exposed Windows: Windows
Security Secrets & Solutions, 3rd Edition, McGraw-Hill.
Microsoft Corporation, Microsoft Networks, SMB FILE SHARING PROTOCOL,
Document Version 6.0p, Jan 1996, available:
http://www.samba.org/samba/ftp/specs/smbpub.txt , Last accessed 23rd of Oct.
Microsoft handbook, MSDN Common Internet File System (CIFS) File Access
Protocol, available:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c4adb584-7ff0-4acf-bd91-5f7708adb23c ,
Last accessed 20th Oct 2009.
Microsoft support, March 2007, Restricting information available to anonymous
logon users, Available:
http://support.microsoft.com/?scid=kb%3Ben-us%3B143474&x=7&y=10 ,
Last accessed 26th Oct 2009.
Novell, Mar 2006, OpLocks on NetWare, available:
http://wiki.novell.com/index.php/OpLocks_on_NetWare , Last accessed 26th Oct
2009.
NetBIOS Working Group, March 1987, Request for Comments: 1001 [RFC], available:
http://ubiqx.org/cifs/rfc-draft/rfc1001.html , Last accessed 25th of Oct.
Network Working Group, Mar 1987, RFC1002 - Protocol standard for a NetBIOS
service on a TCP/UDP, Available: http://www.faqs.org/rfcs/rfc1002.html , Last
accessed 27th Oct 2009.
S Harris, A Harper, C Eagle, J Ness, 2007, Gray Hat Hacking: The Ethical Hacker's
Handbook, 2nd edition, McGraw.
Xfocus, 2001, Atlanta, Georgia, available:
http://www.xfocus.net/articles/200305/smbrelay.html , Last accessed 24th of Oct.
APPENDIX A
81 00 00 44 20 45 4B 44 45 43 4E 45 4A 46 45 46 ...D EKDECNEJFEF
43 45 4D 43 4E 44 42 44 45 43 41 43 41 43 41 43 CEMCNDBDECACACAC
41 43 41 43 41 00 20 45 4B 44 45 43 4E 45 4A 46 ACACA. EKDECNEJF
45 46 43 45 4D 43 4E 44 42 44 4A 43 41 43 41 43 EFCEMCNDBDJCACAC
41 43 41 43 41 41 41 00 ACACAAA.
EKDECNEJFEFCEMCNDBDECACACACACACA EKDECNEJFEFCEMCNDBDJCACACACACAAA = 32 integer + 32 integer
IT'S = J4-ITRL-14
E=0x41-0x45=0x04
K=0x41-0x4B=0x0A=4A=J
D=0x41-0x44=0x03
E=0x41-0x45=0x04=34=4
C=0x41-0x43=0x02
N=0x41-0x4E=0x0D=2D=-
E=0x41-0x45=0x04
J=0x41-0x4A=0x09=49=I
F=0x41-0x46=0x05
E=0x41-0x45=0x04=54=T
F=0x41-0x46=0x05
C=0x41-0x43=0x02=52=R
E=0x41-0x45=0x04
M=0x41-0x4D=0x0C=4C=L
C=0x41-0x43=0x02
N=0x41-0x4E=0x0D=2D=-
D=0x41-0x44=0x03
B=0x41-0x42=0x01=31=1
D=0x41-0x44=0x03
E=0x41-0x45=0x04=34=4
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
IT'S = J4-ITRL-19
E=0x41-0x45=0x04
K=0x41-0x4B=0x0A=4A=J
D=0x41-0x44=0x03
E=0x41-0x45=0x04=34=4
C=0x41-0x43=0x02
N=0x41-0x4E=0x0D=2D=-
E=0x41-0x45=0x04
J=0x41-0x4A=0x09=49=I
F=0x41-0x46=0x05
E=0x41-0x45=0x04=54=T
F=0x41-0x46=0x05
C=0x41-0x43=0x02=52=R
E=0x41-0x45=0x04
M=0x41-0x4D=0x0C=4C=L
C=0x41-0x43=0x02
N=0x41-0x4E=0x0D=2D=-
D=0x41-0x44=0x03
B=0x41-0x42=0x01=31=1
D=0x41-0x44=0x03
J=0x41-0x4A=0x09=39=9
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
C=0x41-0x43=0x02
A=0x41-0x41=0x0=02= START OF TEXT
A=0x41-0x41=0x0
A=0x41-0x41=0x0=00=NULL