[lug] using tcpdump to emulate effects of packet dump

D. Stimits stimits at comcast.net
Thu Jul 17 22:07:49 MDT 2003


jd wrote:

> netsend
>
> or
>
> smbclient -M
>
> This will be sufficient to spam most people... however there is a newer
> style that uses RPC, I guess. I would just classify the traffic and then
> only allow it from my UPS.
>
> Here is some fun I had with my roommate... had to edit the text for the
> list though.....

smbclient is using something on I think port 135 or 137 through 139. 
This message service has *multiple* ways in, it is not a single API. 
Ports 135 and 137:139 are already blocked 100% to and from the outside 
world. ZoneAlarm also deals with those ports. What I need is to clone 
the tcpdump packet and send it to port 1026 of my local test machine and 
see it pop up. Then start developing a tool that will neutralize it from 
windows, and publish the tool for free. In no case has bybyeads.com been 
hitting a port below 1024.

I was hoping that a raw packet dump or hex readout of bytes in the UDP 
spam packet could be sent out without writing a new tool, but apparently 
not. I'll write a linux based simple UDP blind sender that only sends 
this copy of their bytes on UDP to the test machine (hopefully it will 
"do the right thing", it will be harder if a simple clone of the UDP 
packet data is only part of reproducing it).

D. Stimits, stimits AT comcast DOT net

>
>
> #!/usr/bin/perl -w
>
> $z = '1';
> while($z){
>     # pipe one message into smbclient's message mode (-M) for the named host
>     open( PIPE, "|/usr/bin/smbclient -M THEBUSCUIT") or die "smbclient: $!";
>     print PIPE "\n";
>     $it = <STDIN>;   # block on a line of keyboard input before each message
>     print PIPE "SEE THIS TEXT BJ?";
>
>     close(PIPE);
>     print "IT =  $it";
> }
>
>
> hth,
> jd
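The "blind UDP sender" step described above, as an added example that is neither jd's nor Stimits's code: it turns `tcpdump -x` hex output into bytes, strips the IPv4 and UDP headers, and can replay just the datagram body at a lab host to check whether a filter catches it. The sample dump, the 10.0.0.x addresses and the port numbers are constructed placeholders.

```python
import re
import socket
import struct

# Constructed sample in the style of `tcpdump -x` (IPv4 header at offset 0,
# no link-layer header): IHL=5, proto=17 (UDP), 10.0.0.1:1234 -> 10.0.0.2:1026,
# UDP length 13 = 8-byte header + 5-byte body "hello". Not a real capture.
SAMPLE_DUMP = """\
0x0000:  4500 0021 0001 0000 4011 0000 0a00 0001
0x0010:  0a00 0002 04d2 0402 000d 0000 6865 6c6c
0x0020:  6f
"""

# Accepts lines with or without the leading "0xNNNN:" offset column.
HEX_LINE = re.compile(r"^\s*(?:0x[0-9a-fA-F]+:)?\s*((?:[0-9a-fA-F]{2,4}\s*)+)$")


def dump_to_bytes(dump):
    """Collect the hex words of a tcpdump -x listing into raw packet bytes."""
    words = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            words.extend(m.group(1).split())
    return bytes.fromhex("".join(words))


def udp_payload(packet):
    """Strip IPv4 + UDP headers; return ((src_ip, sport), (dst_ip, dport), body)."""
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 dumps are handled")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 17:
        raise ValueError("protocol %d is not UDP" % packet[9])
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    body = packet[ihl + 8:ihl + ulen]     # UDP length counts header + data
    return (src_ip, sport), (dst_ip, dport), body


def replay(body, host, port):
    """Send the captured body once to a lab host; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(body, (host, port))


if __name__ == "__main__":
    _, (ip, port), body = udp_payload(dump_to_bytes(SAMPLE_DUMP))
    print("captured %d-byte body for port %d: %r" % (len(body), port, body))
    # replay(body, "127.0.0.1", port)   # uncomment to send it to a lab host
```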
