
| Subject: | Re: Tracking down random ICMP |
|---|---|
| Date: | Fri, 9 Feb 2007 01:17:01 +0100 |
On Wed, Jan 24, 2007 at 02:05:55PM +1300, Bojan Zdrnja wrote:
> So, in other words, for the original poster: use ListDLLs (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListDlls.mspx) which will list all processes and show you DLLs that each of them is using. Then go through that list and eliminate all processes that are not using Iphlpapi.dll. Now you will have a list of processes that need to be examined further.
Even simpler, provided the Windows system is running at least Windows XP, you can use the tasklist program with the /m option to directly find out all the processes that have Iphlpapi.dll loaded. Because Iphlpapi.dll is a DLL that contains common network functions, tasklist will certainly list several processes with the DLL loaded.

You can then try to suspend one by one each process with PsSuspend from Sysinternals and see if the ICMP activity stops or not. If the system is receiving ICMP packets in response to the sent traffic and if the Windows firewall is configured to log dropped traffic, you can easily verify if suspending a process stops the ICMP traffic by "tailing" Pfirewall.log or looking at the file size.

Both tasklist and PsSuspend work on remote systems (MSRPC over SMB is used in that case, requires 139/tcp or 445/tcp to the remote system), provided you have administrator credentials. Typically, you would first establish an SMB session with net use using administrator credentials.

Jean-Baptiste Marchand
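The procedure in the message above (tasklist /m to enumerate the processes that have Iphlpapi.dll loaded, PsSuspend to freeze each candidate in turn, and the growth of Pfirewall.log as the signal) can be scripted so that each candidate is tested for the same window and always resumed. The script below is an added example written for this page, not code from the thread or from Sysinternals. It assumes that pssuspend.exe is on the PATH and its licence prompt has already been accepted once interactively, that the Windows Firewall logs dropped packets to the Windows XP default path %SystemRoot%\pfirewall.log (on later Windows versions the default is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log; pass -LogPath), and that it runs from an administrator session on the local machine. The exclusion list, the baseline measurement and the 60 second window are choices of this example, not part of the original advice.

```powershell
# Added example: correlate ICMP activity with one process by suspending candidates.
# Assumptions: pssuspend.exe (Sysinternals) on PATH, firewall logging of dropped
# packets enabled, administrator session. $LogPath and $WaitSeconds are guesses
# for an XP-era box; adjust them for the system under investigation.
param(
    [string]$Module      = 'iphlpapi.dll',
    [string]$LogPath     = (Join-Path $env:SystemRoot 'pfirewall.log'),
    [int]   $WaitSeconds = 60
)

# Suspending these freezes or crashes the machine, so they are never tested here.
# svchost.exe is deliberately NOT excluded (a service DLL is a plausible culprit),
# but suspending the RPC svchost can hang the box: run "tasklist /svc" first and
# be ready to resume it with "pssuspend -r <pid>" from another session.
$neverSuspend = @('system', 'smss.exe', 'csrss.exe', 'winlogon.exe',
                  'services.exe', 'lsass.exe')

function Get-FirewallLogSize {
    if (Test-Path -LiteralPath $LogPath) { (Get-Item -LiteralPath $LogPath).Length } else { 0 }
}

# Bytes the log grows during one observation window.
function Measure-LogGrowth {
    $before = Get-FirewallLogSize
    Start-Sleep -Seconds $WaitSeconds
    (Get-FirewallLogSize) - $before
}

# Step 1: every process with the module loaded. "/fo csv" yields the columns
# "Image Name","PID","Modules"; the unquoted "INFO: No tasks ..." line is dropped.
$candidates = tasklist /m $Module /fo csv |
    Where-Object { $_ -match '^"' } |
    ConvertFrom-Csv
if (-not $candidates) { Write-Warning "No process has $Module loaded."; return }

# Step 2: how fast the log grows with nothing suspended, so "stopped" means
# "zero growth in a window that normally shows growth".
$baseline = Measure-LogGrowth
Write-Host ("Baseline: firewall log grew {0} bytes in {1}s" -f $baseline, $WaitSeconds)
if ($baseline -le 0) { Write-Warning 'Log is not growing; nothing to correlate against.'; return }

# Step 3: suspend each candidate for one window, measure, always resume.
$results = foreach ($c in $candidates) {
    $name   = $c.'Image Name'
    $procId = [int]$c.PID
    if ($procId -eq $PID -or $neverSuspend -contains $name.ToLower()) {
        Write-Host "Skipping $name ($procId)"
        continue
    }
    Write-Host "Suspending $name ($procId) for ${WaitSeconds}s ..."
    & pssuspend.exe $procId | Out-Null
    try     { $growth = Measure-LogGrowth }
    finally { & pssuspend.exe -r $procId | Out-Null }   # resume even on Ctrl-C
    [pscustomobject]@{
        Name           = $name
        PID            = $procId
        LogGrowthBytes = $growth
        Suspect        = ($growth -eq 0)
    }
}

# A process whose suspension makes the log stop growing is the one to examine
# further (ListDLLs, strings on the binary, its service entry, its network sockets).
$results | Sort-Object LogGrowthBytes | Format-Table -AutoSize
```

Two caveats follow from the message itself: the window must be long enough to catch traffic that is "random" rather than periodic, so a single zero-growth result is a lead and not proof, and the log only reflects packets the firewall drops, so if inbound ICMP replies are permitted the file will not grow at all and a packet capture on the host is the better signal. For the remote case the post mentions, the same logic applies with tasklist /s and pssuspend \\computer after a net use session to the target.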