
NBNS, ICMP followed by DHCP

Hello everyone, I'm fairly new to the topic of analysing network traffic. I'm currently analysing a capture for learning purposes and there's some communication that I can't follow, nor can I find a clear explanation of what is happening.

It seems to be a TELNET communication between two machines A (192.168.251.1) and B (192.168.251.11) in the same network. A initiates the TCP connection, which gets accepted by B, followed by the initiation of the TELNET connection. What comes next is not clear to me. B queries machine A's NetBIOS Name Service with NBSTAT. An ICMP packet is sent as a response stating that the port on A is unreachable. This is repeated two more times.

My guess: there's a third machine (C), outside this network, that is initiating the TELNET communication to B, and A is a router forwarding packets from C to B. B detects someone is requesting access and asks A (the router) if C is within the NetBIOS valid list of resources. A, however, is not running NBNS and UDP port 137 is, therefore, not reachable.

After the NBNS packets there are two DHCP packets. B sends a DHCP request to A and gets acknowledged. Is machine B just refreshing the time lease for the same address? Are these scenarios connected?

PedroGomes, asked 2020-04-14 23:10:53 +0000; updated by grahamb 2020-04-15 10:04:45 +0000

Comments

Can you share the packet capture?

Chuckc (2020-04-15 00:22:52 +0000)

Sure @bubbasnmp, here's a shareable link: https://drive.google.com/open?id=16Aa...

PedroGomes (2020-04-15 00:27:31 +0000)

2 Answers

As the DHCP lease time is only 10 minutes, you will be seeing the renewal process from the client every 5 minutes. I don't think the scenarios are connected in any way other than they simply involve the same hosts.

Rooster_50, answered 2020-04-15 01:43:53 +0000

  1. Statistics -> Capture File Properties - capture is dated 2010-10-08 (it's been around a while)
  2. Statistics -> Conversations or Statistics -> Endpoints - the devices are both VMs (00:0c:29)
  3. Right click on Frame #4 (TELNET) and select Follow->TCP Stream:
    • client is sending X11 DISPLAY info - backtrack:0.0 - predecessor to Kali (linux client)
    • response is coming back as Microsoft Telnet Server (Windows server)
    • telnet and ssh servers will often do a name lookup of the client making the connection.
      In this case it's a Windows server so doing NBNS
  4. The domain name in the DHCP ACK is for a college/university - perhaps where the capture was done.
Chuckc, answered 2020-04-15 01:48:15 +0000, updated 2020-04-15 01:52:20 +0000

Comments

Thanks for the answer, it sure helped me understand better and search for more info with the right keywords. One more thing, why would the Windows server do a DHCP request to the Linux client?

PedroGomes (2020-04-15 15:00:47 +0000)

It might be the DHCP server for that subnet.
Hard to say without packets showing the initial DHCP config of the Windows machine.

Chuckc (2020-04-15 16:06:41 +0000)

The DHCP request/ACK seem to be totally unrelated to the telnet login. When you use the filter !(dhcp || icmp || tcp.len==0) you will see that the timeout of each NBNS request is 1.5 seconds and 1.5 sec after the last NBNS attempt the telnet connection continues. The DHCP renewal just happens to take place during the NBNS tries.

SYN-bit (2020-04-15 21:07:03 +0000)
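A worked check of the timing argument in the comment above, as an added Python example that is not from any poster and does not use the real capture: a constructed packet timeline modelled on the thread's description (the payload lengths and exact timestamps are assumed), a Python equivalent of the filter !(dhcp || icmp || tcp.len==0), and the inter-packet gaps that filter exposes.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float            # seconds since start of capture
    proto: str           # "tcp", "nbns", "icmp" or "dhcp"
    src: str
    dst: str
    tcp_len: int = 0     # TCP payload bytes; 0 for pure ACKs and for non-TCP packets

A, B = "192.168.251.1", "192.168.251.11"   # Linux client and Windows telnet server from the question

# Constructed timeline (not the real capture): telnet handshake, three NBSTAT queries
# each answered by ICMP port unreachable, a DHCP renewal landing in the middle,
# and the telnet session continuing 1.5 s after the last NBNS attempt.
CAPTURE = [
    Pkt(0.000, "tcp", A, B), Pkt(0.001, "tcp", B, A), Pkt(0.002, "tcp", A, B),  # SYN, SYN/ACK, ACK
    Pkt(0.010, "tcp", A, B, 24),   # client telnet option negotiation (X11 DISPLAY etc.)
    Pkt(0.012, "tcp", B, A, 30),   # server options
    Pkt(0.020, "nbns", B, A),      # NBSTAT query for the client's name
    Pkt(0.021, "icmp", A, B),      # UDP/137 unreachable
    Pkt(0.800, "dhcp", B, A),      # DHCP request (lease renewal)
    Pkt(0.805, "dhcp", A, B),      # DHCP ACK
    Pkt(1.520, "nbns", B, A), Pkt(1.521, "icmp", A, B),   # NBNS retry 1
    Pkt(3.020, "nbns", B, A), Pkt(3.021, "icmp", A, B),   # NBNS retry 2
    Pkt(4.520, "tcp", B, A, 18),   # server finally sends the login prompt
]

def display_filter(p):
    """Python equivalent of the Wireshark filter !(dhcp || icmp || tcp.len==0).
    tcp.len is absent on non-TCP packets, so the ==0 test is false for them."""
    return not (p.proto == "dhcp" or p.proto == "icmp" or (p.proto == "tcp" and p.tcp_len == 0))

def deltas(pkts):
    """(proto, seconds since the previous displayed packet) for the filtered view."""
    shown = [p for p in pkts if display_filter(p)]
    return [(p.proto, round(p.ts - q.ts, 3)) for q, p in zip(shown, shown[1:])]

def nbns_retry_gaps(pkts):
    """Gaps between consecutive NBNS queries, plus the gap from the last query to the
    next telnet payload: all 1.5 s if the lookup timeout is what stalls the session."""
    nb = [p.ts for p in pkts if p.proto == "nbns"]
    resume = min(p.ts for p in pkts if p.proto == "tcp" and p.tcp_len and p.ts > nb[-1])
    return [round(b - a, 3) for a, b in zip(nb, nb[1:])] + [round(resume - nb[-1], 3)]

def dhcp_inside_nbns_window(pkts):
    """True when the DHCP exchange merely overlaps the NBNS retries in time."""
    nb = [p.ts for p in pkts if p.proto == "nbns"]
    return all(nb[0] < p.ts < nb[-1] for p in pkts if p.proto == "dhcp")
```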