Fyodor's new rant on Windows, Raw Sockets and Nmap

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004

    Fyodor's new rant on Windows, Raw Sockets and Nmap

    Looks like one of the loopholes used to get around the lack of raw socket support with SP2 has been killed by another patch. I know this has been covered a bit before, but some might like to hear the extra details. Guess what it comes down to is: if you want to run Nmap with the best performance, choose a *nix platform.

    Many of us were annoyed last year when Microsoft intentionally broke
    raw sockets on Windows XP, while leaving the feature enabled in
    Windows 2003. MS is well known for maintaining the upgrade treadmill
    by dubious means such as gratuitous file format incompatibilities, but
    this is a new low. People pay $299.99 for WinXP Pro with working raw
    sockets, then MS cripples their systems and demands $1019 (WS2003
    retail price) to return the functionality. Of course Microsoft claims
    this change is necessary for security. That is funny, since all of
    the other major platforms Nmap supports (e.g. Mac OS X, Linux, *BSD)
    offer raw sockets and yet they haven't become the wasp nest of
    spambots, worms, and spyware that infest so many Windows boxes.

    This takes us back to 1996, when MS released Windows NT 4.0
    Workstation with a limit of 10 incoming connections per 10 minutes[1].
    They (falsely) claimed this limit was due to substantial technical
    differences between Workstation and Server, and wasn't just a way to
    force an $800 upgrade. But at least that was a new product -- MS
    didn't proactively break existing, working web servers. Soon hackers
    discovered that the "substantial technical differences" were just a
    registry key setting. MS backed down and removed the limitation.

    Well, they haven't backed down this time! I know that some of you
    have been avoiding SP2 to keep your system fully functional. MS made
    a blocking tool available to Enterprises, but they overrode it on
    April 12 and forced the upgrade through Automatic Update anyway[2].
    And now they have quietly snuck the raw sockets restriction in with
    their latest critical security patch (MS05-019). The loophole that
    allowed users to defeat the limitation by stopping the ICS service has
    also been closed by MS05-019. I have appended an informative
    NTBugtraq post by Robin Keir on this topic. Pick your poison: Install
    MS05-019 and cripple your OS, or ignore the hotfix and remain
    vulnerable to remote code execution and DoS.

    Nmap has not supported dialup nor any other non-ethernet connections
    on Windows since this silly limitation was added. The new TCP
    connection limit also substantially degrades connect() scan. Nmap
    users should avoid thinking that all platforms are supported equally.
    If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
    Solaris rather than Windows. Nmap will run faster and more reliably.
    Or you can try convincing MS to fix their TCP stack. Good luck with

    Rant mode off,

    [1] http://tim.oreilly.com/articles/10-conn.html
    [2] http://it.slashdot.org/article.pl?si...id=172&tid=218

    From: Robin Keir <robin@KEIR.NET>
    Subject: MS05-019 breaks TCP raw socket sends
    Date: Tue, 12 Apr 2005 20:37:02 -0700

    Today's bugfix MS05-019 ("Vulnerabilities in TCP/IP Could Allow Remote
    Code Execution and Denial of Service" - KB893066) appears to break TCP
    raw socket sends on XP (tested with SP1 and SP2). Windows Server 2003
    appears unaffected.

    It is a documented fact that TCP raw socket sends were disabled with
    XP SP2. This was easily circumvented by disabling the Windows Firewall
    service ("net stop sharedaccess"). It now appears that with the
    MS05-019 hotfix a similar situation has arisen whereby TCP raw socket
    sends are prevented, not only in SP2 but also SP1 (and probably
    SP0). This does *not* seem to be able to be overcome by stopping the
    firewall service(s).

    I don't know if this was intentional but I don't see any reference to
    this behavior.

    Incidentally, with Windows Server 2003 MS had "accidentally" also
    disabled TCP raw socket sends as with XP SP2 until they were notified
    of this unintentional regression and "fixed" it in RC2 and the final
    release. One wonders whether they "accidentally" used a component from
    XP SP2 in this hotfix causing this undesirable behavior.


    Sent through the nmap-hackers mailing list
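    The "connect() scan" Fyodor mentions is what Nmap falls back to when it cannot send raw packets: a full three-way handshake per port through the ordinary socket API. The scanner below is an illustration added here, not code from Nmap or from the original post. It keeps the number of simultaneously outstanding connection attempts under a configurable cap, because the SP2 stack queues new outbound attempts once a fixed number are still incomplete; the figure of 10 used here is the commonly cited one and is an assumption, as the page does not state it. The cap makes the scan predictable rather than fast, since the stack's limit is what throttles it and a scanner cannot raise that. The loopback target and the listener in `self_check()` are constructed for the example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: the cap on *incomplete* outbound TCP connections that the XP SP2
# stack enforces (commonly cited as 10; not stated on the page). Attempts beyond
# the cap are queued by the stack, so firing more than this at once only stalls.
HALF_OPEN_LIMIT = 10


def probe_port(host, port, timeout=1.0):
    """One connect() probe. The three verdicts are all a connect scan can
    distinguish: handshake completed, RST received, or no answer in time."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, max_in_flight=HALF_OPEN_LIMIT, timeout=1.0):
    """Scan `ports` with at most `max_in_flight` handshakes outstanding at once.
    Returns {port: state}. The pool size is the throttle: no more than
    max_in_flight connect() calls can be incomplete at the same moment."""
    with ThreadPoolExecutor(max_workers=max_in_flight) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def self_check():
    """Constructed scenario: one listening port and one known-closed port on
    loopback, so the verdicts can be checked without a remote target."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    placeholder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()  # never listened on, so a connect() to it gets a RST

    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return result, open_port, closed_port


if __name__ == "__main__":
    result, o, c = self_check()
    print("listening port %d -> %s, closed port %d -> %s" % (o, result[o], c, result[c]))
```

    Raising `max_in_flight` above the stack's own cap gains nothing on an SP2 host: the extra threads just sit in the queue. On a platform without the cap the same code can be run with a larger pool, which is the performance difference Fyodor is describing.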

  2. #2
    Senior Member
    Join Date
    Feb 2005
    While unfair, people will adapt and find a different program rather than completely switch OSes for a singular problem.

    Same thing would apply even if this was winamp. People will simply use a different program.
    "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
    - Charles Darwin

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Maybe, but is there anything that compares to the features of Nmap on the Windows platform? That does SYN, ACK, FIN, Xmas scans, OS detection, version detection all in one tool? Quite frankly, I can't see a pen-tester being without a *nix box of some kind.

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Doesn't foundstone's superscan basically do that? IIRC, it's basically nmap for windows. At least I use it that way.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  5. #5
    Senior Member
    Join Date
    Feb 2005
    all in one tool
    See, that's the handicap right there. There are multiple tools on Windows that will accomplish the same goals as nmap, you just have to use them in conjunction with one another. Nothing wrong with that at all, especially if you are up-to-par on data collection entry for easy recording. And if you do minimalization penetration testing, then crafting packets by hand specifically for Xmas and FIN testing should be a walk in the park.

    I dislike many all-in-one tools because if that tool breaks completely, then I will be stuck not knowing what other alternatives are out there to accomplish the job per feature.
    "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
    - Charles Darwin
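    The hand-crafted packets this post refers to are exactly what the raw socket restriction blocks: a SYN, ACK, FIN, Xmas or Null probe is a TCP header that the scanner builds itself, checksum included, and hands to the kernel over a raw socket instead of letting the stack build it. The example below is added here and is not code from the original post or from Nmap. It builds the header for each of those probe types, verifies the checksum the way a receiving stack would, and only attempts the raw send when run directly (that needs root or Administrator, and on XP SP2, or on SP1 with MS05-019, the send is what fails, per Robin Keir's report earlier in the thread). The addresses, ports and the `PROBES` table are assumptions made for the example; the flag combinations are the ones the scan types are defined by.

```python
import socket
import struct

# TCP flag bits in the 16-bit data-offset/flags word (RFC 793).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Probe types by their usual scan names. The flag sets are the ones the scan
# types are defined by (Xmas = FIN+PSH+URG, Null = no flags); the table itself
# is this example's own layout, not Nmap's.
PROBES = {
    "syn": ("SYN",),
    "ack": ("ACK",),
    "fin": ("FIN",),
    "xmas": ("FIN", "PSH", "URG"),
    "null": (),
}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto, length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024) -> bytes:
    """A 20-byte TCP header with no options and no payload, checksum filled in."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    offset_flags = (5 << 12) | flag_bits  # data offset = 5 words = 20 bytes
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    csum = ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_tcp_flags(segment: bytes) -> tuple:
    """Names of the flags set in a TCP header, in FLAGS table order."""
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return tuple(name for name, bit in FLAGS.items() if offset_flags & bit)


def checksum_valid(src_ip, dst_ip, segment: bytes) -> bool:
    """What a receiving stack checks: the one's-complement sum over pseudo-header
    plus segment, checksum field included, must be all ones, i.e. complement to 0."""
    return ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def send_probe(src_ip, dst_ip, dport, probe, sport=40000):
    """Hand the crafted header to the kernel over a raw socket; the kernel adds
    the IP header. Needs root or Administrator, and this is the call that the
    SP2 / MS05-019 restriction refuses on Windows XP."""
    segment = build_tcp_segment(src_ip, dst_ip, sport, dport, PROBES[probe])
    raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    try:
        raw.sendto(segment, (dst_ip, 0))
    finally:
        raw.close()


if __name__ == "__main__":
    # Assumed addresses from TEST-NET-1 (RFC 5737); use a host you are allowed to probe.
    src, dst = "192.0.2.1", "192.0.2.2"
    seg = build_tcp_segment(src, dst, 40000, 80, PROBES["xmas"])
    print("xmas probe flags:", parse_tcp_flags(seg), "checksum ok:", checksum_valid(src, dst, seg))
    try:
        send_probe(src, dst, 80, "xmas")
    except PermissionError as exc:
        print("raw send refused:", exc)
```

    The checksum is the part people get wrong when building these by hand: it covers a pseudo-header that is not on the wire, so a probe with the right flags but a bad checksum is silently dropped by the target and the scan reports every port as filtered. `checksum_valid` is the receiver-side check to run on your own output before blaming the network.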

  6. #6
    Regal Making Handler
    Join Date
    Jun 2002
    I can't see a pen-tester being without a *nix box of some kind.
    Custom live CD would seem to be the answer
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    As I have said before, how many of the millions of Windows users have ever heard of nmap? Of those who have, how many actually use it?

    Raw sockets do present a potential security weakness, and are best not provided to the general "off the shelf" Windows customers. They have no use whatsoever for raw sockets support.

    What I do not understand is why it is not available off the CD or to be deliberately activated. Like make a positive decision that you want to run raw sockets. That would give the best of both worlds?

    After all it is available with professional distributions like 2003 server, because that is not Joe Public's off the shelf choice of OS?

    just my thoughts

  8. #8
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Foundstone's superscan suffers the same problems as nmap, because it also uses raw sockets, and will be similarly affected.

    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  9. #9
    Senior Member
    Join Date
    Dec 2004
    Originally posted here by jinxy
    Custom live CD would seem to be the answer
    I use a live CD distro for pen testing. Nessus is terribly slow on a CD distro utilizing RAM. Slow to the point that it does not fulfill the needs I require to get the job done.

  10. #10
    Senior Member
    Join Date
    Jan 2002
    You also have to read this post very carefully:
    Nmap has not supported dialup nor any other non-ethernet connections
    on Windows since this silly limitation was added.
    Which IMPLIES that it still works correctly on ethernet connections.

    And as the majority of users will be using it on ethernet (well, almost everybody), it just isn't a problem.

    YES, it works correctly on dial-up connections under (for example) Linux or Mac, but most people who are using nmap are security professionals scanning corporate networks on ethernet**.

    If they *really* need to scan using a dial-up connection, they can always either get a Linux box, or use a hardware router to route their dial-up into ethernet, and then use nmap under Windows anyway.


    ** Or so we hope
