Nmap Announce mailing list archives

Re: nmap for Wintendo (NT/Win2K)


From: Ryan Permeh <talis () millcomm com>
Date: Tue, 22 Feb 2000 11:23:19 -0600

Custom NT packet drivers can do all of this and more. The NT rootkit
project (www.rootkit.com) has a sniffer and the ability to send raw data to a
network (along with some other stuff). It has a client called RogueX that can
do some of the nmap type of stuff, proving that it can be done. It's based on
an NT 4.0 NDIS packet driver. I have been looking over this and the possibility
of writing a specific 2000 driver (the 2000 driver interface looks sweet). On
2000, with full control over the IP header via winsock (IP_HDRINCL), you can
spoof packets, and via a driver, you can sniff them. OR, in both NT 4.0 and
2000, you can use a driver to sniff and as a point where you can write raw
packets, like the rootkit is doing.

Ryan


Stou Sandalski wrote:

----- Original Message -----
From: "Ken Williams" <Ken.Williams () ey com>
To: <nmap-hackers () insecure org>
Sent: Monday, 21 February, 2000 16:57
Subject: nmap for Wintendo (NT/Win2K)

<snip>
Any related comments or suggestions (and of course creative, humorous flames)
are welcome, such as why Windows' TCP/IP stack is brain dead, or why the
concept of this project is itself blasphemous, or even why the "Nmap for
Wintendo" project would be detrimental to "our war against The Evil Empire".

Hey, you know I was actually thinking about that the other day. I haven't
looked at the code of nmap yet, but w2k supports straight up raw sockets
where you can modify anything you want (i.e. roll your own TCP, IP,
whatever else you please...). I haven't tested it out yet, but that's what the
platform SDK says. NT and 9x with winsock 2.2 support some MS crap they call
raw sockets which lets you modify IGMP and ICMP packets, but to modify
anything else you need to set an option called IP_HDRINCL (I can't say that
I have actually written any code for anything other than a wintel platform...
so I don't know if this option is a win32 thing or is something coming from
the Berkeley sockets; you never know with Microsoft), which of course is not
supported by anything other than w2k. I was going to suggest porting nmap to
windoze, but I was afraid of the flame war that could have caused.

Other than raw sockets, I wonder how else one can do this (i.e. send your own
"fake" packets). I mean, how else are you going to do a SYN scan? I know it's
possible to do it in NT, because Network Assoc.'s Cybercop Sting uses an NT
box to simulate a few machines (I think something like 3 - 5 max) running
different operating systems on your network to make h4x0r 1337 d00ds think
they hit the jackpot, where in fact they are getting logged and so on and so
forth. It's supposed to be able to fool fingerprinting. I have not been able
to make it work; it seems pretty unfinished, and as far as my insider buddy at
NAI said, it was dead. No matter though, it's obviously possible to modify the
packets somehow. Any clues?

I think it would be neato to port nmap to windoze. I mean, I haven't seen
anything as cool and powerful for Windows (yeah, I know about the Cybercop
scanner and IIS's scanner thing, but I mean free with source code available),
and I would be down to help out with the porting if anyone else wants to do
it.

Stou
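Both mails turn on the IP_HDRINCL contract: once that option is set, the stack no longer fills in the IP header, so the application must supply every field, including the header checksum, and a sniffer on the receiving side has to validate it. The following is an added example, not code from either poster or from the rootkit project: it builds a minimal IPv4 header, computes the RFC 1071 checksum, performs the sniffer-side validity check, and shows the setsockopt call using BSD sockets on a POSIX system rather than Winsock. The addresses, protocol and length are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>    /* htons, htonl */
#include <sys/socket.h>
#include <netinet/in.h>   /* IPPROTO_IP, IP_HDRINCL */

/* RFC 1071 one's-complement sum over a byte buffer, big-endian 16-bit words. */
static uint16_t ip_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; data += 2, len -= 2) sum += (uint16_t)((data[0] << 8) | data[1]);
    if (len) sum += (uint16_t)(data[0] << 8);          /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries */
    return (uint16_t)~sum;
}

/* Fill a 20-byte IPv4 header (no options) the way an IP_HDRINCL sender must:
   every field in network byte order, checksum computed last over the header. */
void build_ipv4_header(uint8_t hdr[20], uint32_t src, uint32_t dst,
                       uint16_t total_len, uint8_t proto, uint8_t ttl) {
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                                   /* version 4, IHL 5 */
    uint16_t tl = htons(total_len); memcpy(hdr + 2, &tl, 2);
    hdr[8] = ttl; hdr[9] = proto;                    /* id/flags/frag left 0 */
    uint32_t s = htonl(src), d = htonl(dst);
    memcpy(hdr + 12, &s, 4); memcpy(hdr + 16, &d, 4);
    uint16_t csum = htons(ip_checksum(hdr, 20)); memcpy(hdr + 10, &csum, 2);
}

/* Sniffer-side check: a header is intact iff the sum over it (checksum
   field included) folds to zero. Rejects short buffers and bad IHL. */
int ipv4_header_valid(const uint8_t *hdr, size_t len) {
    if (len < 20 || (hdr[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    return ip_checksum(hdr, ihl) == 0;
}

/* Raw socket with IP_HDRINCL set (needs privileges; -1 on failure). */
int open_raw_hdrincl(void) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW), one = 1;
    if (fd >= 0 && setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) return -1;
    return fd;
}

/* Constructed sample: 192.168.0.1 -> 192.168.0.199, UDP, 115 bytes, TTL 64. */
uint16_t sample_checksum(void) {
    uint8_t h[20];
    build_ipv4_header(h, 0xc0a80001u, 0xc0a800c7u, 115, 17, 64);
    return (uint16_t)((h[10] << 8) | h[11]);         /* 0xf861 */
}
int sample_roundtrip(void) {  /* 1: fresh header valid, flipped bit not */
    uint8_t h[20];
    build_ipv4_header(h, 0xc0a80001u, 0xc0a800c7u, 115, 17, 64);
    int ok = ipv4_header_valid(h, 20);
    h[19] ^= 0x01;
    return ok && !ipv4_header_valid(h, 20) && !ipv4_header_valid(h, 19);
}
```

On Winsock the same option is set with setsockopt(s, IPPROTO_IP, IP_HDRINCL, (const char *)&one, sizeof one) after WSAStartup; the header-building and checksum logic is identical.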

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
