Nmap Announce mailing list archives

Raw sockets, MS05-019 and Windows Firewall -- Summary


From: Fyodor <fyodor () insecure org>
Date: Mon, 25 Apr 2005 15:31:32 -0700

In my Saturday raw sockets rant, I included a message from Robin Keir
describing how MS05-019 breaks raw sockets even for pre-SP2 WinXP
machines.  He has now done more research and sent me the following
mail summarizing how Windows platforms (Win2K, WinXP, Win2003)
interact with service packs, hotfixes, and the sharedaccess service
to restrict (or not) raw sockets.  For the executive summary, read
just the final line of his email.

From: Robin Keir <robin () keir net>
Date: Mon, 25 Apr 2005 14:33:01 -0700
Subject: Raw sockets, MS05-019 and Windows Firewall -- Summary

With the advent of XP SP2 and the recent MS05-019 patch, using raw 
sockets for scanning from a Windows platform has proven to be very 
problematic. I thought I would summarize the situation.

Based upon the presence of MS05-019 and the state of the Windows 
Firewall service(s) we have to decide whether we need to stop or start 
the firewall service(s). Even then there may still be issues. The logic 
is as follows:

Windows 2000 is unaffected. It fully supports all raw socket actions and
since it doesn't have the Windows Firewall/ICF we don't have any of
those associated issues.

XP SP0 should have the firewall stopped ("net stop sharedaccess"). Even 
though TCP raw sockets are unaffected by the firewall the ALG service, 
which is intimately tied to the firewall service on XP, prevents 
discovery of several ports such as 21, 389, 1002 and 1720 when using TCP 
raw sockets. Stopping the sharedaccess service thus automatically stops 
the ALG service and we're good to go.

XP SP1 *without* MS05-019 functions the same as XP SP0.

XP SP1 *with* MS05-019 needs to have the sharedaccess firewall service 
*running* (see http://support.microsoft.com/kb/897656) otherwise TCP raw 
sockets are blocked. Because the sharedaccess service needs to be 
running to enable sending of TCP packets using raw sockets we have the 
problem with the ALG service blocking sending to certain ports, but it's 
better than nothing.

XP SP2 *without* MS05-019 functions the same as XP SP1 without the patch 
apart from a driver-level restriction on the number of 
in-the-process-of-connecting TCP connections. This can affect regular 
socket style scanning. The only known workaround to the driver issue is 
a TCPIP.SYS hack.

XP SP2 *with* MS05-019 is unusable for raw-socket TCP scanning. It 
totally blocks TCP raw sockets with or without the firewall enabled.

Windows Server 2003 acts like XP SP0. The ALG service, which is now no 
longer tied to the sharedaccess (Windows Firewall) service, should be 
stopped ("net stop alg").

What a mess :-)


-- 
Robin
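The decision logic in the mail, as an added PowerShell check that is not part of Robin Keir's mail or of Nmap: it reads the local platform, service pack, hotfix list and service states and reports which state the rules above call for, without stopping or starting anything. The page does not give the KB number of the MS05-019 hotfix, so it is a parameter with a placeholder default (an assumption you must fill in).

```powershell
# Added example (not from the mail or from Nmap): report, do not change.
# Assumption: -Ms05019HotfixId must be set to the real KB id of MS05-019;
# the default below is a placeholder, not a real identifier.
param(
    [string]$Ms05019HotfixId = 'KB<MS05-019-hotfix-number>'
)

$os      = Get-WmiObject Win32_OperatingSystem
$caption = $os.Caption
$sp      = [int]$os.ServicePackMajorVersion
$patched = [bool](Get-WmiObject Win32_QuickFixEngineering |
                  Where-Object { $_.HotFixID -eq $Ms05019HotfixId })

# Current state of a service, or 'absent' if it is not installed.
function Get-SvcState([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status } else { 'absent' }
}

# One branch per case described in the mail.
if ($caption -match 'Windows 2000') {
    $verdict = 'Windows 2000: raw sockets unaffected, nothing to change.'
} elseif ($caption -match 'Server 2003') {
    $verdict = 'Server 2003: ALG should be stopped (net stop alg); it is no longer tied to sharedaccess.'
} elseif ($caption -match 'Windows XP') {
    if ($sp -eq 0) {
        $verdict = 'XP SP0: sharedaccess should be stopped (net stop sharedaccess), which also stops ALG.'
    } elseif ($sp -eq 1 -and -not $patched) {
        $verdict = 'XP SP1 without MS05-019: same as SP0, stop sharedaccess.'
    } elseif ($sp -eq 1) {
        $verdict = 'XP SP1 with MS05-019: sharedaccess must be RUNNING (KB897656); ALG will still block some ports.'
    } elseif (-not $patched) {
        $verdict = 'XP SP2 without MS05-019: stop sharedaccess; the TCPIP.SYS limit on in-progress connections still applies.'
    } else {
        $verdict = 'XP SP2 with MS05-019: TCP raw sockets are blocked whatever the firewall state.'
    }
} else {
    $verdict = "Not covered by the rules: $caption"
}

"Platform       : $caption, SP$sp"
"MS05-019 found : $patched"
"sharedaccess   : $(Get-SvcState sharedaccess)"
"alg            : $(Get-SvcState alg)"
"Recommendation : $verdict"
```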



_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers

