Nmap Development mailing list archives

Re: Raw sockets in Windows Client vs Windows Server?


From: Fyodor <fyodor () insecure org>
Date: Thu, 6 Sep 2012 12:40:26 -0700

On Thu, Aug 23, 2012 at 07:24:51PM +0200, Luis MartinGarcia. wrote:
> Hi all,
> 
> As you all know, raw sockets are restricted on Windows Client machines.
> For that reason, on Windows, Nmap injects packets at the Ethernet level.
> While this works, it limits the type of network devices and network
> configurations that users can have if they want to run Nmap.
> 
> However, Windows Server 2003, 2008, 2008R2 (and probably the new 2012)
> do not limit raw sockets (at least according to
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms740548%28v=vs.85%29.aspx).
> 
> So my email is basically to see if there is any interest on
> differentiating Windows Client and Windows server, or it isn't worth the
> pain. I'm not saying I want to work on this myself, just that we could
> add an item to the todo list if there is any interest. What do you think?

Hi Luis, that is a very good point.  Pretty much whenever I encounter
an MS employee, I give them my "raw sockets rant".  I have an email
version that I send when encountering them online too.  It has so far
been 8 years of futility, but I'm still trying :).

Enabling the functionality just for Windows Server is an interesting
idea.  I wish we had stats on what percentage of Nmap Windows runs are
on systems that have raw sockets available.  Is it 1%?  10%?  I
suppose we could look at web download user agents, but folks may
download on a client machine and then upload to a server.  The
"platform" (of the source machine, not the target) reported in OS
fingerprint submissions would work well except that it isn't so
granular.  It generally just reports "i686-pc-windows-windows".

If someone wants to work on it, I think it would be a great project
and one we'd probably want to integrate into Nmap.  But we might not
want to put it on the official todo until/unless we get some
indication from MS that they're going to re-enable raw sockets on
Windows client versions.  Here is the argument that I send to MS folks
whenever I get the chance:

While I have your ear, I'd like to make one suggestion which could
enable Nmap to run as well on Windows as it does on Linux and Mac
machines:

You may recall that, for claimed security reasons, Microsoft
restricted the raw IP sockets API in Windows XP SP2 and those
restrictions have continued all the way up to and including Windows 7
(except for Windows Server releases).  We quickly modified Nmap to
encapsulate IP packets in ethernet frames instead and to send those
via NDIS.  That works in 95%+ of the cases, since most people are
using ethernet or compatible systems like WiFi.  That 95% rate is fine
for malware, which couldn't care less about supporting users on the
margins.  But legitimate tools like Nmap strive to support every user
we can.  Back when Windows supported raw IP sockets, we were able to
support all sorts of non-ethernet systems, including PPP, RAS, VPNs,
and many other tunneling protocols.  We still receive regular "bug
reports" from Windows users on non-ethernet connections.

This problem only occurs on Windows because that is the only OS which
decided to restrict raw sockets.  They are still well supported on
Linux, Mac OS X, Solaris, *BSD, and even my Nokia N900 cell phone.
Despite supporting raw sockets, these platforms haven't been besieged
by malware utilizing that capability.  Normal TCP sockets are just
fine for almost all malware, and they don't even require
administrative/root access to use.  And if malware does need to send
raw packets for some reason, it can use the same (ethernet) workaround
that Nmap has been using since 2004.  Again, malware doesn't care
about those 5% on non-ethernet devices.

Microsoft Windows itself comes with two tools that benefit from using
raw sockets: tracert.exe and ping.exe.  This demonstrates that the
feature is still there--it is just heavily restricted so that it isn't
really useful for anything beyond those two tools.  In particular, TCP
packets aren't supported.

Even if MS believes that the restrictions were necessary back in 2004,
the security landscape has changed dramatically since then.  Microsoft
could make a good argument that their security improvements in Windows
7 make these limitations unnecessary.  In particular, Windows 7 does a
solid job separating Administrator and non-administrative roles.  Back
in 2004, on the other hand, almost everyone ran their XP applications
as Administrator.  So limiting raw sockets to administrators only
would be much more meaningful protection now.

I hope you will reconsider the Windows raw sockets limitations.  Nmap
has millions of users on Windows who would benefit from this
capability, and hundreds of other software tools could make use of it
too.

It's worth noting that the raw sockets limitation wasn't inspired by
actual security incidents.  Someone named Steve Gibson was just
speculating that material amounts of malware might start to use raw
sockets and he made a big fuss.  However, we haven't seen that in the
ensuing 8 years on Mac or Linux and so I think it is safe for MS to
restore the functionality.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
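The capability the thread argues about, as an added example that is neither Nmap's code nor anything posted in the thread: a C probe that hand-builds an IPv4 header plus TCP SYN, opens a raw IP socket with IP_HDRINCL and tries to send the segment to loopback. It answers Luis's question empirically rather than by OS edition: a program that can do this may use raw sockets, one that cannot falls back to Ethernet-level injection as Nmap does. It assumes Winsock on Windows and BSD sockets elsewhere; the loopback addresses, ports and sequence number are constructed values, and since the thread does not state which error code a restricted Windows SKU returns at send time, the probe treats any failure (including plain lack of privilege) as "unavailable" and only reports the platform error for logging.

```c
/* Added example, not Nmap code. Probes at run time whether this host lets a
 * program send a hand-built TCP segment over a raw IP socket (IP_HDRINCL),
 * the capability the thread says Windows XP SP2 through Windows 7 removed
 * while Windows Server kept it. Any failure means: use Ethernet injection. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  define sock_err() WSAGetLastError()
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <arpa/inet.h>
#  include <unistd.h>
#  include <errno.h>
typedef int SOCKET;                 /* reuse the Winsock names on POSIX */
#  define INVALID_SOCKET (-1)
#  define closesocket close
#  define sock_err() errno
#endif

enum raw_tcp_status { RAW_TCP_UNAVAILABLE = 0, RAW_TCP_AVAILABLE = 1 };

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement sum over big-endian 16-bit words, then folded. */
static uint32_t sum16(uint32_t sum, const uint8_t *d, size_t len) {
    while (len > 1) { sum += ((uint32_t)d[0] << 8) | d[1]; d += 2; len -= 2; }
    if (len) sum += (uint32_t)d[0] << 8;
    return sum;
}
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }

/* Both return 0 when run over a header whose checksum field is already filled in. */
uint16_t ip_checksum(const uint8_t *ip, size_t len) { return fold(sum16(0, ip, len)); }
uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcplen) {
    uint8_t pseudo[12];                      /* src, dst, zero, protocol, TCP length */
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = 6;
    put16(pseudo + 10, (uint16_t)tcplen);
    return fold(sum16(sum16(0, pseudo, sizeof pseudo), tcp, tcplen));
}

/* Writes a 40-byte IPv4 header + option-less TCP SYN into buf; returns the length.
 * Addresses and ports are host-order values; everything is stored big-endian. */
size_t build_tcp_syn(uint8_t buf[40], uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    uint8_t *ip = buf, *tcp = buf + 20;
    memset(buf, 0, 40);
    ip[0] = 0x45;                            /* IPv4, 5-word header */
    put16(ip + 2, 40);                       /* total length */
    ip[8] = 64; ip[9] = 6;                   /* TTL, protocol TCP */
    put32(ip + 12, src); put32(ip + 16, dst);
    put16(tcp, sport); put16(tcp + 2, dport);
    put32(tcp + 4, 0x12345678u);             /* initial sequence number (constructed) */
    tcp[12] = 0x50;                          /* data offset: 5 words */
    tcp[13] = 0x02;                          /* flags: SYN */
    put16(tcp + 14, 1024);                   /* window */
    put16(tcp + 16, tcp_checksum(ip, tcp, 20));
    put16(ip + 10, ip_checksum(ip, 20));
    return 40;
}

/* Socket creation alone proves nothing: on a restricted Windows SKU it succeeds
 * and the TCP-over-raw block is enforced when the segment is sent, so the
 * verdict is taken from sendto(). err_out receives errno / WSAGetLastError. */
enum raw_tcp_status raw_tcp_probe(int *err_out) {
    enum raw_tcp_status st = RAW_TCP_UNAVAILABLE;
    struct sockaddr_in to;
    uint8_t pkt[40];
    int one = 1, err = 0;
    SOCKET s;
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) { if (err_out) *err_out = -1; return st; }
#endif
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_addr.s_addr = htonl(0x7f000001u);                   /* 127.0.0.1 */
    build_tcp_syn(pkt, 0x7f000001u, 0x7f000001u, 40000, 9);    /* loopback -> discard port (constructed) */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == INVALID_SOCKET) {
        err = sock_err();
    } else {
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (const char *)&one, sizeof one) == 0 &&
            sendto(s, (const char *)pkt, 40, 0, (struct sockaddr *)&to, sizeof to) == 40)
            st = RAW_TCP_AVAILABLE;
        else
            err = sock_err();
        closesocket(s);
    }
#ifdef _WIN32
    WSACleanup();
#endif
    if (err_out) *err_out = err;
    return st;
}

int main(void) {
    int err = 0;
    enum raw_tcp_status st = raw_tcp_probe(&err);
    printf("raw TCP over IP sockets: %s (platform error %d)\n",
           st == RAW_TCP_AVAILABLE ? "available" : "unavailable, use Ethernet injection", err);
    return 0;
}
```

Run it as Administrator/root; without that privilege every platform reports "unavailable", which is the correct answer for the unprivileged case anyway. The edition check Luis proposes (OSVERSIONINFOEX.wProductType equal to VER_NT_WORKSTATION versus a server product type) is cheaper, but a send-time probe like this also catches hosts where the edition says "server" and a policy, driver or missing privilege still blocks the send, so a tool that wants to avoid spurious bug reports should do both.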
