Nmap Development mailing list archives
Re: Raw sockets in Windows Client vs Windows Server?
From: Fyodor <fyodor () insecure org>
Date: Thu, 6 Sep 2012 12:40:26 -0700
On Thu, Aug 23, 2012 at 07:24:51PM +0200, Luis MartinGarcia. wrote:
Hi all,

As you all know, raw sockets are restricted on Windows Client machines. For that reason, on Windows, Nmap injects packets at the Ethernet level. While this works, it limits the type of network devices and network configurations that users can have if they want to run Nmap. However, Windows Server 2003, 2008, 2008R2 (and probably the new 2012) do not limit raw sockets (at least according to http://msdn.microsoft.com/en-us/library/windows/desktop/ms740548%28v=vs.85%29.aspx). So my email is basically to see if there is any interest in differentiating Windows Client and Windows Server, or whether it isn't worth the pain. I'm not saying I want to work on this myself, just that we could add an item to the todo list if there is any interest. What do you think?
Hi Luis, that is a very good point. Pretty much whenever I encounter an MS employee, I give them my "raw sockets rant". I have an email version that I send when encountering them online too. It has so far been 8 years of futility, but I'm still trying :).

Enabling the functionality just for Windows Server is an interesting idea. I wish we had stats on what percentage of Nmap Windows runs are on systems that have raw sockets available. Is it 1%? 10%? I suppose we could look at web download user agents, but folks may download on a client machine and then upload to a server. The "platform" (of the source machine, not the target) reported in OS fingerprint submissions would work well except that it isn't so granular. It generally just reports "i686-pc-windows-windows".

If someone wants to work on it, I think it would be a great project and one we'd probably want to integrate into Nmap. But we might not want to put it on the official todo until/unless we get some indication from MS that they're going to re-enable raw sockets on Windows client versions.

Here is the argument that I send to MS folks whenever I get the chance:

While I have your ear, I'd like to make one suggestion which could enable Nmap to run as well on Windows as it does on Linux and Mac machines: You may recall that, for claimed security reasons, Microsoft restricted the raw IP sockets API in Windows XP SP2 and those restrictions have continued all the way up to and including Windows 7 (except for Windows Server releases). We quickly modified Nmap to encapsulate IP packets in ethernet frames instead and to send those via NDIS. That works in 95%+ of the cases, since most people are using ethernet or compatible systems like WiFi. That 95% rate is fine for malware, which couldn't care less about supporting users on the margins. But legitimate tools like Nmap strive to support every user we can.
Back when Windows supported raw IP sockets, we were able to support all sorts of non-ethernet systems, including PPP, RAS, VPNs, and many other tunneling protocols. We still receive regular "bug reports" from Windows users on non-ethernet connections.

This problem only occurs on Windows because that is the only OS which decided to restrict raw sockets. They are still well supported on Linux, Mac OS X, Solaris, *BSD, and even my Nokia N900 cell phone. Despite supporting raw sockets, these platforms haven't been besieged by malware utilizing that capability. Normal TCP sockets are just fine for almost all malware, and they don't even require administrative/root access to use. And if malware does need to send raw packets for some reason, it can use the same (ethernet) workaround that Nmap has been using since 2004. Again, malware doesn't care about those 5% on non-ethernet devices.

Microsoft Windows itself comes with two tools that benefit from using raw sockets: tracert.exe and ping.exe. This demonstrates that the feature is still there--it is just heavily restricted so that it isn't really useful for anything beyond those two tools. In particular, TCP packets aren't supported.

Even if MS believes that the restrictions were necessary back in 2004, the security landscape has changed dramatically since then. Microsoft could make a good argument that their security improvements in Windows 7 make these limitations unnecessary. In particular, Windows 7 does a solid job separating Administrator and non-administrative roles. Back in 2004, on the other hand, almost everyone ran their XP applications as Administrator. So limiting raw sockets to administrators only would be much more meaningful protection now. I hope you will reconsider the Windows raw sockets limitations. Nmap has millions of users on Windows who would benefit from this capability, and hundreds of other software tools could make use of it too.
It's worth noting that the raw sockets limitation wasn't inspired by actual security incidents. Someone named Steve Gibson was just speculating that material amounts of malware might start to use raw sockets and he made a big fuss. However, we haven't seen that in the ensuing 8 years on Mac or Linux and so I think it is safe for MS to restore the functionality.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
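The two injection paths the thread contrasts, as an added example that is not Nmap code and not part of either message above: one TCP SYN probe is built by hand once, then either handed to a raw IP socket with IP_HDRINCL (the path Windows client restricts, still open on Linux, macOS, *BSD and Windows Server) or wrapped in an Ethernet II frame for link-level injection (the workaround Nmap adopted on Windows). The IP and MAC addresses are made-up sample values, and the packet is never actually sent; probe_raw_socket() only reports whether this host lets an unprivileged or privileged caller open the raw socket at all.

```python
"""Added example (not Nmap code): one TCP SYN probe, two ways to inject it.

  Path A: raw IP socket + IP_HDRINCL (Linux/macOS/*BSD/Windows Server, and
          Windows before XP SP2).
  Path B: the same IP packet wrapped in an Ethernet II frame, ready for
          link-level injection (Nmap's Windows-client workaround).

Everything is built offline; only probe_raw_socket() touches the OS, and it
never sends anything. All addresses below are constructed sample values.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_syn(src_ip, dst_ip, sport, dport, seq=0, ttl=64, ip_id=0x1234):
    """Return a 40-byte IPv4 header + TCP SYN (no options) with both checksums set."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: data offset 5 words, flags=SYN (0x02), window 8192, checksum 0 for now.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    # TCP checksum covers the pseudo-header (src, dst, zero, proto, length) + segment.
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, header checksum 0 for now.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(packet: bytes) -> bool:
    """Verify the TCP checksum of an IPv4/TCP packet: a valid one re-sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def frame_ethernet(dst_mac: str, src_mac: str, ip_packet: bytes) -> bytes:
    """Path B: prepend an Ethernet II header (EtherType 0x0800 = IPv4) to the IP packet."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip_packet


def probe_raw_socket(proto=socket.IPPROTO_TCP) -> str:
    """Path A availability check. Returns one of:
      "available"           raw socket opened and IP_HDRINCL accepted (needs root/Admin)
      "permission-denied"   unprivileged caller (EPERM/EACCES)
      "unsupported:<errno>" anything else the platform refused
    Caveat: on Windows client the socket may open fine and the restriction only
    shows when TCP data is sent through it (the MSDN page cited in the thread
    says TCP cannot be sent over raw sockets), so a full probe would also try a
    sendto(); that step is deliberately omitted here so no packet is emitted.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
    except PermissionError:
        return "permission-denied"
    except OSError as e:
        return "unsupported:%s" % e.errno
    try:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    except OSError as e:
        return "unsupported:%s" % e.errno
    finally:
        s.close()
    return "available"


if __name__ == "__main__":
    pkt = build_ipv4_tcp_syn("192.0.2.10", "192.0.2.20", 40000, 80)
    frame = frame_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb", pkt)
    print("IP packet: %d bytes, TCP checksum ok: %s" % (len(pkt), tcp_checksum_ok(pkt)))
    print("Ethernet frame: %d bytes (Path B payload)" % len(frame))
    print("Raw TCP socket on this host (Path A):", probe_raw_socket())
```

The frame from Path B is exactly what would be handed to a pcap/NDIS send routine; the bytes after the 14-byte Ethernet header are byte-for-byte the Path A packet, which is why Nmap could keep one packet builder and only swap the injection layer. Note that Path B needs a next-hop MAC address, which is the part that breaks on PPP, RAS and VPN adapters that have no Ethernet header at all.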