Fyodor on Raw Sockets

Many of us were annoyed last year when Microsoft intentionally broke
raw sockets on Windows XP, while leaving the feature enabled in
Windows 2003. MS is well known for maintaining the upgrade treadmill
by dubious means such as gratuitous file format incompatibilities, but
this is a new low. People pay $299.99 for WinXP Pro with working raw
sockets, then MS cripples their systems and demands $1019 (WS2003
retail price) to return the functionality. Of course Microsoft claims
this change is necessary for security. That is funny, since all of
the other major platforms Nmap supports (e.g. Mac OS X, Linux, *BSD)
offer raw sockets and yet they haven't become the wasp nest of
spambots, worms, and spyware that infest so many Windows boxes.

This takes us back to 1996, when MS released Windows NT 4.0
Workstation with a limit of 10 incoming connections per 10 minutes[1].
They (falsely) claimed this limit was due to substantial technical
differences between Workstation and Server, and wasn't just a way to
force an $800 upgrade. But at least that was a new product — MS
didn't proactively break existing, working web servers. Soon hackers
discovered that the “substantial technical differences” were just a
registry key setting. MS backed down and removed the limitation.

Well, they haven't backed down this time! I know that some of you
have been avoiding SP2 to keep your system fully functional. MS made
a blocking tool available to Enterprises, but they overrode it on
April 12 and forced the upgrade through Automatic Update anyway[2].
And now they have quietly snuck the raw sockets restriction in with
their latest critical security patch (MS05-019). The loophole that
allowed users to defeat the limitation by stopping the ICS service has
also been closed by MS05-019. I have appended an informative
NTBugtraq post by Robin Keir on this topic. Pick your poison: Install
MS05-019 and cripple your OS, or ignore the hotfix and remain
vulnerable to remote code execution and DoS.

Nmap has not supported dialup or any other non-ethernet connections
on Windows since this silly limitation was added. The new TCP
connection limit also substantially degrades connect() scan. Nmap
users should avoid thinking that all platforms are supported equally.
If you have any choice, run Nmap on Linux, Mac OS X, Open/FreeBSD, or
Solaris rather than Windows. Nmap will run faster and more reliably.
Or you can try convincing MS to fix their TCP stack. Good luck with

Rant mode off,

[1] http://tim.oreilly.com/articles/10-conn.html
[2] http://it.slashdot.org/article.pl?sid=05/04/06/1657216&tid=201&tid=172&tid=218
