
XP SP2 RAW Sockets and MS05-019

This email has been doing the rounds on NTBUGTRAQ and I thought it might be a good read for a few people in this forum.


With the advent of XP SP2 and the recent MS05-019 patch, using raw
sockets for scanning from a Windows platform has proven to be very
problematic. I thought I would summarize the situation.

Based upon the presence of MS05-019 and the state of the Windows
Firewall service(s) we have to decide whether we need to stop or start
the firewall service(s). Even then there may still be issues. The logic
is as follows:

Windows 2000 is unaffected. It fully supports all raw socket actions and
since it doesn't have the Windows Firewall/ICF we don't have any of
those associated issues.

XP SP0 should have the firewall stopped ("net stop sharedaccess"). Even
though TCP raw sockets are unaffected by the firewall the ALG service,
which is intimately tied to the firewall service on XP, prevents
discovery of several ports such as 21, 389, 1002 and 1720 when using TCP
raw sockets. Stopping the sharedaccess service thus automatically stops
the ALG service and we're good to go.

XP SP1 *without* MS05-019 functions the same as XP SP0.

XP SP1 *with* MS05-019 needs to have the sharedaccess firewall service
*running* (see otherwise TCP raw
sockets are blocked. Because the sharedaccess service needs to be
running to enable sending of TCP packets using raw sockets we have the
problem with the ALG service blocking sending to certain ports, but it's
better than nothing.

XP SP2 *without* MS05-019 functions the same as XP SP1 without the patch
apart from a driver-level restriction on the number of
in-the-process-of-connecting TCP connections. This can affect regular
socket style scanning. The only known workaround to the driver issue is
a TCPIP.SYS hack.

XP SP2 *with* MS05-019 is unusable for raw-socket TCP scanning. It
totally blocks TCP raw sockets with or without the firewall enabled.

Windows Server 2003 acts like XP SP0. The ALG service, which is now no
longer tied to the sharedaccess (Windows Firewall) service, should be
stopped ("net stop alg").

What a mess :)


"Sometimes, a cigar is just a cigar." - Sigmund Freud
 
The intention for Service Pack 2 was to remove raw sockets completely; some clever folks discovered it could be worked around. Hence, MS05-019 removed the workaround.

In any case, this is not a mistake by Microsoft; for security reasons they really wanted to remove raw sockets. The "need" for raw sockets is debatable; it is my own guess that this decision will not be reversed for XP SP2, and if so, certainly not soon. A final decision for Longhorn has not been made.

 
You are absolutely correct, it was very deliberate, and MS have hinted they may do the same for Win2k3 server.

"Sometimes, a cigar is just a cigar." - Sigmund Freud
 