Full Disclosure mailing list archives

Re: SP2 and NMAP


From: James Tucker <jftucker () gmail com>
Date: Fri, 13 Aug 2004 11:15:01 +0100

If you are going to try to bash Microsoft for doing something, maybe
you should at least look at some of the documents surrounding the
reasons for doing it, and then be accurate:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection127121120120
and a documented attack which utilised the Windows raw socket functionality:
http://www.grc.com/dos/drdos.htm

If you read the above Microsoft doc you will see that they have not
"disabled raw packets" but disabled commonly abused types of raw
packet. If anyone has a genuine business application which uses
spoofed source raw UDP packets or customised TCP data, I will frankly
be disgusted. It is coding of that sort which destroys the IT
industry; there are applications for this functionality elsewhere, but
there are no real business interface applications which should require
such functionality from the protocol stacks.

Functionality comes at the cost of simplicity. Just as you can't
accurately measure the position of an electron without affecting its
speed, you cannot make software more feature-full without making it
more complex (and, for most users, therefore harder to use).

If you are using NMAP for local security checks, and XP is your
primary desktop OS, then I would highly recommend putting your scanner
on another system. A large number of the exploits available for less
patched versions of Windows will be able to infect your scanning
machine as well (via local LAN exploits). Whilst most malware is not
sophisticated enough to get in and take out the NMAP logs, the
possibility (and thus the risk) is there. Use a secure-by-default OS and
add limited and carefully vetted systems to it for your IDS solutions.
Cost is not an issue here, as many options for the systems in question
are free.


On Thu, 12 Aug 2004 08:01:23 -0500, PJ <pj114 () megapathdsl net> wrote:
FYI... The current NMAP (Windows) version is now broken when applying SP2.
MS has disabled the use of raw packets... Details can be found on
insecure.org (by Fyodor).
But then, NMAP also ran on Win95, which did not support raw packets, so
maybe a patched version will be available in the future.

Before someone says it ... I will.  You should be running Linux anyway if
you want real functionality.

PJ

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


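The kind of packet the SP2 restriction targets, as an added example (mine, not code from either post, from nmap or from Microsoft): a hand-built IPv4/TCP SYN whose source address is whatever the caller supplies, handed to the stack through a raw socket with IP_HDRINCL. It is written against a POSIX stack so it can be compiled and checked here; the 10.0.0.x addresses, ports and sequence number are constructed for the demonstration. The two `*_checksum_ok` helpers are what a receiver would check, and show that the stack does nothing to tie the source address to the sending host: a spoofed source only has to carry a consistent checksum. On Linux the send is refused with EPERM unless the process has CAP_NET_RAW; on XP SP2 the Winsock equivalent is what the Microsoft document above describes as refused for TCP over raw sockets.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define IP_HLEN  20
#define TCP_HLEN 20
#define PKT_LEN  (IP_HLEN + TCP_HLEN)

/* RFC 1071 ones-complement sum over big-endian 16-bit words, folded, inverted. */
static uint16_t csum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff;
}

/* TCP pseudo-header: src, dst, zero byte + protocol, TCP length. */
static uint32_t pseudo_sum(const uint8_t *ip, uint16_t tcp_len)
{
    uint32_t acc = 0;
    for (int i = 12; i < 20; i += 2)
        acc += ((uint32_t)ip[i] << 8) | ip[i + 1];
    return acc + ip[9] + tcp_len;
}

/* Build IPv4 + TCP SYN (no options). src is whatever the caller says it is:
 * this is the "customised TCP" / spoofed-source raw packet SP2 refuses. */
size_t build_syn(uint8_t *buf, uint32_t src, uint32_t dst,
                 uint16_t sport, uint16_t dport, uint32_t seq)
{
    uint8_t *ip = buf, *tcp = buf + IP_HLEN;
    memset(buf, 0, PKT_LEN);
    ip[0] = 0x45;                 /* version 4, IHL 5 words */
    put16(ip + 2, PKT_LEN);       /* total length */
    put16(ip + 6, 0x4000);        /* DF, fragment offset 0 */
    ip[8] = 64;                   /* TTL */
    ip[9] = IPPROTO_TCP;
    put32(ip + 12, src);
    put32(ip + 16, dst);
    put16(ip + 10, csum16(ip, IP_HLEN, 0));   /* field is zero while summing */

    put16(tcp + 0, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, seq);
    tcp[12] = 0x50;               /* data offset 5 words */
    tcp[13] = 0x02;               /* SYN */
    put16(tcp + 14, 1024);        /* window */
    put16(tcp + 16, csum16(tcp, TCP_HLEN, pseudo_sum(ip, TCP_HLEN)));
    return PKT_LEN;
}

/* Receiver-side checks: summing a header including its own checksum folds to
 * 0xFFFF, so csum16() returns 0 for an intact header. */
int ip_checksum_ok(const uint8_t *pkt) { return csum16(pkt, IP_HLEN, 0) == 0; }
int tcp_checksum_ok(const uint8_t *pkt)
{
    return csum16(pkt + IP_HLEN, TCP_HLEN, pseudo_sum(pkt, TCP_HLEN)) == 0;
}

/* Hand the finished packet to the stack. Returns 0 or -errno. */
int send_raw(const uint8_t *pkt, size_t len, uint32_t dst)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return -errno;            /* EPERM without CAP_NET_RAW */
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        int e = errno; close(fd); return -e;
    }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(dst);
    int rc = sendto(fd, pkt, len, 0, (struct sockaddr *)&sin, sizeof sin) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

int main(void)
{
    uint8_t pkt[PKT_LEN];
    /* Constructed addresses for the demonstration, not real hosts. */
    uint32_t spoofed_src = IPV4(10, 0, 0, 1), dst = IPV4(10, 0, 0, 2);
    build_syn(pkt, spoofed_src, dst, 1234, 80, 0);
    printf("ip csum ok=%d tcp csum ok=%d\n", ip_checksum_ok(pkt), tcp_checksum_ok(pkt));
    int rc = send_raw(pkt, PKT_LEN, dst);
    printf("%s\n", rc == 0 ? "stack accepted the spoofed SYN" : strerror(-rc));
    return 0;
}
```

Run it as an unprivileged user and the stack refuses the socket before the packet is ever looked at; run it with CAP_NET_RAW and the kernel sends the SYN with the 10.0.0.1 source untouched, which is exactly the behaviour the SP2 change removes from the Windows stack for TCP and for UDP with a non-local source. The checksum helpers are the only part with any real logic, so they are what the accompanying checks exercise.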

