Snort mailing list archives
Re: GRC.com attack and TCP stacks
From: Matt Watchinski <matt () farm9 com>
Date: Sun, 24 Jun 2001 15:29:02 -0700
Not really the future, more like last year. You can dynamically load the eEye libnet port and WinPcap and create raw IP packets. Just no one has taken the time to do it yet.

-matt

Benjamin Krueger wrote:
> On Fri, Jun 22, 2001 at 09:11:40PM -0400, Edwin Chiu wrote:
> > Quoting Galitz <galitz () uclink berkeley edu>:
> > > So, I read the above URL, but I am curious. Steve states:
> > >
> > > Microsoft's engineers never fully implemented the complete "Unix Sockets" specification in any of the previous versions of Windows.
> > >
> > > And goes on to say that a MS Windows pre-2000 or XP box cannot generate spoofed packets without the attacker (or security auditor) using special device drivers.
> > >
> > > My question is... what the heck is he talking about? Is this true? Is it not possible to generate spoofed traffic on an NT box using only the OS and no new drivers to be installed? What missing functionality is being alluded to here?
> >
> > I believe he is referring to Raw Sockets, something that is implemented in Winsock 2.0 and available for download for all versions of Windows, or 9x/NT. Although I always thought NT allowed you to create Raw Sockets.
> >
> > Regards,
> > Edwin
>
> While Winsock 2.0 does have some support for this (Winsock 2.0 allows raw ICMP sockets, but not raw IP), few machines are ever upgraded to Winsock 2.0. It isn't part of the standard updates from windowsupdate.microsoft.com and I don't believe it ships with any of the service packs. I'd say that puts it in the category of "special device drivers" that aren't there by default.
>
> The whole original argument was that 95, 98, and NT all ship without raw socket support by default, and are rarely updated to Winsock 2.0, therefore these trojan bots can't reasonably expect raw sockets and the ability to spoof. The big deal is that 2k does, and more importantly, XP will, have support for raw sockets (enabling spoofing) by default. Millions of shiny new end user XP machines on cable and DSL that let a trojan bot spoof with their default stack. This is the future, kids...
> Benjamin Krueger
> Rogue Unix Weenie
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
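The thread turns on one capability: whether a process can open a raw IP socket and hand the stack a complete IPv4 header of its own making (IP_HDRINCL), which is what lets it put any source address it likes on the wire. The following is an added example, not code from the thread and not from the eEye libnet port or WinPcap that Matt mentions. It builds and verifies the 20-byte header a program must supply itself in that mode, and `probe_raw_ip()` is the check for Galitz's question: does this host's stack hand out a raw IP socket and accept IP_HDRINCL at all? The probe opens a socket and sets the option; it never sends anything. The addresses, length and the 0xb861 checksum are a constructed test vector, not taken from the thread. Two caveats a practitioner would want: the probe needs root on Unix or an elevated process on Windows (a permission error is itself the answer), and whether a spoofed packet actually leaves the host also depends on what the stack and the upstream network do with it; Microsoft later restricted raw-socket sending in Windows XP SP2 (no TCP over raw sockets, UDP with a spoofed source dropped), so the XP-ships-with-it picture painted here applies to XP as released.

```python
"""Added example (not from the thread, not eEye libnet / WinPcap code).

  * ip_checksum / build_ipv4_header / parse_ipv4_header: the header a
    program must write itself on a raw IP socket with IP_HDRINCL; the
    stack does not fill in the source address, so the caller chooses it.
  * probe_raw_ip: does this stack give a process a raw IP socket and
    accept IP_HDRINCL?  Opens a socket and sets the option, sends nothing.
"""
import socket
import struct

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int,
                      proto: int = socket.IPPROTO_UDP, ttl: int = 64,
                      ident: int = 0, flags_frag: int = 0x4000) -> bytes:
    """Return a 20-byte IPv4 header with a valid checksum.

    `src` is whatever the caller says it is: with IP_HDRINCL the stack
    does not overwrite it, which is the whole point of the thread.
    """
    fields = [0x45, 0, total_length, ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    # checksum is computed with the checksum field itself zeroed
    fields[7] = ip_checksum(struct.pack(IPV4_HEADER_FMT, *fields))
    return struct.pack(IPV4_HEADER_FMT, *fields)


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fixed header; the checksum over a correct header
    (checksum field included) folds to 0."""
    (ver_ihl, _tos, total_length, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_HEADER_FMT, hdr[:20])
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0xF,
        "total_length": total_length, "ident": ident,
        "flags_frag": flags_frag, "ttl": ttl, "proto": proto,
        "checksum": csum, "checksum_ok": ip_checksum(hdr[:20]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def probe_raw_ip() -> str:
    """Report whether this stack hands us a raw IP socket with IP_HDRINCL.

    Needs root on Unix / an elevated process on Windows.  Failure to open
    the socket is itself the answer Galitz was asking for.  Nothing is sent.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError as e:                     # PermissionError, or no raw support
        return "no raw IP socket: %s" % e
    try:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        return "raw IP socket with IP_HDRINCL available"
    except OSError as e:
        return "raw socket opened, but IP_HDRINCL refused: %s" % e
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed test vector: 192.168.0.1 -> 192.168.0.199, UDP,
    # total length 115, DF set.  Checksum for this header is 0xb861.
    h = build_ipv4_header("192.168.0.1", "192.168.0.199", 115, ident=0)
    print(h.hex())
    print(parse_ipv4_header(h))
    print(probe_raw_ip())
```

Run it unprivileged and `probe_raw_ip()` reports the permission error; run it as root (or elevated on Windows) and it reports whether IP_HDRINCL was accepted, which is the same distinction the thread draws between a stack that lets an ordinary program choose its own source address and one that does not. Note that `parse_ipv4_header` flags a header whose source field has been altered after checksumming, so a sniffer-side check of the checksum catches sloppy packet generators but not ones that recompute it, as this builder does.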
Current thread:
- GRC.com attack and TCP stacks Galitz (Jun 22)
- Re: GRC.com attack and TCP stacks Edwin Chiu (Jun 22)
- Re: GRC.com attack and TCP stacks Benjamin Krueger (Jun 23)
- Re: GRC.com attack and TCP stacks Matt Watchinski (Jun 24)
- Re: GRC.com attack and TCP stacks Jason Robertson (Jun 24)
- Re: GRC.com attack and TCP stacks Benjamin Krueger (Jun 23)
- <Possible follow-ups>
- RE: GRC.com attack and TCP stacks Mayers, Philip J (Jun 25)
- Re: GRC.com attack and TCP stacks Edwin Chiu (Jun 22)