
| Subject: | Raw sockets, MS05-019 and Windows Firewall -- Summary |
|---|---|
| Date: | Mon, 25 Apr 2005 14:33:01 -0700 |
With the advent of XP SP2 and the recent MS05-019 patch, using raw sockets for scanning from a Windows platform has proven to be very problematic. I thought I would summarize the situation.
Based upon the presence of MS05-019 and the state of the Windows Firewall service(s) we have to decide whether we need to stop or start the firewall service(s). Even then there may still be issues. The logic is as follows:
Windows 2000 is unaffected. It fully supports all raw socket actions and since it doesn't have the Windows Firewall/ICF we don't have any of those associated issues.
XP SP0 should have the firewall stopped ("net stop sharedaccess"). Even though TCP raw sockets are unaffected by the firewall, the ALG service, which is intimately tied to the firewall service on XP, prevents discovery of several ports such as 21, 389, 1002 and 1720 when using TCP raw sockets. Stopping the sharedaccess service thus automatically stops the ALG service and we're good to go.

XP SP1 *without* MS05-019 functions the same as XP SP0.
XP SP1 *with* MS05-019 needs to have the sharedaccess firewall service *running* (see http://support.microsoft.com/kb/897656) otherwise TCP raw sockets are blocked. Because the sharedaccess service needs to be running to enable sending of TCP packets using raw sockets we have the problem with the ALG service blocking sending to certain ports, but it's better than nothing.
XP SP2 *without* MS05-019 functions the same as XP SP1 without the patch apart from a driver-level restriction on the number of in-the-process-of-connecting TCP connections. This can affect regular socket style scanning. The only known workaround to the driver issue is a TCPIP.SYS hack.
XP SP2 *with* MS05-019 is unusable for raw-socket TCP scanning. It totally blocks TCP raw sockets with or without the firewall enabled.
Windows Server 2003 acts like XP SP0. The ALG service, which is now no longer tied to the sharedaccess (Windows Firewall) service, should be stopped ("net stop alg").

What a mess :-)
-- Robin
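The per-platform rules in Robin's post, collected into one script for a scanning host, as an added example (this is not code from the post or from NTBugtraq). It assumes PowerShell 2.0 or later (for Get-HotFix), that MS05-019 shows up in the hotfix list as KB893066 (the KB number is my assumption; the post only names the bulletin, so pass a different id with -Ms05019Kb if yours differs), and that the service names are the ones the post uses, sharedaccess and alg. Without -Apply it only reports what it would change; Stop-Service -Force is used so that stopping sharedaccess on XP also takes ALG down, as the post describes.

```powershell
# Added example: decide and (optionally) apply the sharedaccess/alg state the post
# recommends for raw-socket TCP scanning, based on OS, service pack and MS05-019.
# Assumptions: PowerShell 2.0+ (Get-HotFix), MS05-019 == KB893066 (not stated in the post).
param(
    [string]$Ms05019Kb = 'KB893066',   # assumed hotfix id for MS05-019
    [switch]$Apply                      # without -Apply the script only reports
)

function Get-RawSocketPlan {
    param([string]$Caption, [int]$ServicePack, [bool]$Patched)
    # Returns the desired state of the services the post names, plus whether
    # raw-socket TCP scanning is expected to work on this platform at all.
    $plan = @{ Usable = $true; Services = @{}; Note = '' }
    if ($Caption -match 'Windows 2000') {
        $plan.Note = 'Unaffected: no Windows Firewall/ICF, raw sockets fully supported'
    } elseif ($Caption -match 'Server 2003') {
        $plan.Services['alg'] = 'Stopped'
        $plan.Note = 'ALG is no longer tied to sharedaccess on 2003; stop ALG only'
    } elseif ($Caption -match 'Windows XP') {
        switch ($ServicePack) {
            0 {
                $plan.Services['sharedaccess'] = 'Stopped'
                $plan.Note = 'Stop sharedaccess; ALG stops with it'
            }
            1 {
                if ($Patched) {
                    $plan.Services['sharedaccess'] = 'Running'
                    $plan.Note = 'MS05-019 present: sharedaccess must run (KB897656); ALG still blocks some ports'
                } else {
                    $plan.Services['sharedaccess'] = 'Stopped'
                    $plan.Note = 'Same as SP0'
                }
            }
            2 {
                if ($Patched) {
                    $plan.Usable = $false
                    $plan.Note = 'SP2 + MS05-019 blocks TCP raw sockets with or without the firewall'
                } else {
                    $plan.Services['sharedaccess'] = 'Stopped'
                    $plan.Note = 'Same as SP1 unpatched; SP2 also limits half-open connections in tcpip.sys'
                }
            }
            default {
                $plan.Usable = $false
                $plan.Note = "No rule for XP service pack $ServicePack"
            }
        }
    } else {
        $plan.Usable = $false
        $plan.Note = "No rule for '$Caption'"
    }
    return $plan
}

# Gather the facts the decision depends on.
$os = Get-WmiObject -Class Win32_OperatingSystem
$sp = [int]$os.ServicePackMajorVersion
$patched = [bool](Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Ms05019Kb })
$plan = Get-RawSocketPlan -Caption $os.Caption -ServicePack $sp -Patched $patched

Write-Host "$($os.Caption) SP$sp, MS05-019 ($Ms05019Kb) installed: $patched"
Write-Host "Plan: $($plan.Note)"
if (-not $plan.Usable) {
    Write-Host 'Raw-socket TCP scanning is not expected to work on this host.'
    exit 1
}

# Bring each named service to the state the plan wants.
foreach ($name in $plan.Services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "Service $name not found on this host"; continue }
    $want = $plan.Services[$name]
    if ("$($svc.Status)" -eq $want) { Write-Host "$name is already $want"; continue }
    Write-Host "$name is $($svc.Status), should be $want"
    if ($Apply) {
        if ($want -eq 'Stopped') {
            Stop-Service -Name $name -Force   # same effect as "net stop <name>" (takes dependents down too)
        } else {
            Start-Service -Name $name         # same effect as "net start <name>"
        }
    }
}
```

Run it once without -Apply to see the verdict for the host, then with -Apply from an elevated shell; re-run after any service pack or MS05-019 change, since the rules flip between SP1 and SP2.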
-- NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered. --