From: Benjamin Krueger (rooufies.org)
Date: Sat Jun 23 2001 - 21:06:21 CDT


On Fri, Jun 22, 2001 at 09:11:40PM -0400, Edwin Chiu wrote:
> Quoting Galitz <galitz@uclink.berkeley.edu>:
> > So, I read the above URL, but I am curious. Steve
> > states:
> >
> >
> > Microsoft's engineers never fully implemented the complete
> > "Unix Sockets" specification in any of the previous versions
> > of Windows.
> >
> > And goes on to say that a MS Windows pre-2000 or XP box cannot
> > generate spoofed packets without the attacker (or security
> > auditor) using special device drivers.
> >
> > My question is... what the heck is he talking about? Is
> > this true? Is it not possible to generate spoofed traffic
> > on an NT box using only the OS and no new drivers to be
> > installed? What missing functionality is being alluded
> > to here?
>
> I believe he is referring to Raw Sockets, something that is
> implemented in Winsock 2.0 and available for download for
> all versions of Windows, or 9x/NT. Although I always thought
> NT allowed you to create Raw Sockets.
>
> Regards,
> Edwin

While Winsock 2.0 does have some support for this (Winsock 2.0
allows raw ICMP sockets, but not raw IP), few machines
are ever upgraded to Winsock 2.0. It isn't part of the
standard updates from windowsupdate.microsoft.com and I don't
believe it ships with any of the service packs. I'd say that
puts it in the category of "special device drivers" that aren't
there by default. The whole original argument was that 95, 98,
and NT all ship without raw socket support by default, and are
rarely updated to Winsock 2.0, therefore these trojan bots can't
reasonably expect raw sockets and the ability to spoof.

The big deal is that 2k does, and more importantly, XP will,
have support for raw sockets (enabling spoofing) by default.
Millions of shiny new end user XP machines on cable and DSL
that let a trojan bot spoof with their default stack.
This is the future kids...

Benjamin Krueger
Rogue Unix Weenie
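The capability split Benjamin describes (raw ICMP sockets granted, raw IP with caller-supplied headers not) is something an auditor can check on a host directly. The probe below is an added example written for this archive page, not code from the thread; it opens the two socket types, reports a verdict for each, and sends nothing. All names in it (`RawSocketProbe`, `classify`, `probe_raw_sockets`, `UNSUPPORTED_ERRNOS`) are my own.

```python
"""Probe which raw-socket capabilities the local IP stack grants this process.

Mirrors the distinction drawn in the thread: a stack may allow raw ICMP
sockets while refusing raw IP sockets with caller-supplied headers
(IP_HDRINCL), which is what address spoofing requires. Nothing is sent."""
import errno
import socket
from dataclasses import dataclass

# errno values that mean "the stack does not offer this socket type/option"
UNSUPPORTED_ERRNOS = (errno.EPROTONOSUPPORT, errno.ESOCKTNOSUPPORT,
                      errno.ENOPROTOOPT, errno.EINVAL)

@dataclass
class RawSocketProbe:
    raw_icmp: str          # verdict for SOCK_RAW/IPPROTO_ICMP
    raw_ip_hdrincl: str    # verdict for SOCK_RAW/IPPROTO_RAW + IP_HDRINCL

def classify(exc: BaseException) -> str:
    """Map a socket error to a coarse verdict string."""
    if isinstance(exc, PermissionError):      # EACCES/EPERM (WSAEACCES on Windows)
        return "privilege_required"
    if isinstance(exc, OSError) and exc.errno in UNSUPPORTED_ERRNOS:
        return "unsupported"
    return f"error:{exc}"

def try_raw_socket(proto: int, want_hdrincl: bool) -> str:
    """Open a raw socket (and optionally enable IP_HDRINCL) without sending."""
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
        if want_hdrincl:
            sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        return "available"
    except OSError as exc:
        return classify(exc)
    finally:
        if sock is not None:
            sock.close()

def probe_raw_sockets() -> RawSocketProbe:
    raw_proto = getattr(socket, "IPPROTO_RAW", 255)   # 255 is IPPROTO_RAW
    return RawSocketProbe(
        raw_icmp=try_raw_socket(socket.IPPROTO_ICMP, False),
        raw_ip_hdrincl=try_raw_socket(raw_proto, True),
    )

if __name__ == "__main__":
    print(probe_raw_sockets())
```

Run it once unprivileged and once as an administrator or root: a stack matching the thread's description of Winsock 2.0 reports `raw_icmp="available"` but not `raw_ip_hdrincl="available"`.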

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users