Raw Sockets in Windows XP SP2

[for the unabridged version, see Keith's post above]

> "Sean" <news@warnocksolutions.com> wrote in message
> news:upA9U%23gWEHA.1756@TK2MSFTNGP12.phx.gbl...

> > Can anyone confirm if the SOCK_RAW api is still avaliable
> > in Windows XP SP2 RC1 or RC2? I have been using a port
> > scanner that relies on the SOCK_RAW interface and it seems
> > to no longer function. Any information on this would help.

> sounds like good news to me

Indeed Keith.

Sean ...

Microsoft is removing the ability to generate TCP traffic through
the raw socket interface. This is *exactly* what I made such a
stink about the summer before XP was released, begging them never
to put it in there in the first place.

But the "Blaster" (MS Blast) worm used XP's raw sockets to launch
a serious attack against Microsoft, and a great many others have
been seriously hurt by this. So SP2 will be neutering this
facility from XP. You'll still be able to download the free
and excellent WinPcap library to return raw packet generation
capability to selective Window machines where needed ...
which is a perfectly reasonable compromise.

--
__________________________________________________ _______________
Steve Gibson... dealing with a gazillion post SR6 release things!

[for the unabridged version, see Sean's post above]

> Can anyone confirm if the SOCK_RAW api is still avaliable in
> Windows XP SP2 RC1 or RC2? I have been using a port scanner
> that relies on the SOCK_RAW interface and it seems to no
> longer function. Any information on this would help.

Right. Microsoft's David Powell posted a reply in the private SP2
Networking newsgroup earlier today explaining that Microsoft had
surveyed applications that were using Raw Sockets under XP and
determined that they were causing much more trouble (being used
for malicious purposes) than for good. So SP2 removes XP's
ability to generate raw TCP packets.

--
__________________________________________________ _______________
Steve Gibson.

Hmmm.. funny, since most PortScanning tools use SOCK_RAW, one of which is
even recommended by Microsoft:
http://www.microsoft.com/serviceprov...rity/tools.asp (See last
item)
And last I heard, a PortScanning tool isn't malicious, it's the user that
wields it that is malicious (just like in American gun law...)

Oh well, I know the writer of Nmap is looking for a solution and no doubt
the virus/worm writers will find one quickly...
Afterall Win95 doesn't have SOCK_RAW and you can do most things on that.
And of course in MS's finest tradition, plugging one "hole" will no doubt
reveal others....
http://www.crn.com/sections/breaking...cleId=23905071

Just my 2c rant.

Later'ish
Craig



"Steve Gibson" <support@grc.com> wrote in message
news:MPG.1b453c1c7568218b989680@news.microsoft.com ...

> [for the unabridged version, see Sean's post above]
>

> > Can anyone confirm if the SOCK_RAW api is still avaliable in
> > Windows XP SP2 RC1 or RC2? I have been using a port scanner
> > that relies on the SOCK_RAW interface and it seems to no
> > longer function. Any information on this would help.

>
> Right. Microsoft's David Powell posted a reply in the private SP2
> Networking newsgroup earlier today explaining that Microsoft had
> surveyed applications that were using Raw Sockets under XP and
> determined that they were causing much more trouble (being used
> for malicious purposes) than for good. So SP2 removes XP's
> ability to generate raw TCP packets.
>
> --
> __________________________________________________ _______________
> Steve Gibson.