Raw sockets?
The easy world: you want to send an ICMP or UDP packet? Want to create
a TCP data stream? No problem: ask the operating system to do it.
You get back a handle, send your data, voila. That's it. No hassle
with building the needed protocol headers, computing checksums and
all the other chores. Your OS does it. That's its job.
But sometimes you need to take over this process yourself. So almost every
OS offers a 'low level' alternative: raw sockets. At this level the application
must do all the things noted above itself; the OS just passes the data through.
Some people consider this a security hole, because it makes it
possible to 'fake data'. For example you could send out packets with
a different source IP address (think of a snail mail letter: write
a fake return address on the envelope) or send special types of packets
(search for 'SYN flood' in Google).
Basically 'raw sockets' are needed for a lot of things: imagine
you want to write 'low level net applications' like network bridges,
traffic monitors or network sniffers (to detect evil traffic on your
net). It would be a lot harder to do without raw sockets. So raw sockets
are available on almost every operating system. Not only Windows...
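As an added example (not code from the original page or from 3d Traceroute), here is what "doing it yourself" means for a traffic monitor or sniffer reading from a raw socket: the OS hands over bare bytes, so the application has to check the IPv4 header and its RFC 1071 checksum on its own before trusting a single field. The packet bytes are constructed for this example; inet_checksum and parse_ipv4 are assumed names, not any library's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 one's-complement Internet checksum over len bytes. */
uint16_t inet_checksum(const uint8_t *d, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; d += 2, len -= 2) sum += (uint32_t)(d[0] << 8 | d[1]);
    if (len) sum += (uint32_t)d[0] << 8;                   /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);  /* fold carries back in */
    return (uint16_t)~sum;
}
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
struct ipv4_summary { size_t header_len; uint8_t protocol; uint32_t src, dst; };
/* Validate an IPv4 header the way a raw-socket monitor must, since the OS does none
 * of it. Returns 1 and fills *out, or 0 for malformed, truncated or corrupted input. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_summary *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;          /* too short / not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len) return 0;
    if (inet_checksum(pkt, ihl) != 0) return 0;            /* a correct header sums to 0 */
    out->header_len = ihl;
    out->protocol = pkt[9];                                /* 1 = ICMP, 6 = TCP, 17 = UDP */
    out->src = be32(pkt + 12);                             /* host byte order */
    out->dst = be32(pkt + 16);
    return 1;
}
/* Constructed sample: IPv4 header 192.168.1.10 -> 192.168.1.1, TTL 64, protocol UDP,
 * total length 28, checksum 0xb774, followed by an 8-byte UDP header (port 53 -> 1024). */
const uint8_t sample_ipv4_udp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x11, 0xb7, 0x74,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x01,
    0x00, 0x35, 0x04, 0x00, 0x00, 0x08, 0x00, 0x00 };
/* Protocol number of the sample if its header verifies, -1 otherwise. */
int sample_protocol(void) {
    struct ipv4_summary s = {0};
    return parse_ipv4(sample_ipv4_udp, sizeof sample_ipv4_udp, &s) ? s.protocol : -1;
}
/* Flip one TTL bit in a copy: the checksum no longer matches, so it must be rejected. */
int corrupted_is_rejected(void) {
    uint8_t copy[sizeof sample_ipv4_udp];
    struct ipv4_summary s = {0};
    memcpy(copy, sample_ipv4_udp, sizeof copy);
    copy[8] ^= 0x01;
    return parse_ipv4(copy, sizeof copy, &s) == 0;
}
```

The same checksum routine is what a sender has to run over its own freshly built header before handing it to a raw socket, which is the "checksum stuff" the normal socket API hides.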
Raw sockets!
So there are some limitations on their use: you have to be a member of
the Admin group (this only applies to Windows NT, 2000 and XP Pro),
your Admin has to grant access to raw sockets for all users (this
only applies to Windows NT, 2000 and XP Pro), or you use Windows XP
Home (where you are always Admin).
Your local firewall might also prevent the use of raw sockets.
Windows XP SP2 - 2004-08-18
Microsoft released Service Pack 2 for Windows XP. With a size of about 300
MB it looks like they changed almost everything.
Currently (2004-08-18) Microsoft has identified about 223 applications
that do not work with XP SP2. Some of these applications are from
Microsoft.
http://support.microsoft.com/default.aspx?kbid=884130
There is additional information about applications that stop working after
installing XP SP2, and some guides on how to make them work again.
http://support.microsoft.com/default.aspx?kbid=842242
Some problems seem to be firewall related.
http://support.microsoft.com/default.aspx?kbid=875357
No more raw sockets
Microsoft has decided to remove the raw sockets option with XP SP2.
3d Traceroute needs raw sockets to do UDP and TCP traces.
Identify the problem: Windows XP SP2
From a security viewpoint, removing raw sockets is a silly step.
Why?
Almost all operating systems support raw sockets. Even Windows does.
They are in Windows 98 (sort of...), ME (sort of...), 2000, XP without
service pack and XP SP1. They exist in most Unix variants including Linux.
Of course also in Knoppix (which needs only a CD and some patience to have a
running Linux and install your l33t hacker scripts!)
Most operating systems only give access to raw sockets to administrators/root,
or administrators/root must explicitly grant raw sockets to users.
The problem: Windows XP Home users are always logged in as administrators,
so they always have raw sockets.
As we can see now: Microsoft made a design error in Windows XP Home.
It is dumb to let a user (in the case of 'XP Home' a potentially inexperienced
user) work in 'god mode'.
Microsoft should have added a minimal user management. It could work in such a
way that the user normally works as a 'normal' user and can switch to admin mode
for the needed maintenance (install, remove etc.). This would greatly improve
security: no malware could install itself while surfing or reading mail this
way (provided it is done properly; Windows XP Pro shows that Microsoft can
do it!).
Instead of this step, Microsoft decided to remove some parts.
Another step Microsoft should take would be to reduce the risk of
getting a malware infection. Their Malware Installation Kit (aka Internet
Explorer and Outlook Express) has several bugs, all known to Microsoft
and still unfixed. Week by week we see new bug reports; some months
later we see a fix for them. Or not. Perhaps working. Or not. Who
knows.
http://www.promozilla.org/pivx-unpatched-2003-09-11.html
(The original list does not exist any more.)
What will be the future?
For malware? No problem for it. There are a lot of operating systems
that allow raw sockets, and most malware does not need raw sockets anyway.
And for 3d Traceroute?
There are currently two solutions for XP SP2:
- the "net stop SharedAccess" trick
  it deactivates the internal firewall of Windows XP SP2 and allows raw sockets again
- use PCAP
  PCAP is a 'universal driver' that bypasses the whole socket stack and grants
  access to the network interface directly
  http://www.winpcap.org/
So what do we have in the end?
A lot of difficulties for developers, users and hotlines.
The need to install a new version.
And malware that simply adapts.
Conclusion
Silly step, Microsoft.