XPSP2 Closes Off Nmap

12 August 2004 20:45 UTC
A simple command line and it's 'game over'?

In a post to his own forum entitled 'Nmap Hackers: Windows XP SP2 incompatible with Nmap' Nmap author Fyodor discloses that Windows XP Service Pack 2 seems to have broken his ubiquitous port scanner - deliberately.

'This is just a heads-up that most Nmap functionality will not work on the just-released Microsoft Windows SP2. Why? Microsoft apparently broke it on purpose! When an Nmap user asked MS why security tools such as Nmap broke, MS responded:

'We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools.'

Which admittedly puzzles Fyodor:

'I don't know why they consider Nmap an attack tool, particularly when they recommend it on some of their own pages (as a security tool)'.

Nmap does work on Win9x, so transitioning it to a new model shouldn't be all that difficult. Still, Fyodor rightly does not prioritise Windows compatibility - few security experts would run the platform anyway.

Robin Keir has written to Fyodor to inform him that the issue is both better and worse than reported.

In contrast to what Microsoft themselves have reported, Robin has found that raw sockets have not been removed from Windows XP - only from the crafting of TCP packets. UDP packets for ICMP requests can still use raw sockets.

Even TCP packets can use raw sockets, says Robin: all you have to do is turn off the Internet Connection Firewall - which is a simple command line accessible from anywhere.

Asks Robin rhetorically: 'What do you think's the first thing hackers are going to do when they gain access to a XPSP2 machine?'

See Also
High Hopes
Service Pack 3
Windows XP Service Pack 2