Windows Operating Systems and nmap



Although Windows-based operating systems run on the majority of computers throughout the world, the inner workings of Windows have become something of an irritation for developers of network-related software. Microsoft's implementation of the TCP/IP stack is somewhat idiosyncratic, and the additional operational restrictions introduced with Windows XP Service Pack 2 have created ongoing challenges for the developers of these network tools.


Many of the most recent issues stem from Microsoft's implementation of raw sockets. Raw sockets are an operating system interface that allows a developer to bypass the kernel's normal TCP/IP processing. This means that programmers can build customized (or raw) TCP/IP frames themselves, functionality that is critical for security programs. Many of nmap's functions make extensive use of these raw sockets.

With the release of Windows XP Service Pack 2 (SP2), Microsoft removed the ability to create TCP frames through the raw sockets Application Programming Interface (API). SP2 also prevents sending UDP packets with spoofed source IP addresses. To work around these SP2 raw socket restrictions, nmap was modified to create raw Ethernet frames instead of raw TCP/IP frames. This fix allows most nmap options to work properly, although nmap's raw socket functions can now only create frames on Ethernet networks.
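The practical consequence of building frames below the stack is that nothing fills in the headers for you. The following added example (not code from nmap or from this tutorial) assembles an Ethernet + IPv4 + TCP frame in memory and computes the IP header checksum and the TCP pseudo-header checksum that the kernel would otherwise supply, then verifies them the way a receiving stack does; MAC addresses, IP addresses and ports are constructed sample values, and nothing is transmitted.

```python
import socket   # used only for inet_aton; no packets are sent
import struct

# Constructed sample values (not from the page); IPs are from the RFC 5737 documentation range
SRC_MAC = bytes.fromhex("02000000aa01")
DST_MAC = bytes.fromhex("02000000bb02")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                     # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    # version 4 / IHL 5, TOS, total length, id, DF flag, TTL 64, protocol, checksum=0, addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_tcp_header(src: str, dst: str, sport: int, dport: int, seq: int, flags: int) -> bytes:
    # ports, seq, ack, data offset 5 (no options), flags, window 1024, checksum=0, urgent 0
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    # the TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", internet_checksum(pseudo + hdr)) + hdr[18:]


def build_ethernet_frame(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Ethernet II header (dst, src, EtherType 0x0800) followed by the IPv4 and TCP headers."""
    tcp = build_tcp_header(SRC_IP, DST_IP, sport, dport, seq, flags)
    ip = build_ipv4_header(SRC_IP, DST_IP, len(tcp))
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + tcp


def checksums_valid(frame: bytes) -> bool:
    """Receiver-side check: summing a header together with its checksum field must give zero."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return internet_checksum(ip) == 0 and internet_checksum(pseudo + tcp) == 0
```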

Microsoft also made another TCP/IP stack change in Windows XP SP2 that limits the number of simultaneous outbound TCP connections. This has a chilling effect on nmap's TCP connect() scan (-sT), since this scan normally opens many TCP connections at once. There is at least one non-Microsoft patch that removes this limitation, but the use of that patch is outside the scope of this tutorial. The nmap-hackers mailing list archive has more information on Microsoft's changes and some of the workarounds:

http://seclists.org/lists/nmap-hackers/2004/Jul-Sep/0003.html


These stack changes were also part of Microsoft patch MS05-019, which relates to Microsoft Knowledgebase article KB893066, "Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service." Even a Windows XP system that has not installed Service Pack 2 but has applied the normal security updates may exhibit these raw socket problems because of MS05-019. These stack revisions may well change again without notice, so it is highly recommended to stay tuned to the nmap-hackers mailing list.

Creating powerful security tools for Windows-based systems will remain an ongoing challenge, but the nmap developers appear to have worked through many of the current issues. Past experience suggests that Windows-based operating systems may not be the best choice for applications such as nmap. Other operating systems have significant advantages over Windows-based environments when unfettered network access is required for the most efficient network scanning.