Nmap and XP SP2; Phishin' Phrenzy Continues

If you're one of the countless network administrators who use the hugely popular Network Mapper (Nmap) network exploration and auditing tool, then you might already know that it doesn't work on Windows XP Service Pack 2 (SP2). The reason is that in SP2, Microsoft changed the way raw sockets (which are used by Nmap) operate. According to a message posted by Nmap author, Fyodor, on his Insecure.org Web site, someone from Microsoft stated that Microsoft changed raw socket operation because "the only apps using [raw sockets] on XP were people writing attack tools."

http://seclists.org/lists/nmap-hackers/2004/Jul-Sep/0002.html

Michael Howard, security program manager on the XP team, posted an interesting entry ("A little more info on raw sockets and Windows XP SP2," at the first URL below) to his blog that excerpts a portion of the Microsoft document "Changes to Functionality in Microsoft Windows XP SP2." The Microsoft document (at the second URL below) points out that "The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

" - TCP data cannot be sent over raw sockets, UDP datagrams with invalid source addresses cannot be sent over raw sockets.

- The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped."

http://blogs.msdn.com/michael_howard/archive/2004/08/12/213611.aspx

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx

Fyodor is looking for a way around the problem, and a solution might have already been found by the time you read this newsletter. If you recall, Windows 95 doesn't support raw sockets either and Nmap runs on that platform, so there's a good chance that a workaround is possible for XP SP2.

You can read more about or download Nmap at the Insecure.org Web site (at the first URL below). A Microsoft Security Tools Web page links directly to Nmap (at the second URL below).

http://www.insecure.org/nmap/index.html

http://www.microsoft.com/serviceproviders/security/tools.asp

On another note, have you had enough phishing yet? The Anti-Phishing Working Group has recently released a report that offers insight into phishing attacks and trends, and apparently the piranha are still swarming.

According to the report, 1422 unique phishing scam attempts were reported in June. Citibank was the most targeted company, experiencing some 492 scams against its customers. The next three most-targeted companies were eBay, U.S. Bank, and PayPal. In May, the number of unique scam attempts was 1107; in April, the number was 475; and in those two months, the same four companies' customers were the most targeted. One reason might be that those companies are very popular.

If you're interested in more detail about trends in phishing, including which industry sectors are attacked most, the life span of spoofed sites, and more, then you can download a copy of the latest report in PDF format from the Anti-Phishing Working Group's Web site.

http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf