Re: Hardening TCP/IP Stack; conflicting sources
From: Jean-Baptiste Marchand (Jean-Baptiste.Marchand_at_hsc.fr)
Date: 03/22/04
- Previous message: Jean-Baptiste Marchand: "Re: Hardening TCP/IP Stack; conflicting sources"
- In reply to: captmeoff_at_yahoo.com: "Hardening TCP/IP Stack; conflicting sources"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Mar 2004 22:58:01 +0100
To: focus-ms@securityfocus.com
[ Moderator: this message supersedes the one I've just sent to the list.
Thanks! ]
* captmeoff@yahoo.com <captmeoff@yahoo.com> [21/03/04 - 11:47]:
> HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand
is correct, as said by other posters (the NoNameReleaseOnDemand registry
value refers to NetBIOS names, handled by the NetBIOS over TCP/IP
(NetBT) driver).
> HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableFragmentChecking
Does not seem to be valid, see below.
> HKLM\SYSTEM\CurrentControlSet\Services\IPFilterDriver\Parameters\EnableFragmentChecking
Does not seem to be valid any more on Windows 2000.
More generally, there are at least two methods to determine which
registry values are read by a system component such as a driver or a
service:
- start the driver or service manually using the net start command and
watch with regmon (http://www.sysinternals.com/) which registry keys
and values are read at startup.
Of course, you might need to stop the driver or service before
attempting to start it. This is what I've just used with the Windows
2000 IPv4 filtering driver:
C:\>net stop ipfilterdriver
-> start regmon
C:\>net start ipfilterdriver
-> watch in the regmon output which registry values are read (typically
under the Parameters\ key of the driver or service configuration, i.e.
HKLM\SYSTEM\CCS\Services\service_or_driver_name\Parameters\).
For instance, the W2K ipfilter driver seems to read the following
registry keys:
- FragmentLifetime
- FragmentCacheSize
- AddressHashSize
- FragmentThreshold
With services or drivers that can not be started manually (because they
are typically automatically started early in the boot process), such as
the tcpip driver, you can use the Log Boot feature of regmon (Edit ->
Log Boot).
When enabled, all registry accesses occurring during system startup will
be logged in a regmon.log file under the system directory.
You can then grep for the registry keys and parameters that are read by
a given driver.
By the way, this is a good way to discover undocumented registry values.
Sometimes you'll need to create the Parameters\ subkey if it does not
exist; otherwise, the driver or service won't try to read values under
the Parameters\ key at all:
http://www.hsc.fr/ressources/presentations/sambaxp2003/slide35.html
- use a strings command (Sysinternals has one that understands Unicode)
to extract strings from binaries, for instance:
C:\>strings %systemroot%\system32\drivers\tcpip.sys
For instance:
C:\>strings %systemroot%\system32\drivers\ipfltdrv.sys
will show the 4 registry values mentioned above.
C:\>strings %systemroot%\system32\drivers\tcpip.sys | find "Frag"
does not return any line, whereas
C:\>strings %systemroot%\system32\drivers\tcpip.sys | find "Enable"
returns the following registry values:
EnableTrafficControl
EnableTOSsetting
EnableDHCP
IpEnableRouter
EnableAddrMaskReply
EnableDeadGWDetect
EnablePMTUDiscovery
EnableICMPRedirects
EnableFastRouteLookup
EnableBcastArpReply
EnablePMTUBHDetect
EnablePMTUDiscovery
EnableDeadGWDetect
EnableSecurityFilters
So, the EnableFragmentChecking registry value does not seem to be
applicable to either the tcpip or ipfilterdriver driver...
Jean-Baptiste Marchand
-- Jean-Baptiste.Marchand@hsc.fr HSC - http://www.hsc.fr/
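As an added example (not part of the message above nor a Sysinternals tool), a small Python re-implementation of the check described in the post: a strings scanner that handles both 8-bit and UTF-16LE text, filtered like `strings driver.sys | find "Enable"`. The byte blob below is constructed to stand in for a driver's read-only data; it shows why a Unicode-aware strings is needed, since Windows drivers store registry value names as UTF-16LE and an 8-bit-only scan would miss them.

```python
import re
import sys
from pathlib import Path
from typing import List

# Constructed sample standing in for part of a driver's .rdata section.
# Registry value names are stored as UTF-16LE (UNICODE_STRING), so each
# printable character is followed by a 0x00 byte; a couple of junk bytes
# and one 8-bit string are mixed in, and one name appears twice, as the
# tcpip.sys output in the post shows.
SAMPLE = (
    b"\x00\x12\xff"
    + "EnablePMTUDiscovery".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90\xcc"
    + "EnableDeadGWDetect".encode("utf-16-le") + b"\x00\x00"
    + b"ipfltdrv.sys\x00\x00"                       # an 8-bit string
    + "FragmentCacheSize".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + "EnablePMTUDiscovery".encode("utf-16-le") + b"\x00\x00"
)


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable 8-bit characters, what a classic strings(1) reports."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable UTF-16LE characters (char byte followed by 0x00)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def registry_values(data: bytes, substring: str) -> List[str]:
    """Equivalent of `strings file | find "substring"`: every 8-bit or UTF-16LE
    string containing the substring, deduplicated, in order of first occurrence."""
    found: List[str] = []
    for s in ascii_strings(data) + unicode_strings(data):
        if substring in s and s not in found:
            found.append(s)
    return found


if __name__ == "__main__":
    # Usage: python strings_check.py <driver.sys> [substring]   (name is hypothetical)
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    needle = sys.argv[2] if len(sys.argv) > 2 else "Enable"
    for name in registry_values(blob, needle):
        print(name)
```

Run against a real driver image, the absence of a name in the output is the same evidence the post relies on: a value the driver never names in its binary is a value it cannot be reading by that name.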