Today, I decided to install Windows 2000 Advanced Server onto my Dell Latitude D610. The laptop itself is a workhorse, if a bit dated. Mostly, I was just curious what would happen if I left it out on the Internet without any service packs or firewall rules* and I live-tweeted it as I did my research.
Here's my Twitter thread with just a few additional notes added. The pcap and IDS alerts are at the end:
What happens when I put this on the Internet? pic.twitter.com/d19rvRnitG— ax0n (@ax0n) February 6, 2018
Okay, so... nmap is like DisGunBeGud.gif https://t.co/ZC0Kek8CTQ— ax0n (@ax0n) February 6, 2018
Span port fired up. @Snort on a @Raspberry_Pi 3 is watching intently.
About to drop this sucker into my DMZ.
Cannon fodder mode: Activate pic.twitter.com/3ftrVcOOeA— ax0n (@ax0n) February 6, 2018
So far, the Mirai telnet noise is the most prevalent junk, but I just took my Cowrie honeypot offline for this experiment. Snort with @EmergingThreats ETOpen rules is seeing RDP DoS and SipVicious, and nothing else since the cut-over. Bots are dumb. 30 minutes without being pwnd. pic.twitter.com/tmCyDMWY3Z— ax0n (@ax0n) February 6, 2018
There's basically nothing going on in the logs except for mass hysteria when I corrected the system clock. pic.twitter.com/lfVmdSU2VQ— ax0n (@ax0n) February 7, 2018
RDP login attempts (and counts) so far:
181.214.87.7 (5)
51.15.184.118 (7)
74.63.221.148 (8)
5.101.40.60 (12)
— ax0n (@ax0n) February 7, 2018
Alright, so my ISP is giving me some firewall rules of their own, probably to stop the spread of EternalBlue exploit bots and WannaCry ransomware. Honestly, I appreciate it, but it's not helping me get pwned. 77.72.82.x is smurfing its recon or something. Low and slow. pic.twitter.com/2fFZUfCIwG— ax0n (@ax0n) February 7, 2018
Here's a big part of the... problem? Apparently ATT UVerse is filtering in-bound connections on SMB/CIFS. https://t.co/QZGJLKfikJ (note: this is a good thing, unless you're *trying* to get pwned) There's still plenty of attack surface.— ax0n (@ax0n) February 7, 2018
[BRUTEFORCE INTENSIFIES] pic.twitter.com/xTOCNNMZiH— ax0n (@ax0n) February 7, 2018
Now let's see who guesses my six-character (4 lowercase alpha, 2 digit) Administrator password.— ax0n (@ax0n) February 7, 2018
The VNC scanners have come out to play. I'm not running VNC server though. pic.twitter.com/aPQSdHQGiF— ax0n (@ax0n) February 7, 2018
Alright kids, we're about 5 hours in without getting pwned (as far as I can tell). Here's the final count of source-IP/destination port tuples for inbound TCP connection attempts where count > 3. pic.twitter.com/eVF4BxCGGN— ax0n (@ax0n) February 7, 2018
I'm gonna wrap this thread up, link to these tweets in a blog post on @H_i_R tonight or tomorrow, and link to sanitized pcap and snort alert log files. Thanks for watching!— ax0n (@ax0n) February 7, 2018
With that, here are the links to those:
Sanitized pcap (gzip): http://stuff.h-i-r.net/win2k.pcap.gz
Sanitized IDS log: http://stuff.h-i-r.net/win2k-ids-alerts.txt
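The "source IP / destination port tuples where count > 3" summary tweeted above, and the per-source RDP attempt counts before it, are the kind of tally you can script against the published pcap. What follows is an added example, not code from the original post: a dependency-free Python reader for classic libpcap files (Ethernet link type) that counts inbound TCP SYNs (SYN set, ACK clear) addressed to the target per (source IP, destination port) and keeps tuples seen more than three times. The target address, the two "scanner" addresses and the in-memory capture are constructed test data from the RFC 5737 documentation ranges, not addresses from the author's capture.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10

# Constructed address (RFC 5737 documentation range), not the author's laptop.
TARGET = "203.0.113.5"


def build_frame(src_ip, dst_ip, sport, dport, flags=TCP_SYN):
    """Ethernet/IPv4/TCP frame with no payload. Checksums are left zero;
    the parser below does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # MACs, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, flags, 8192, 0, 0)             # 20-byte header, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1517958000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src_ip, dst_ip, sport, dport, tcp_flags) for every IPv4/TCP
    packet in a classic pcap (either byte order, Ethernet link type)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "IHHiIII", pcap, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _ts, _us, incl_len, _orig = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 (e.g. ARP)
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 14:  # not TCP / truncated
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               sport, dport, tcp[13])


def connection_attempts(pcap, target_ip, threshold=3):
    """Count inbound connection attempts (pure SYN, no ACK) to target_ip per
    (source IP, destination port) and keep tuples seen more than threshold
    times. SYN/ACK replies and later ACKs of the handshake are not counted."""
    counts = Counter()
    for src, dst, _sport, dport, flags in iter_tcp(pcap):
        if dst == target_ip and flags & TCP_SYN and not flags & TCP_ACK:
            counts[(src, dport)] += 1
    return {k: v for k, v in counts.items() if v > threshold}


# Constructed traffic: two "scanners" hitting RDP, VNC and SMB ports, plus one
# SYN/ACK reply, one bare ACK and one ARP frame that must all be ignored.
frames = [build_frame("192.0.2.10", TARGET, 40000 + i, 3389) for i in range(5)]
frames += [build_frame("198.51.100.7", TARGET, 50000 + i, 3389) for i in range(2)]
frames += [build_frame("192.0.2.10", TARGET, 41000 + i, 5900) for i in range(4)]
frames += [build_frame("198.51.100.7", TARGET, 52000 + i, 445) for i in range(3)]
frames.append(build_frame(TARGET, "192.0.2.10", 3389, 40000, TCP_SYN | TCP_ACK))
frames.append(build_frame("192.0.2.10", TARGET, 40000, 3389, TCP_ACK))
frames.append(b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28)
SAMPLE_PCAP = build_pcap(frames)

if __name__ == "__main__":
    for (src, dport), n in sorted(connection_attempts(SAMPLE_PCAP, TARGET).items(),
                                  key=lambda kv: -kv[1]):
        print(f"{src:<16} -> tcp/{dport:<5} {n}")
```

To run it against the real capture, gunzip win2k.pcap.gz and call `connection_attempts(open("win2k.pcap", "rb").read(), "<laptop address>")` with whatever address the sanitized file uses for the laptop; this assumes the file is classic pcap rather than pcapng, which the reader deliberately rejects instead of misparsing. Counting only pure SYNs is what makes the tally a count of attempts rather than of packets: a single completed RDP session would otherwise inflate its source by every ACK it carried.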