I've just seen a VNC session on a machine running some PLC software (I've flagged it). There could be god knows what running open VNC sessions in here, and it feels unethical to expose this in an easy-to-exploit way without making a best-efforts attempt to contact the operator.
I've seen a few VNC desktops that now have Paint open (or similar) with messages informing people that they have an open VNC server, but altruism is unlikely to be the norm.
It's a cool idea and it's really well done, but I do wish it was anonymised - no display of the host or port the VNC server is running on, just the screen. (I realise this might be useless in some cases where the screenshot lists the server's FQDN.)
Not really. The site operator has done nothing that has not already been done before, and it's little more than a basic nmap scan for services (which anyone can do).
It might be considered unethical that a PLC system is using VNC with no password.
There's also an awful lot of CirrOS systems in there, which tell you the default username and password, alongside a kind note saying the default user has full sudo privileges and you can just sudo into full root. The particularly bad thing about CirrOS is they are almost all running on OpenStack and other cloud providers, whom should know better.
> The site operator has done nothing that has not already been done before, and it's little more than a basic nmap scan for services (which anyone can do).
I realise this. Which is why I carefully phrased the objection as "easy-to-exploit". You and I may think the phrase "basic nmap scan" is simple, but it opens the door to lots of people who don't know what that sentence means but can easily click a link in their browser and be directly connected to an exploitable host (I don't like the phrase 'script kiddie' but I think that conveys what I mean).
> It might be considered unethical that a PLC system is using VNC with no password.
It might. It might also be more properly called incompetence. But that's orthogonal to providing an easy way to exploit such a system and not notifying the operator, which I feel is "more unethical" if such a concept exists.
There are ways to do this if the intent was to highlight how many people run open VNC server (as I'm guessing is implied by calling the site Srsly?)
1) Don't publish the server's hostname and port.
2) Attempt to notify the operator.
3) Publish screenshots only.
By publishing the connection details, this turned something that could have been interesting and done some public good into something that I feel is dangerous and fairly exploitative.
Shodan has existed for years and does practically the same thing (enumerates services, etc), but to a far greater extent.
This year at Defcon there was a great talk about masscan and scanning the entire internet (they enumerated a lot of open VNC's right onstage during the talk).
> Attempt to notify the operator.
How? If it's just some IP address, there's little you can do other than login and leave a text file open telling them they have an open VNC (that would surely get my attention).
The argument that a site like this should not exist because someone may exploit it just doesn't hold up. It's like saying we shouldn't post the IP addresses online of open mail relays, or open dns resolvers... which we (the "white-hat" community) did not... until it was discovered they were already posted online. Someone will do it...
If a vendor is so incompetent as-to put an important PLC on the internet, let alone with a completely open VNC, that vendor should be shamed. If we build a list like this site has done, perhaps we can strongly encourage folks to not do this anymore.
Heck, I'd love a search feature to be implemented on the site so I can double check I have no open VNC's on any of my IP's...
> Not really. The site operator has done nothing that has not already been done before, and it's little more than a basic nmap scan for services (which anyone can do).
Merely because something is easy, or common, does not make it ethical. In fact, I think those factors should be entirety unrelated to ethics.
Theft has been done before. Theft is easy to do. Therefore, it's ethical to steal. This seems to be the logic you're following... Correct me if I'm wrong?
Because it is unethical. Giving this ability to 100,000s of people (even for the short time before this site is taken down) is the wrong way to highlight the faults in VNC.
E.g. We should tell people that guns are dangerous, but we shouldn't highlight this by giving guns to children -- someone is going to get to hurt.
IANAL but connecting to any of these VNC's listened here is probably a felony .
At least in the netherlands it probably is. Eventhough these are open to the public, the intention was probably to be private. Deliberately connecting to something that has the mere intention to be private is a felony here. [0]
You are probably right, at least in some jurisdictions. If in doubt, just use the web VNC client (click on the screenshot).
The web client uses our machine to proxy the websocket connection the client uses to the VNC server and we don't collect user data, especially not who used the VNC client to connect to which server.
A SSL certificate that doesn't help people get used to ignoring certificate errors can be had for free from StartSSL or for less than ten euros from a company that has a UI that won't make you want to cry.
We actually tried a StartSSL certificate, but got OCSP errors with (at least) Firefox. We'll retry the certificate in the (very) near future, maybe it just takes a while for the OCSP information to trickle through after creating a cert.
If I remember correctly, with StartSSL you have to wait for up to 24 hours before the OCSP servers are updated. I ran into the same issue with my last certificate from them, just have some patience :)
You shouldn't walk down a public street at night checking for unlocked doors. And after finding one, you certainly should not open the door and walk in and then tell all of your friends where the unlocked door is. You are probably breaking various laws.
I don't see how this is any different. It's virtual (not physical) but that's about it. Unless you are a professional security technologist (with lawyers and contracts) and are being paid to do scans and pentests such as this, you're risking a lot by probing and then connecting to these sites.
Is the database available somewhere? I can imagine that some providers want to scan for their ranges to inform their users. The following is time-consuming:
$ while true; do curl -sk https://srsly.de | html2text | awk '/Address/ {print $2}' | tee -a vnsservers; done
$ sort -u vncservers | wc -l
3128
Minimally, require a password. This password would be separate from your Windows/Linux/OSX account password.
You could also use a non-standard port or configure some sort of port knocking system, or just close the VNC port to the outside world and allow connections over VPN or SSH tunnels only.
Holy cow, the one I got was even nice enough to include the default username and password before the login prompt. I didn't test to see if it'd work :-p.
Edit: I've also seen several now with the root prompt already open. Now I know how so many botnets are formed.
No, he probably got one of the many CirrOS boxes, which tell you the username and password, alongside a kind note that the default user has full sudo privileges.
We're using zmap to basically scan 0.0.0.0/0 on ports ranging from 5900 to 5910.
Adresses that have at least one of these open then get passed to a Python script that attempts to connect to those machines and take a screenshot.
The web frontend is built using Go httpd by the way.
Edit: We are able to do this because we're at the 31c3 with an enormeously fast internet connection. The machine this is running on has a 1Gbps connection to the internet.
Are you using the old RealVNC bug that allows the password to be bypassed by ignoring what authentication methods the server advertises and using "none", or only hitting stuff that actually says it supports connecting without a password?
The latter. We didn't know about that bug until now, but we'll probably keep it this way so connections work with any VNC client people might have lying around.
I thought you could possibly be exploiting the bug unintentionally - a hacked together client that just attempts to connect with null auth would do it. Not sure how common that vuln is.
Hmm, surely a lot of windows machines on there. Why would one put VNC on there? It's not exactly the best remote screen tool out there (had to use it often in the past unfotunately), or did I miss something? Just because it can be passwordless? Or because they don't know about RDP maybe?
my entire office uses vnc, reason is helpdesk sometimes needs to see what you're doing in order to help you. But you most definitely have to be on the network and we have a password, albeit very weak.
both Firefox and Chrome don't like the certificate if you hadn't already heard that, but otherwise this is a funny and good idea, and I'm having some fun tooling around wondering why these connections went unsecured and how many more are out there (lots and lots) that aren't listed yet
Because VNC is a major clustfucker of bad ideas? Almost every VNC installer I've used has made passwords optional. Who makes these brain dead decisions? Its bad enough that it cannot, typically, integrate with the built-in OS authentication, but the "roll your own" mentality from devs is especially off-putting. Application devs shouldn't be writing authentication mechanisms. They should be tying to the OS's auth using the proper libraries.
If you must run VNC for legacy reasons, please run it in an SSH tunnel without an open port to the world.
With things like RDP, NX/nomachine, xwindows forwarding in an ssh tunnel, etc, there's really no excuse to keep using it. For all the shit Windows gets, at least it doesn't allowed password-free RDP connections. I think the world of cheap Linux VPS have opened up a pandora's box of bad security practices. There's no shortage of forums out there that tell the uninitiated to "just apt-get" VNC and be done with it. Running ssh tunneled nomachine is just as easy to configure, has better performance, and loads better security.
Also this looks like an applet that runs a js vnc client locally and connects you directly various open VNC servers. Its your IP address in those logs and depending on your jurisdiction or policies, may get you in trouble just for visiting the site. Took me a second to realize this. May want a warning here for those at work.
It's a self-signed certificate, so I'm pretty sure the person who runs this is well aware that it will produce in a warning in Firefox, Chrome, and about every other browser out there. ;)