Comments for Dan Kaminsky's Blog

Comment on RDP and the Critical Server Attack Surface by Chris Kubecka

Chris Kubecka — Fri, 30 Mar 2012 04:36:07 +0000

What we have been advising is to apply the patch to all at risk assets, review the status of all at risk assets (are they patched, do they have AV, are they being pen and/or vulnerability tested, are there other issues like out of date backup software, etc….), minimize the attack surface, apply a second layer of security controls and monitor the logs and access of any at risk systems.
Do you have any additional guidance?

Comment on RDP and the Critical Server Attack Surface by Chris Kubecka

Chris Kubecka — Fri, 30 Mar 2012 04:29:53 +0000

Very nice passive technique to scan especially if you are in a country which might consider scanning IP ranges (ore any IP) “hacking”.

Comment on White Hat Hacker Flowchart by Touz

Touz — Fri, 23 Mar 2012 10:01:01 +0000

Hilariously painfully true! Can’t believe I missed this when it was posted. Too many cool shiny article objects on your site! BTW: Sometimes my “Ruh Roh” has occurred in the midst of “Sending Unusual Traffic”. Going up on my office wall. thanks!

Comment on RDP and the Critical Server Attack Surface by Dan Kaminsky

Dan Kaminsky — Mon, 19 Mar 2012 08:42:13 +0000

It’s a base of 5M or so. I wouldn’t be surprised if there’s a hundred thousand RDP listeners on 443, not to mention TSG, but I’d be surprised if there were another 1-2M.

My data isn’t showing how vulnerable RDP, just that it’s exposed. Specifically it doesn’t show what is and isn’t patched.

Comment on RDP and the Critical Server Attack Surface by A.K

A.K — Mon, 19 Mar 2012 08:31:36 +0000

So true of Joe Gatt’s reply. There is another point on using PAT on external firewalls later then translate to respective 3389/tcp hosts. While Dan’s research gave us brief overview on how vulnerable RDP on internet, we still have to know there are always more underlying issues.

Comment on RDP and the Critical Server Attack Surface by anon y mouse

anon y mouse — Mon, 19 Mar 2012 06:11:28 +0000

Note there’s a non-standard port of Windows Home Server and Windows Small Business server – http://social.technet.microsoft.com/wiki/contents/articles/922.windows-home-server-router-setup.aspx#Manual_Router_Configuration has it on 4125 and WHS/SBS will happy use uPNP to open that port on your router and forward it to the exposed service.

Comment on RDP and the Critical Server Attack Surface by Dan Kaminsky

Dan Kaminsky — Mon, 19 Mar 2012 05:45:54 +0000

Interesting idea.

Comment on RDP and the Critical Server Attack Surface by Joe Gatt

Joe Gatt — Mon, 19 Mar 2012 05:40:32 +0000

Hey Dan, I know it’s crazy, but have you considered scanning for hosts listening on RDP on non-standard ports like 80/tcp and 443/tcp? We recently implemented egress filtering in my organization only allow these ports outbound. So some of our “IT guys” complained to me because they had to change their home RDP listeners to 80 or 443

Comment on RDP and the Critical Server Attack Surface by Matthew Hackling

Matthew Hackling — Mon, 19 Mar 2012 04:48:06 +0000

Check out http://www.rdpcheck.com to test your IP address

Comment on RDP and the Critical Server Attack Surface by Dan Kaminsky

Dan Kaminsky — Sun, 18 Mar 2012 13:29:41 +0000

Thanks! Yeah, I had lots of interpretation I was going to throw onto to this data, and may yet still, but I wanted to get the raw survey data out ASAP.

I actually suspect that there’s a lot of enterprise RDP, in the same way there’s lots of enterprise SSH. It’s just the default mechanism for Microsoft shops, for those not deploying TS Gateway at least…