What happens if you connect Windows Server 2003 to the Internet in 2024

Captions
Hello everybody, my name is Eric and today we're going to be trying out Windows Server 2003. We're going to put it through the same tests that we put Windows XP and Windows 2000 through: we're going to connect it and expose it to the internet. Now of course, using a server edition of Windows, it's much more reasonable to be exposed to the internet, because how else do you want your server to work? Now, in my understanding most people using Windows servers are probably using them for Active Directory rather than for internet hosting. IIS exists and some people do it. Famously Elon Musk, actually the reason he was let go from PayPal is because he wanted to rebase the whole thing around Windows instead of Unix. Luckily they did not. We get a custom Windows XP logo, and an interesting fact for people who didn't know is that Server 2003 is actually a bit newer than XP, and it was the code base that ultimately Windows Vista would be based off of, after the first iteration, Longhorn, didn't pan out. So we can set our region and we can put in our name. Wow, I guess I guessed the license on the first try. See, I can't show that, put on YouTube. Okay, select the licensing mode you want to do. Now for those of you who've never used Windows Server before, this is to do with client access licenses, which is something for enterprises. What always is kind of weird is it's not enforced; it's just if you're an enterprise, Microsoft will actually audit you to see if you have the right number of these. Now something unfortunate I have noticed from looking at Shodan and looking at servers is a lot of Windows server providers, especially cheaper dedicated server hosts which are mostly focused on Linux, will actually ship these servers by default with a very insecure configuration. Network settings, let's actually not do this right now, because if we do it right now it's going to probably get infected before the setup even finishes, which would be pretty lame. And here we go, Windows Server 2003 Standard Edition.

Now an interesting thing is that the resource limits are sold by SKU, and if you had this version I think you couldn't use more than four CPU cores. I gave this VM 8, but it's just not going to use them. And oh, all right, yes, I've got to actually put in the password I chose. And now we're into Windows Server. So now we can do the dangerous part, we can expose it. There's a second CD; I don't have the ISO for that. I hope we don't need it. I think that's... no, maybe it isn't, I thought that... I think that might be a different icon then. And we should now have internet, but we should also by default, I think this comes with a firewall, but let's see what the Windows Server firewall settings look like. I can also run an nmap on it from a different computer. Oh yeah, and Windows Server comes with this really weird Internet Explorer Enhanced Security Configuration, which basically means that Internet Explorer is unusable. See if we can get... okay, but Google works, so we can confirm that it's online, but it doesn't have any exposed ports and it doesn't respond to pings according to nmap. I'm just going to try nmapping it with -Pn just to validate that anything is online. Of course, given I don't have a real product key here, I don't think activation is going to work, and I also don't think the servers for it are alive anymore, so I think we don't need to waste time on that. So here is how you enable and disable the firewall on this version. So by default it comes with secure firewall settings, so I'm guessing then that server hosts are probably the ones setting them to insecure, if it's happening by default. But all we have to do is do this, or we could just forward some insecure ports and that would also do it. And now this thing is no longer firewalled, and immediately when I ran nmap everything was open and it's responding to pings. So now it is just a waiting game to see who claims this free, wormable, susceptible little VM first.

Okay, now let's see. It's been about an hour. Let's see if we've had any hits on the... I love how it looks. Oh, conhoz has already showed up. That's actually really interesting, so conhoz does work on Windows Server 2003. It doesn't work on 2000, and in my experience it doesn't install on newer, even though it should theoretically. So let's see where conhoz has gone now. I imagine, given that, as we saw in our deep dive analysis of conhoz (I'll have an info card up so you can see that if you haven't already seen it), given how conhoz works, I think it's in System32. That also should patch this. Oh, I just realized, is that really csrss.exe? No, it is definitely not. So that's also living in our fake banking server. So I'm going to try and get the Sysinternals Suite on this so we can get a better idea of what's going on. And now we've got the Sysinternals Suite ready to go, so the main ones that we want are Process Explorer and Process Monitor. Now, whether Process Monitor will even work on this... but this will give us a good idea of what's going on. So this is conhoz, maybe it's not the same conhoz, and this is the fake csrss. Oh, it just died, so maybe it's had enough for now, or maybe it's done whatever it does. And conhoz has got... okay, and it's still Microsoft compilation. Oh, that's just lovely. And it's still in Windows Temp, so not much has changed about conhoz. What's kind of interesting is that, oh, "micoffice", okay, this is also fake. See who that's from. This kind of feels like it might be from the same... It's in a different folder from conhoz. I just love the names of these, it's so absolutely ridiculous, like "micoffice". And now it's spawned those registries as well, and cd2 chain then I'm guessing is legitimate, because that's just "open this file". I'm also going to nmap this again just to see if anything has changed, to see if in fact it has blocked the vulnerable service. msinfo, I'm just copying these to the root so that if I do want to download them and actually analyze them it's not going to cause me any trouble.

Of course, because I'm using a residential connection, these outgoing ports are blocked by my ISP, not necessarily by our server, but this 9999 abyss port is open, which wasn't originally open, and after trying to telnet it, it seems to have crashed whatever that server was doing. Maybe it figured out it was going to get caught. So the only thing we can really do is try and download and analyze the actual incident. And after a bit of playing around with permissions I was able to get into the folder I needed, and here we go, we've got both, and then we just download these two files. Now let's try putting this csrss file and msinfo onto VirusTotal. So msinfo: Malgent, okay. It's VMProtected, so we're probably not getting into that. Riskware application, so pretty much everything being detected is just the VMProtect. Might be able to get a bit more from sandboxes. And now let's try the second stage, which doesn't have the VMProtect. TrickBot, okay, so this still appears to be another dropper. Let's try putting msinfo into Triage and see what it has to say. Static analysis doesn't seem to think anything super interesting is here, and we'll give it Windows 7 just to slightly increase the chance that it'll work, realistically, because Windows backwards compatibility is good, so malware forwards compatibility is usually pretty good unless you enable security features. Okay, so it would appear that the first hit, the msinfo, is not going to run in Triage. It's well protected, it's VMProtected, it's probably got a lot of anti-VM. Now this one, okay, it's getting a three out of ten. Oh, PyC, okay, so this is Python malware, and there's a very real chance that we can get source code. There's some sort of debug message that popped up; we'll be able to see it in the replay. It looks like it failed, so we can terminate this sandbox. Okay, it's UPX packed, and then it's got ACProtect running under it, okay, so they're probably not getting source code, but yeah, it's got some really old Python in there. But it seems like either it doesn't work on this version of Windows or it's detecting the sandbox, and it doesn't seem to be network based, so I'm not going to be able to really use my usual tools. But I'm going to assume that this is pretty similar, maybe a bit more advanced than conhoz, but it's doing roughly the same thing. It might steal files, but really the main focus of these is to build some sort of botnet, which is why for these videos I never leave the VM running longer than I need to.

So that is going to be all for this video. Please leave a like if you enjoyed it, and you can also leave a comment and subscribe. And of course at least a few people are going to comment about how I somehow faked this one too, like they did for the other two. So if you're one of those people, go ahead, and if you see any of those people please feel free to make fun of them. That's all for now, bye.
Info
Channel: Eric Parker
Views: 31,885
Id: 1vsjbxN4zP4
Length: 10min 29sec (629 seconds)
Published: Mon Jul 08 2024