James Woolley

429 posts

James Woolley

@Xtrato

Interested in Network security and Technology

Herefordshire, England Katılım Mart 2008

322 Takip Edilen2.2K Takipçiler

James Woolley@Xtrato·26 Ağu

@Paul_Reviews The fact we have gotten into this mess of users having to submit sensitive information just to verify age is insane. Its only a matter of time before a data breach of one of these verification authorities happens. This is a much better solution for a very simple issue.

English

1.7K

James Woolley@Xtrato·8 Tem

@jwkingsman This is very cool!

English

Jack Kingsman@jwkingsman·5 Tem

@Xtrato This was so cool haha! Your project inspired me so I set it up in a dockerized form to make it easier to try out 🙂 github.com/jkingsman/VNCH…

English

James Woolley@Xtrato·29 Haz

I recently created a VNC honeypot. Many people asked me how I went about setting it up, so I've created a blog post describing the process. You can read about it at: ja.meswoolley.co.uk/vnc-honeypot/

English

312

22.4K

James Woolley@Xtrato·29 Haz

@julianharris Definitely!

English

308

Julian Harris@julianharris·29 Haz

@Xtrato Really brings to life the question “are hackers trying to break into your computer?”. Yes. Most definitely yes.

English

448

James Woolley@Xtrato·29 Haz

@alexpotato Thanks!

English

251

Alex Elliott@alexpotato·29 Haz

@Xtrato These are great! Looking forward to see what you do next.

English

313

James Woolley@Xtrato·7 Haz

@Andr3Baca0 @JimmyMcShill x.com/Xtrato/status/…

James Woolley@Xtrato

@JimmyMcShill 🧵1. I can create a full blog post about it once I've refined the process a bit. I'm essentially running tigervnc server with no username/password required to authenticate. A bash script monitors the vnc log file, if someone connects it starts ffmpeg and records the session.

QME

153

André Bação@Andr3Baca0·7 Haz

@Xtrato @JimmyMcShill Thanks for sharing. I would love a detailed process. There were some lines in the "ps" regarding a ffmpeg. is the user john anything to do with the recording? Have you even tried to hide the backend? All is being done in that particular instance right?

English

139

James Woolley@Xtrato·6 Haz

I left a server online with VNC wide open to see how it would be interacted with. This is one of the more interesting interactions:

English

168

362

5.8K

743.2K

James Woolley@Xtrato·7 Haz

@DaAlphaPanda I haven't gotten around to checking the files properly. I have them saved and intend to though.

English

764

James Woolley@Xtrato·7 Haz

@re_skob Probably scanned for it, it found it in a Shodan listing or something similar.

English

4.9K

RE:Skob@re_skob·7 Haz

@Xtrato how did they find the server?

English

5.4K

James Woolley@Xtrato·7 Haz

@rossb_testRepo Thanks!

English

4.7K

James Woolley@Xtrato·7 Haz

@ptkatchouk They would scan for them, yes. There are also services like Shodan that can be used to find VNC servers.

English

1.2K

Pavel Tkatchouk, Ph.D. 🇨🇦 🇺🇦 🇮🇱@ptkatchouk·7 Haz

@Xtrato Cool. Q from complete security noob - how people find out there's an new VNC open, do they scan IP ranges 24/7?

English

1.3K

James Woolley@Xtrato·7 Haz

@FiveOhFour @InternBerry They are both different protocols, but achieve the same thing. RDP is more Windows-based, although it can be used on Linux as well.

English

Not the Droid you’re looking for@FiveOhFour·7 Haz

@InternBerry @Xtrato What’s the distinction between vnc and rdp in this instance

English

James Woolley@Xtrato·7 Haz

@_romeopeter You won't see the commands entered into SSH on the VNC session, if that's what you mean. Unless you look at the bash history.

English

2.4K

Romeo@_romeopeter·7 Haz

@Xtrato So someone tell me… if I access service terminal via SSH and leave the VNC open, will it output instructions from local machine terminal?

English

2.7K

James Woolley@Xtrato·7 Haz

@DirkSchmedemann Thanks!

English

2.9K

James Woolley@Xtrato·7 Haz

@AlexisPaques The first bot was around 1 hour. The first person was 6 days.

English

Alexis Paques@AlexisPaques·7 Haz

@Xtrato How long was the time to first connection?

English

5.5K

James Woolley@Xtrato·7 Haz

@jcalvarez2 Thanks!

English

6.3K

Jose Alvarez@jcalvarez2·7 Haz

@Xtrato That's pretty interesting, thank you!

English

6.8K

James Woolley@Xtrato·7 Haz

@W95918789 Thanks!

English

4.5K

James Woolley@Xtrato·7 Haz

@alexpotato Thanks!

English

22K

Alex Elliott@alexpotato·7 Haz

@Xtrato I’m impressed they got the tar command switches in the first try. Also, as a DevOps/SRE, you get a follow just for making this whole scenario happen.

English

275

24.6K

James Woolley@Xtrato·7 Haz

@InternBerry I do plan to do that next 🙂

English

25.2K

intern.🍓@InternBerry·7 Haz

@Xtrato try leaving an open RDP server next time i think you'll see more fun stuff

English

131

27.4K

James Woolley@Xtrato·7 Haz

@MakJoris Yea I guess you're right!

English

2.2K

Joris Mak bsky: @jorismak.nl@MakJoris·7 Haz

@Xtrato in my experience (and hacked drupal sites on my servers) they don't care if has a kind of gpu or not... it just runs, specially on servers. Every 0.01% of performance is free for them :).

English

2.9K

James Woolley@Xtrato·7 Haz

@AlessandroDuico Yes they could have. Fred user runs the service. I guess they just didn't spot it 😆

English

113

19.1K

Alessandro Duico@AlessandroDuico·7 Haz

@Xtrato Why didn't they kill the ffmpeg grab? Was the fred user allowed to?

English

20.6K

Keşfet

@Paul_Reviews @jwkingsman @julianharris @alexpotato @Andr3Baca0 @JimmyMcShill @DaAlphaPanda @re_skob