
VNC Roulette - dewey
https://srsly.de
======
supersheep
This _feels_ unethical to me.

I've just seen a VNC session on a machine running some PLC software (I've
flagged it). There could be god knows what running open VNC sessions in here,
and it feels unethical to expose this in an easy-to-exploit way without making
a best-efforts attempt to contact the operator.

I've seen a few VNC desktops that now have Paint open (or similar) with
messages informing people that they have an open VNC server, but altruism is
unlikely to be the norm.

It's a cool idea and it's really well done, but I do wish it was anonymised -
no display of the host or port the VNC server is running on, just the screen.
(I realise this might be useless in some cases where the screenshot lists the
server's FQDN.)

~~~
Alupis
> This feels unethical to me.

Not really. The site operator has done nothing that has not already been done
before, and it's little more than a basic nmap scan for services (which anyone
can do).

It might be considered unethical that a PLC system is using VNC with no
password.

There's also an awful lot of CirrOS systems in there, which tell you the
default username and password, alongside a kind note saying the default user
has full sudo privileges and you can just sudo into full root. The
particularly bad thing about CirrOS is they are almost all running on
OpenStack and other cloud providers, who should know better.

~~~
supersheep
> The site operator has done nothing that has not already been done before,
> and it's little more than a basic nmap scan for services (which anyone can
> do).

I realise this. Which is why I carefully phrased the objection as "easy-to-
exploit". You and I may think the phrase "basic nmap scan" is simple, but it
opens the door to lots of people who don't know what that sentence means but
can easily click a link in their browser and be directly connected to an
exploitable host (I don't like the phrase 'script kiddie' but I think that
conveys what I mean).

> It might be considered unethical that a PLC system is using VNC with no
> password.

It might. It might also be more properly called incompetence. But that's
orthogonal to providing an easy way to exploit such a system and _not
notifying the operator_, which I feel is "more unethical" if such a concept
exists.

There are ways to do this if the intent was to highlight how many people run
open VNC servers (as I'm guessing is implied by calling the site Srsly?)

1) Don't publish the server's hostname and port.

2) Attempt to notify the operator.

3) Publish screenshots only.

By publishing the connection details, this turned something that could have
been interesting and done some public good into something that I feel is
dangerous and fairly exploitative.

~~~
Alupis
Shodan has existed for years and does practically the same thing (enumerates
services, etc), but to a far greater extent.

This year at Defcon there was a great talk about masscan and scanning the
entire internet (they enumerated a lot of open VNCs right onstage during the
talk).

> Attempt to notify the operator.

How? If it's just some IP address, there's little you can do other than login
and leave a text file open telling them they have an open VNC (that would
surely get my attention).

The argument that a site like this should not exist because someone may
exploit it just doesn't hold up. It's like saying we shouldn't post the IP
addresses online of open mail relays, or open dns resolvers... which we (the
"white-hat" community) did not... until it was discovered they were already
posted online. Someone will do it...

If a vendor is so incompetent as to put an important PLC on the internet, let
alone with a completely open VNC, that vendor should be shamed. If we build a
list like this site has done, perhaps we can strongly encourage folks to not
do this anymore.

Heck, I'd love a search feature to be implemented on the site so I can double
check I have no open VNCs on any of my IPs...

~~~
supersheep
> Shodan has existed for years and does practically the same thing (enumerates
> services, etc), but to a far greater extent.

Good point. But it's not laser-focused on a single thing and making that thing
as easy as possible (I can just click on an image and be connected to the
server!)

> How?

For some hosts it will be impossible. For others, it may be obvious or at
least feasible; the company's name may be in the FQDN, the server may give a
name in the VNC response that could be used, and if you're feeling grey-hat
you could poke around and see what it does and who may own it.

> The argument that a site like this should not exist because someone may
> exploit it just doesn't hold up

I didn't say it shouldn't exist - just that some minimum form of self-
censorship is the ethical course of action.

> Someone will do it...

Of course. But not everyone will make it this easy and accessible.

And I can appreciate the spirit in which this is done, if the "Hail Eris!"
text on the page didn't make it obvious :) Being able to flag stuff is the
concession, assuming it really does remove it from rotation.

------
arianvanp
IANAL but connecting to any of these VNCs listed here is probably a felony.
At least in the Netherlands it probably is. Even though these are open to the
public, the intention was probably to be private. Deliberately connecting to
something that has the mere intention to be private is a felony here. [0]

[0]
[http://wetten.overheid.nl/BWBR0001854/TweedeBoek/TitelV/Arti...](http://wetten.overheid.nl/BWBR0001854/TweedeBoek/TitelV/Artikel138ab/geldigheidsdatum_01-12-2014)

~~~
srsly-0001
You are probably right, at least in some jurisdictions. If in doubt, just use
the web VNC client (click on the screenshot).

The web client uses our machine to proxy the websocket connection the client
uses to the VNC server and we don't collect user data, especially not who used
the VNC client to connect to which server.

~~~
ryan-c
An SSL certificate that doesn't help people get used to ignoring certificate
errors can be had for free from StartSSL or for less than ten euros from a
company that has a UI that won't make you want to cry.

~~~
srsly-0001
We actually tried a StartSSL certificate, but got OCSP errors with (at least)
Firefox. We'll retry the certificate in the (very) near future, maybe it just
takes a while for the OCSP information to trickle through after creating a
cert.

~~~
8_hours_ago
If I remember correctly, with StartSSL you have to wait for up to 24 hours
before the OCSP servers are updated. I ran into the same issue with my last
certificate from them, just have some patience :)

------
aesthetics1
I knew it was only a matter of time until I refreshed to someone watching
YouPorn. NSFW, kids.

------
Retr0spectrum
I saw loads of servers that looked like this:
[http://151.217.171.219:6080/vnc.html?autoconnect=true&token=...](http://151.217.171.219:6080/vnc.html?autoconnect=true&token=136.243.11.30-5907-vnc)

They appear to be automated viewbots. I would have thought that there were
more efficient ways of generating views.

------
neals
Ok, so how do I know my VNC is secure?

[edit] I don't have anything like VNC set up, but maybe we (I) can learn
something from this.

~~~
drzaiusapelord
Is it running through an SSH tunnel? If not, it's not remotely secure.

Switch to NX instead.

~~~
deadfece
Just an FYI here, but UltraVNC and RealVNC Enterprise do support VNC
encryption.

[http://adamwalling.com/SecureVNC/](http://adamwalling.com/SecureVNC/)

[https://www.realvnc.com/products/vnc/documentation/5.0/guide...](https://www.realvnc.com/products/vnc/documentation/5.0/guides/user/aj1078704.html)

------
Kenji
[https://srsly.de/hardlink/115.47.47.168-5909-vnc](https://srsly.de/hardlink/115.47.47.168-5909-vnc)
Wait, does Windows OS continue running in the background when you have a
bluescreen, such that you can make a screenshot? I didn't know that.

~~~
ValdikSS
This VNC is provided by QEMU, not the OS.

------
david_shaw
A few quick comments:

- First of all, I think the title of this submission might want to imply that
it could be NSFW (see some comments below re: porn), and that it could be in a
strange grey-area legally (especially if you actually connect to these
machines)

- On one hand, there's nothing revelatory about this project. VNC, RDP, web
cams, etc. are frequently found on the Internet because sysadmins don't secure
them correctly. See something like Shodan, for example, to get a really
realistic view of this.

On the other hand, though, bringing attention to it is a great way to get
people to _stop_ being idiots in this way.

Unfortunately, I doubt that the sysadmins in question will actually see this
site.

------
Ecco
I may be missing something obvious, but how does it find VNC servers?

~~~
srsly-0001
We're using zmap to basically scan 0.0.0.0/0 on ports ranging from 5900 to
5910.

Addresses that have at least one of these open then get passed to a Python
script that attempts to connect to those machines and take a screenshot.

The web frontend is built using Go httpd by the way.

Edit: We are able to do this because we're at the 31c3 with an enormously
fast internet connection. The machine this is running on has a 1Gbps
connection to the internet.

~~~
ryan-c
Are you using the old RealVNC bug that allows the password to be bypassed by
ignoring what authentication methods the server advertises and using "none",
or only hitting stuff that actually says it supports connecting without a
password?

~~~
srsly-0001
The latter. We didn't know about that bug until now, but we'll probably keep
it this way so connections work with any VNC client people might have lying
around.

~~~
ryan-c
I thought you could possibly be exploiting the bug unintentionally - a hacked
together client that just attempts to connect with null auth would do it. Not
sure how common that vuln is.
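
The crawler described above (zmap for the port sweep, then a Python script that connects and screenshots) and the question of whether it only talks to servers that advertise passwordless access both come down to the first few bytes of the RFB handshake. The following is an added example written for this thread, not the srsly.de crawler's own code: it parses the ProtocolVersion and security-type messages as laid out in RFC 6143, selects the "None" type only when the server offers it (`strict=True`), and in `strict=False` mode does what the sloppy client ryan-c describes would do, so the two behaviours and the server's reaction to each can be told apart. The `ScriptedSock` stand-in, the server transcripts and every function name here are constructed for the example; `probe()` is the only part that touches the network and is what you would point at your own public address to answer neals' question earlier in the thread about checking your own server.

```python
import socket
import struct
from dataclasses import dataclass

SEC_INVALID, SEC_NONE, SEC_VNCAUTH = 0, 1, 2   # RFC 6143 section 7.1.2

@dataclass
class Handshake:
    version: tuple      # server's ProtocolVersion, e.g. (3, 8)
    types: list         # security types the server advertised
    outcome: str        # open | auth-required | refused | bypass-attempted | bypass-accepted
    reason: str = ""    # failure reason text, when the server sent one

class ScriptedSock:
    """Constructed socket stand-in: replays canned server bytes, records what we send."""
    def __init__(self, script):
        self.buf, self.sent = script, bytearray()
    def recv(self, n):
        chunk, self.buf = self.buf[:n], self.buf[n:]
        return chunk
    def sendall(self, data):
        self.sent += data

def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-handshake")
        buf += chunk
    return bytes(buf)

def read_reason(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))   # u32 length, then text
    return recv_exact(sock, length).decode("latin-1", "replace")

def parse_version(banner):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[-1:] != b"\n":
        raise ValueError("not an RFB banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def negotiate(sock, strict=True):
    """Run the handshake through the SecurityResult. strict=True selects 'None' only
    when the server advertised it (what the crawler says it does); strict=False sends
    'None' regardless, the sloppy-client behaviour that trips the old RealVNC bypass."""
    version = parse_version(recv_exact(sock, 12))
    ours = (3, 8) if version >= (3, 8) else (3, 7) if version >= (3, 7) else (3, 3)
    sock.sendall(b"RFB %03d.%03d\n" % ours)
    if ours == (3, 3):
        (sec,) = struct.unpack("!I", recv_exact(sock, 4))   # 3.3: server dictates one u32 type
        if sec == SEC_INVALID:
            return Handshake(version, [], "refused", read_reason(sock))
        return Handshake(version, [sec], "open" if sec == SEC_NONE else "auth-required")
    count = recv_exact(sock, 1)[0]   # 3.7/3.8: u8 count then the list; 0 means refused
    if count == 0:
        return Handshake(version, [], "refused", read_reason(sock))
    types = list(recv_exact(sock, count))
    advertised = SEC_NONE in types
    if strict and not advertised:
        return Handshake(version, types, "auth-required")
    sock.sendall(bytes([SEC_NONE]))
    if ours == (3, 7):
        # 3.7 sends no SecurityResult for 'None'; success only shows up as ServerInit
        return Handshake(version, types, "open" if advertised else "bypass-attempted")
    (result,) = struct.unpack("!I", recv_exact(sock, 4))
    if result != 0:
        return Handshake(version, types, "refused", read_reason(sock))
    return Handshake(version, types, "open" if advertised else "bypass-accepted")

def probe(host, port=5900, timeout=3.0, strict=True):
    # the only function here that touches the network; point it at your own address
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return negotiate(sock, strict=strict)

# Constructed server transcripts for offline runs (not captured from any real host)
REASON, FAIL = b"Too many security failures", b"Authentication failure"
SAMPLE_OPEN_38 = b"RFB 003.008\n" + bytes([1, SEC_NONE]) + struct.pack("!I", 0)
SAMPLE_OPEN_37 = b"RFB 003.007\n" + bytes([1, SEC_NONE])
SAMPLE_AUTH_38 = b"RFB 003.008\n" + bytes([2, SEC_VNCAUTH, 19])        # VNCAuth or VeNCrypt
SAMPLE_AUTH_33 = b"RFB 003.003\n" + struct.pack("!I", SEC_VNCAUTH)
SAMPLE_REFUSED_38 = b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", len(REASON)) + REASON
# the two possible answers to a client that selects 'None' without it being offered:
SAMPLE_BUGGY_38 = SAMPLE_AUTH_38 + struct.pack("!I", 0)                # accepts anyway
SAMPLE_CORRECT_38 = SAMPLE_AUTH_38 + struct.pack("!I", 1) + struct.pack("!I", len(FAIL)) + FAIL

def demo():
    """Handshake against each transcript; returns {label: outcome}."""
    cases = [("open-3.8", SAMPLE_OPEN_38, True), ("open-3.7", SAMPLE_OPEN_37, True),
             ("auth-3.8", SAMPLE_AUTH_38, True), ("auth-3.3", SAMPLE_AUTH_33, True),
             ("refused-3.8", SAMPLE_REFUSED_38, True),
             ("buggy-3.8-sloppy", SAMPLE_BUGGY_38, False),
             ("correct-3.8-sloppy", SAMPLE_CORRECT_38, False)]
    return {label: negotiate(ScriptedSock(script), strict=strict).outcome
            for label, script, strict in cases}

if __name__ == "__main__":
    print(demo())
```

The strict client never sends a security-type byte to a server that did not offer "None", so its scan leaves nothing but a version banner in the target's logs; the sloppy client's "bypass-accepted" outcome is the one that would turn a survey into an unintended login on a server with the bug ryan-c mentions. If you run `probe()` against your own address from outside and get anything other than a refused connection or "auth-required" with a strong type in `types`, the VNC port is reachable in a way the rest of this thread argues it should not be.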

------
mdewinter
Is the database available somewhere? I can imagine that some providers want to
scan for their ranges to inform their users. The following is time-consuming:

    
    
        $ while true; do curl -sk https://srsly.de | html2text | awk '/Address/ {print $2}' | tee -a vncservers; done
        $ sort -u vncservers | wc -l
        3128

~~~
jwandborg
Here's a dump of an Elasticsearch database with 7573 of them in it and whois
information attached to each document:
[https://shining-inferno-2609.firebaseio.com/.json](https://shining-inferno-2609.firebaseio.com/.json)

Here's an `asn_country_code`-based aggregation of countries:

    
    
      {
        "took" : 2,
        "timed_out" : false,
        "_shards" : {
          "total" : 5,
          "successful" : 5,
          "failed" : 0
        },
        "hits" : {
          "total" : 7612,
          "max_score" : 0.0,
          "hits" : [ ]
        },
        "aggregations" : {
          "countries" : {
            "doc_count_error_upper_bound" : 5,
            "sum_other_doc_count" : 1894,
            "buckets" : [ {
              "key" : "cn",
              "doc_count" : 1891
            }, {
              "key" : "us",
              "doc_count" : 1155
            }, {
              "key" : "de",
              "doc_count" : 894
            }, {
              "key" : "kr",
              "doc_count" : 457
            }, {
              "key" : "ch",
              "doc_count" : 398
            }, {
              "key" : "mx",
              "doc_count" : 244
            }, {
              "key" : "ru",
              "doc_count" : 178
            }, {
              "key" : "ca",
              "doc_count" : 171
            }, {
              "key" : "it",
              "doc_count" : 167
            }, {
              "key" : "gb",
              "doc_count" : 163
            } ]
          }
        }
      }

------
stinos
Hmm, surely a lot of Windows machines on there. Why would one put VNC on
there? It's not exactly the best remote screen tool out there (had to use it
often in the past unfortunately), or did I miss something? Just because it can
be passwordless? Or because they don't know about RDP maybe?

~~~
anonymfus
Because most PCs are Windows machines.

p(windows|vnc)=p(vnc|windows) * p(windows) / ( p(vnc|windows) * p(windows) +
p(vnc|non-windows) * p(non-windows) )

------
Volundr
Holy cow, the one I got was even nice enough to include the default username
and password before the login prompt. I didn't test to see if it'd work :-p.

Edit: I've also seen several now with the root prompt already open. Now I know
how so many botnets are formed.

~~~
dunham
Maybe some of these vnc servers were put up after the machines were broken
into, as a means of remote access for the attackers.

~~~
Alupis
No, he probably got one of the many CirrOS boxes, which tell you the username
and password, alongside a kind note that the default user has full sudo
privileges.

------
Retr0spectrum
Lol:
[https://srsly.de/image?id=210.70.80.52-5901-vnc](https://srsly.de/image?id=210.70.80.52-5901-vnc)

------
mcescalante
Both Firefox and Chrome don't like the certificate, if you hadn't already heard
that, but otherwise this is a funny and good idea, and I'm having some fun
tooling around wondering why these connections went unsecured and how many
more are out there (lots and lots) that aren't listed yet.

~~~
drzaiusapelord
Because VNC is a major clustfucker of bad ideas? Almost every VNC installer
I've used has made passwords optional. Who makes these brain dead decisions?
It's bad enough that it cannot, typically, integrate with the built-in OS
authentication, but the "roll your own" mentality from devs is especially off-
putting. Application devs shouldn't be writing authentication mechanisms. They
should be tying to the OS's auth using the proper libraries.

If you must run VNC for legacy reasons, please run it in an SSH tunnel without
an open port to the world.

With things like RDP, NX/nomachine, xwindows forwarding in an ssh tunnel, etc,
there's really no excuse to keep using it. For all the shit Windows gets, at
least it doesn't allow password-free RDP connections. I think the world of
cheap Linux VPS has opened up a Pandora's box of bad security practices.
There's no shortage of forums out there that tell the uninitiated to "just
apt-get" VNC and be done with it. Running ssh tunneled nomachine is just as
easy to configure, has better performance, and loads better security.

Also this looks like an applet that runs a JS VNC client locally and connects
you directly to various open VNC servers. It's your IP address in those logs
and depending on your jurisdiction or policies, may get you in trouble just
for visiting the site. Took me a second to realize this. May want a warning
here for those at work.

~~~
srsly-0001
> Also this looks like an applet that runs a JS VNC client locally and
> connects you directly to various open VNC servers. It's your IP address in
> those logs and depending on your jurisdiction or policies, may get you in
> trouble just for visiting the site. Took me a second to realize this. May
> want a warning here for those at work.

Not quite. The VNC client is noVNC, with a websocket proxy on the same machine
[http://srsly.de](http://srsly.de) runs on. The connections you make with the
web interface will go to our server, be translated from websockets to regular
sockets, and then forwarded to the real VNC server. The address they see in
their logs is ours.

We don't log access to the VNC client, by the way.

------
johnjreiser
Surprised and saddened to see so many machines called "cloud".

------
ryanmarsh
Oh Jesus, I might be getting a visit from the feds soon...

------
thesorrow
It's down for me...

~~~
srsly-0001
If that's the case, please retry. We're actively working on the backend of the
site and restarting the application sometimes takes a second.

------
ValdikSS
Damn, this is addicting

~~~
tyrelb
love it!

------
mauz0r
Lots of pun. The counter is going up quite fast, I wonder how long this will be
up.

~~~
ErikRogneby
the counter was going down when I was flipping through. Folks must be flagging
sites?

------
kakashka
Hello world!

------
funvit
Hmm. I see an Android device! OMG!

