Nettalk, ClarionNet, AnyScreen, AppBroker - How secure?

So I don't know how familiar people are with Shodan.io, but it's certainly a go-to place to get a list of internet-connected devices, and the search facility is incredibly easy to use. But it does make me wonder how secure internet-connected devices are, because Shodan is incredibly powerful, engaging in communication formats like initiating email communication to establish the software behind popular ports.

nettalk - Shodan Search
clarionnet - Shodan Search
anyscreen - Shodan Search
clarion - Shodan Search
clw/0.01 - Shodan Search
Clarion Internet Connect - Shodan Search

One thing I noticed about the NetTalk results is that most of the sites - probably all - are running old or VERY old versions of NetTalk.

Yeah, I did see the odd version 4.xx. The numbers are interesting as well; it seems like there is quite an adoption of AnyScreen, if it's the Clarion AnyScreen.

The clw/0.01 is an interesting search string, and it's kind of interesting looking at other people's efforts; it's one way of grading one's own abilities.

It would be interesting to see what sites they detected as NetTalk - where the Server: header was not in use.

The Server header was removed some years ago when it became best practice to not advertise the server name/version in the header.

Of course the whole point of a website on the internet is to be on the internet, and to be exposed to outside connections. So in that sense simply being on a list isn't that exciting, assuming of course the server is reasonably up to date (and clearly most in this list are not).

NetTalk itself though is pretty secure, and we regularly do pen testing, OpenSSL updates and so on. So from that point of view simply being on the list is nothing I'd worry about.
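As an added example (not code from the thread, from NetTalk or from CapeSoft), the check below reports the response headers a scanner would use to fingerprint a web server. It goes beyond the Server: header discussed above by also looking at X-Powered-By, X-AspNet-Version and Via, which leak product names just as readily. The URL is a placeholder.

```powershell
# Added example (not from the thread or from NetTalk): list the response headers a
# scanner would use to fingerprint a web server. The URL below is a placeholder.
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1, harmless on 7

function Get-FingerprintHeaders {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$Names = @('Server', 'X-Powered-By', 'X-AspNet-Version', 'Via')
    )
    $client = [System.Net.Http.HttpClient]::new()
    $client.Timeout = [TimeSpan]::FromSeconds(10)
    try {
        $req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Head, $Url)
        # HttpClient does not throw on 4xx/5xx, so an error page's headers are inspected too.
        $resp = $client.SendAsync($req).GetAwaiter().GetResult()
        $found = [ordered]@{}
        foreach ($name in $Names) {
            $found[$name] = if ($resp.Headers.Contains($name)) {
                ($resp.Headers.GetValues($name) -join ', ')
            } else {
                '(not advertised)'
            }
        }
        [pscustomobject]@{
            Url        = $Url
            StatusCode = [int]$resp.StatusCode
            Headers    = $found
            # True when nothing product-identifying is sent, the state the post describes.
            Silent     = -not ($found.Values | Where-Object { $_ -ne '(not advertised)' })
        }
    } finally {
        $client.Dispose()
    }
}

# Placeholder host; a DNS or TCP failure throws rather than reporting a header.
Get-FingerprintHeaders -Url 'https://www.example.com/'
```

A server that comes back Silent = True can still be fingerprinted from its response bodies, error pages and TLS stack, which is how a scanner can classify a site with no Server: header at all.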

Well, you are best placed to know what strings are unique to NetTalk and then put those strings into Shodan to see what it's detected.

For example, the clw/0.01 appears to be a unique string.

I've seen how quickly you can reset your NetTalk webserver on a Saturday morning when it goes unresponsive. It's like when the IP driver server goes unresponsive and the Windows service management won't reset the IP driver server again. It's a shame that was written in Java, because a programmatic method to reset the service would be useful.

Because Windows supports UNC I was trying this API
GetNamedSecurityInfoA function (aclapi.h) - Win32 apps | Microsoft Docs
on the live.sysinternals.com website. The error messages, and the speed with which the error messages are returned, are also interesting.

Its UNC object name is just \\live.sysinternals.com,
so if you wanted to run DebugView on a customer's/user's machine without having to ship it, then just use \\live.sysinternals.com\tools\Dbgview.exe

So if the hidden admin shares are enabled on a machine, which they used to be by default on 2000 and 2003 Server, you could access a server hard drive or workstation hard drive over a network with ease, with an admin account.

I haven't tested any newer Windows servers yet, but accessing a server/workstation inside a network can be as easy as just using
\\ComputerName\c$\
and a Windows box connected to the internet without proper internet security is as easy as
\\www.capesoft.com\c$\

The reg key to enable this on a Windows Pro or Enterprise machine (Home appears to be disabled/possibly missing DLL functionality) is:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • DWORD(32 bit): LocalAccountTokenFilterPolicy = 1

Also needs UAC switched off (admittedly rare, but you might get lucky),
and an enabled built-in Administrator account, which is something added to Windows workstations connected to Windows servers, but you can get a Linux Samba server to act as the Active Directory controller and do it that way, plus you get the source code with Linux!

Administrative share - Wikipedia

Other attack vectors on a Windows machine include its registry, which I haven't tried yet, but these screenshots document the errors I get when attempting to connect to different things using a C11 app and the GetNamedSecurityInfoA API.

Connecting to an admin share on a Windows Home device over the network
Object type: LMShare
Result: Error 53 ERROR_BAD_NETPATH (0x35) The network path was not found.

UNC path to Sysinternals online admin share
Object type: LMShare
Result: Error 53 ERROR_BAD_NETPATH (0x35) The network path was not found.

UNC path to Sysinternals DebugView
Object type: File object
Result: Error 1 ERROR_INVALID_FUNCTION (0x1) Incorrect function. (very fast popping up this error)

Hidden folder on local drive
Object type: LMShare
Result: Error 2310, which is not listed by Microsoft, so I don't know what it means.

A known file in a hidden folder on local drive
Object type: File object
Result: I get the security info I need, so now I can change some of its security properties! Voila.

Now obviously Windows has the benefit, like Linux, of deploying files in known locations; even HW manufacturers release updates which can be exploited for very short periods of time, like when the update is actually running in some situations.
Likewise misconfigurations are also a hacker's best friend, and Windows, despite having the rollback facility, doesn't make it that easy to roll back reg settings, as anyone who has installed and then uninstalled software will know when trawling through their registry finding leftover keys and values.

Now I haven't tried connecting to the registry locally, across an internal network or over the internet yet, but with the registry, I wonder if I could add a registry entry that uses UNC to pull an exe off another device/workstation connected to the internal network, or off a website over the internet, much like we can run DebugView on a machine using the UNC path to their webserver as shown above.

How to Access or Modify StartUp Items in the Window Registry - PowerShell Team (microsoft.com)

And how many people monitor their registry settings?

I don't know of any AV product that monitors the registry. That's not to say that it doesn't happen with some AV software, and certainly removing reg entries when removing viruses does occur, but considering it took over a year to reverse engineer Stuxnet before the AV companies decided if it was a virus or not, there seems to be a window of opportunity that exists for some hackers.

And Shodan just makes acquiring the potential targets even quicker and easier!
Who needs a port scanner when you have Shodan?
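The script below is an added example, not code from the thread, and runs from an elevated PowerShell prompt on the machine being checked (Windows PowerShell 5.1 or later with the LocalAccounts, SmbShare and NetSecurity modules, which is an assumption). The first part audits the preconditions the post above lists for reaching C$ over the network with a local admin account (LocalAccountTokenFilterPolicy, UAC, the built-in Administrator, the admin shares and inbound SMB rules) and includes the function that puts them back. The second part answers the "who monitors their registry" question for the Run keys specifically: it lists every entry and flags any whose command is a UNC path, which is the pull-an-exe-from-another-host case the post asks about. Function names and the baseline path are the example's own.

```powershell
# Added example, not code from the thread. Run elevated on the machine being checked.

function Get-AdminShareExposure {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # LocalAccountTokenFilterPolicy = 1 hands local admins a full token over the network.
    $tokenFilter = if ($null -ne $sys.LocalAccountTokenFilterPolicy) { [int]$sys.LocalAccountTokenFilterPolicy } else { 0 }
    # EnableLUA = 0 means UAC is switched off entirely.
    $enableLua = if ($null -ne $sys.EnableLUA) { [int]$sys.EnableLUA } else { 1 }

    # The built-in Administrator is always RID 500, whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }

    # Administrative shares (C$, ADMIN$, IPC$) currently published by the Server service.
    $adminShares = Get-SmbShare | Where-Object Special | Select-Object -ExpandProperty Name

    # Inbound firewall rules that admit SMB; on an internet-facing box there should be none.
    $smbRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        RemoteUacBypass     = ($tokenFilter -eq 1)
        UacDisabled         = ($enableLua -eq 0)
        BuiltinAdminEnabled = [bool]$builtin.Enabled
        AdminShares         = @($adminShares)
        SmbInboundRules     = @($smbRules)
        # All of these together is the "you might get lucky" case from the post.
        Exposed             = ($tokenFilter -eq 1 -or $enableLua -eq 0) -and [bool]$builtin.Enabled -and ($adminShares -contains 'C$')
    }
}

function Set-AdminShareHardening {
    # Reverses the settings from the post. Re-enabling UAC prompts needs a reboot;
    # the token filter applies to new network logons immediately.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Remove-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $policyKey -Name EnableLUA -Value 1 -Type DWord
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' } | Disable-LocalUser
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{
                Key        = $k
                Name       = $p.Name
                Command    = [string]$p.Value
                # A program path starting \\host\share\ is the UNC trick the post asks about.
                RemotePath = ([string]$p.Value) -match '^\s*"?\\\\'
            }
        }
    }
}

# Snapshot once, compare later; anything new or changed in the Run keys shows up here.
# Get-RunKeyEntries | Export-Clixml C:\audit\run-baseline.xml
# Compare-Object (Import-Clixml C:\audit\run-baseline.xml) (Get-RunKeyEntries) -Property Key, Name, Command

Get-AdminShareExposure
Get-RunKeyEntries | Where-Object RemotePath
```

Exposed = True only says the host would honour an admin logon over SMB from wherever the firewall lets port 445 in; whether that is the internet depends on SmbInboundRules and whatever sits in front of the machine. The baseline-and-compare lines are the cheapest answer to the registry-monitoring question: schedule the compare and alert on any output.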

“a programmatic method to reset the service would be useful”

If you’re talking Windows services then that’s not hard. Use the API functions that MS declares in winsvc.h, like OpenSCManager. Or am I missing something?

That didn't work.
Services.msc, pick any service, Recovery tab, setting 1st, 2nd & subsequent failures to Restart the Service and changing the "Restart the service after x minutes" value, would still see it hung in some cases.
Bottom line, with hindsight I needed better notification in place when it happened, plus diagnostic tools to kick in when a failure occurred to attempt to find out what was going on.

I would imagine, pushing specially formatted strings down ports is a speciality for some.

The other problem is some things are insecure by design, but it keeps us busy!

Edit

One of the other problems was the service was unresponsive, i.e. it didn't fail in a way Windows recognised as a failure, but I couldn't connect to it, so having to restart it manually was something that had to be done as well.

I was reading about Row hammer - Wikipedia yesterday, as it got mentioned again last year, this time affecting machines with DDR4 RAM (just as DDR5 is becoming the new standard), and when I read these things I wonder if there is a way to reverse this, so whilst Rowhammer runs in a browser from JavaScript, I wonder if the technique could be adapted, reversed and delivered to ports.

Well the configuration in services.msc is talking about what happens when the OS thinks the service is hung. What happens if you just right-click on the service and select the restart option?
If that works then you can easily find a way to just restart the service every X hours, whether it’s having a problem or not.
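The watchdog below is an added example, not code from the thread, for the case the two posts above describe: the service process stays alive, so the Recovery tab never fires, but nothing answers on its port. Rather than restarting on a timer whether or not anything is wrong, it sends a real HTTP request to the local port and only restarts when that gets no reply, stopping through the SCM first (the winsvc.h route suggested above, via the .NET ServiceController) and killing the process only if the stop request is ignored. The service name, port and log path are assumptions; replace them with your own.

```powershell
# Added example, not code from the thread. Service name, port and log path are placeholders.
param(
    [string]$ServiceName = 'MyWebService',
    [int]$Port = 8080,
    [int]$TimeoutMs = 5000,
    [string]$LogFile = 'C:\watchdog\watchdog.log'
)

function Test-HttpResponsive {
    param([int]$Port, [int]$TimeoutMs)
    # Send a real request: a hung listener still accepts TCP connections, so connect alone proves nothing.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $ar = $client.BeginConnect('127.0.0.1', $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $req = [System.Text.Encoding]::ASCII.GetBytes("HEAD / HTTP/1.0`r`nHost: localhost`r`n`r`n")
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 64
        return ($stream.Read($buf, 0, $buf.Length) -gt 0)   # any reply at all counts as alive
    } catch {
        return $false   # connect refused, read timed out, or reset
    } finally {
        $client.Dispose()
    }
}

function Restart-HungService {
    param([string]$Name, [int]$StopTimeoutSec = 30)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $procId = (Get-CimInstance Win32_Service -Filter "Name='$Name'").ProcessId
    if ($svc.Status -ne 'Stopped') {
        try {
            # Ask the SCM for a normal stop first, but only wait a bounded time for it.
            $svc.Stop()
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($StopTimeoutSec))
        } catch [System.ServiceProcess.TimeoutException] {
            # The process ignored the stop request; kill it, after which the SCM marks it stopped.
            if ($procId) { Stop-Process -Id $procId -Force }
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(10))
        }
    }
    $svc.Start()
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $svc.Refresh()
    return $svc.Status
}

if (-not (Test-HttpResponsive -Port $Port -TimeoutMs $TimeoutMs)) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $ServiceName not answering on port $Port, restarting"
    # This is the point to capture a process dump or counters before the kill: the
    # diagnostics the thread says were missing when it happened.
    $status = Restart-HungService -Name $ServiceName
    Add-Content -Path $LogFile -Value "$stamp restart finished, status $status"
}
```

Schedule it under SYSTEM every few minutes, for example with `schtasks /Create /SC MINUTE /MO 5 /RU SYSTEM /TN ServiceWatchdog /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\watchdog\watchdog.ps1"`. For the crashes the SCM does recognise, the Recovery tab settings from the earlier post can be applied from the same script host with `sc.exe failure MyWebService reset= 86400 actions= restart/60000/restart/60000/restart/60000`; the watchdog covers the hung-but-running case that those settings miss.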

It was running on a webserver in some data centre; it's not that easy just remote accessing the desktop, and you also don't always get access to all functionality on a Windows web server in a data centre. It's different if you hire out the entire server or virtual server, but a basic Windows web server didn't always have all the access needed, as you had to go through interfaces/control panels like cPanel or Plesk.

With hindsight, now that I know these things, I needed some sort of VPN in front of it. If the users were known and didn't mind having a VPN client on their workstation, that would have definitely worked.

Another possibility is using Features/HTTPS - Squid Web Proxy Wiki (squid-cache.org)
but I haven't tested this; it might work for those instances when installing a VPN client is not an option.

Edit. I will add that separating the encryption from the main server can be useful for machine isolation, and if load balancing is needed, that can also help. At least an IPS/IDS can be run on the communication between Squid and the HTTP port.
Intrusion detection system - Wikipedia

An IPS analyses the packet and can block packets according to some definitions/patterns; an IDS analyses packet signatures for threats according to some.

Lots of solutions, some open source like Snort.org. I know British Telecom have used this in the past, but I don't know if that was the infrastructure part or the retail part of the business. Cisco do their own, and MS Azure also recommend some.

It can be used to protect various servers inside a business network like SQL, Exchange and webservers. Switches can also be configured to route everything through an IDS/IPS for internal business networks, which can complement subnet isolation.