I have been playing around with the site World of VNC:
World of VNC
On September 21st 2016, a grey hat hacker did a port scan on every IP looking for port 5900. He exported that data and used it for a custom-built program that would go down the list attempting to connect to each IP using a VNC viewer to see if the connection was secured or not. Over 3600 on that list were NOT secured. He then posted his findings online, since his program took a screenshot of each successful connection.
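The "secured or not" check the program above was doing can be done without a VNC viewer at all: the RFB protocol tells you up front whether a password is required. After the version exchange, a 3.7+ server sends a count byte followed by one byte per supported security type; type 1 means "None" (no authentication), type 2 means classic VNC password authentication. The following probe, added here as an example and not the original page's or the scanner author's code, performs that handshake and reports the offered types. The fake server it talks to is constructed in the block for offline demonstration and only speaks RFB 3.8; the type-name table is from RFC 6143.

```python
import socket
import struct
import threading

# Security type identifiers from RFC 6143, section 7.1.2 (subset).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt",
}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() alone may return a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe_vnc_security(host, port=5900, timeout=5.0):
    """Do the RFB version handshake and return ((major, minor), [security types]).

    A returned list containing 1 ("None") means anyone can connect with no password.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)            # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        major, minor = int(banner[4:7]), int(banner[8:11])
        if (major, minor) > (3, 8):               # newest version this probe parses
            major, minor = 3, 8
        sock.sendall(f"RFB {major:03d}.{minor:03d}\n".encode())

        if (major, minor) >= (3, 7):
            # 3.7+: one count byte, then that many security-type bytes.
            count = _recv_exact(sock, 1)[0]
            if count == 0:
                # Zero types = server refused us; a length-prefixed reason follows.
                reason_len = struct.unpack(">I", _recv_exact(sock, 4))[0]
                reason = _recv_exact(sock, reason_len).decode(errors="replace")
                raise ConnectionError(f"server refused connection: {reason}")
            types = list(_recv_exact(sock, count))
        else:
            # 3.3: the server picks a single type, sent as a 32-bit big-endian int.
            types = [struct.unpack(">I", _recv_exact(sock, 4))[0]]
        return (major, minor), types


def is_unauthenticated(types):
    return 1 in types


def describe(types):
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]


# --- Constructed fake RFB 3.8 server for offline demonstration (not a real VNC daemon) ---
def fake_vnc_server(offered_types, refuse_reason=b"Too many authentication failures"):
    """Listen on 127.0.0.1; offer the given types (empty list = refuse). Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"RFB 003.008\n")
            _recv_exact(conn, 12)                 # client's version reply
            if offered_types:
                conn.sendall(bytes([len(offered_types)]) + bytes(offered_types))
            else:
                conn.sendall(b"\x00" + struct.pack(">I", len(refuse_reason)) + refuse_reason)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for offered in ([1], [2], [2, 19]):
        port = fake_vnc_server(offered)
        ver, types = probe_vnc_security("127.0.0.1", port)
        verdict = "UNAUTHENTICATED" if is_unauthenticated(types) else "auth required"
        print(f"RFB {ver[0]}.{ver[1]} on port {port} offers {describe(types)} -> {verdict}")
```

Against a real host, call `probe_vnc_security(ip)` instead of the fake server. Note that "auth required" only means a security type other than None was offered; type 2 is the DES-based VNC password, which is still unencrypted on the wire and brute-forceable, so only types such as TLS or VeNCrypt give you a protected session.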
In going through this list, I am finding a lot of refrigeration systems for restaurants, Linux servers, and Windows servers that are sitting at the login screen. There are some systems that I don't understand, but I think they are some kind of clock-in/clock-out systems. There are a few systems that are set up to view machinery such as a water treatment plant. Still others that I connected to are simply printers.
One server that had me really concerned was a Linux server for a company that sells coffee in Russia. I connected to it and was at a terminal logged in as root. I quickly contacted the Russian company letting them know that their server is easily hackable. I sent them the link showing that their information was posted online and a screenshot showing that I had connected to it. They thanked me and have since shut down their VNC connection. Now they only use SSH.
It hit me after connecting to 20 or so of these VNC connections: if I can VNC, I bet that these hosts have SSH, FTP, HTTP(S), Telnet, etc. also. If I hit a connection, I'd try HTTP, HTTPS, SSH, and Telnet. I was finding that I could access a LOT more than simply looking at what a user is doing on that server. By default, the SSH connections required a password. There is Hydra, which can help me get into this connection. One HTTPS connection had me concerned though. It showed a login screen. I put in Administrator and P@ssword just for the lolz. The page blinked, showing a bunch of tools before it went back to the login screen with a little note saying "Incorrect login, please try again." As the page blinked the second time, I hit the X to stop the page from loading further and was able to use all the tools on that page. I essentially had full access to their SQL database with NO login required.
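The "blink then bounce back to login" behaviour described above is what you get when the server renders the protected page for everyone and only afterwards tells the browser to redirect (a script or meta refresh appended to the page), so stopping the load, disabling JavaScript, or fetching with a non-browser client keeps the content. The following self-contained example, added here and not code from the original post or from the site it describes, serves both a handler with that flaw and a hardened handler that performs the session check before writing any content and answers with an empty 302. The session token, cookie name, and page text are constructed for the demo; the client deliberately does not follow redirects, which is equivalent to hitting the browser's X.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed single-user session store: one valid token generated at startup.
VALID_SESSION = secrets.token_hex(16)
SECRET_PAGE = "<h1>DB tools</h1><p>run query | export table | drop table</p>"


def _session_ok(handler):
    """True only if the request carries the exact valid session cookie."""
    cookie = handler.headers.get("Cookie", "")
    return f"session={VALID_SESSION}" in cookie.split("; ")


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):      # keep demo output quiet
        pass

    def do_GET(self):
        if self.path == "/vuln/admin":
            # VULNERABLE: the tools page is always rendered with HTTP 200; the
            # "login wall" is just a client-side redirect appended when the
            # session check fails. Any client that ignores the script sees it all.
            body = SECRET_PAGE
            if not _session_ok(self):
                body += '<script>location.replace("/login")</script>'
            self._send(200, body)
        elif self.path == "/fixed/admin":
            # HARDENED: decide before writing any content. An unauthenticated
            # request gets a 302 with no sensitive bytes in the body at all.
            if not _session_ok(self):
                self.send_response(302)
                self.send_header("Location", "/login")
                self.send_header("Cache-Control", "no-store")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            self._send(200, SECRET_PAGE)
        elif self.path == "/login":
            self._send(200, "<form>login form</form>")
        else:
            self._send(404, "not found")

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server():
    """Start the demo server on a free loopback port; returns the port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def fetch(port, path, session=None):
    """GET a path WITHOUT following redirects; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Cookie": f"session={session}"} if session else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def leaks_tools(port, path, session=None):
    """Does the response body contain the protected content?"""
    return "DB tools" in fetch(port, path, session)[1]


if __name__ == "__main__":
    port = start_server()
    for path in ("/vuln/admin", "/fixed/admin"):
        status, body = fetch(port, path)
        print(f"{path} (no session): HTTP {status}, tools in body: {'DB tools' in body}")
    status, _ = fetch(port, "/fixed/admin", session=VALID_SESSION)
    print(f"/fixed/admin (valid session): HTTP {status}")
```

The quick check for this class of bug from outside is the same as the client above: request the protected URL with `curl -i` (no cookies, no redirect following) and look at the status and body. A 200 whose body already contains the admin content means the redirect is cosmetic; a 302 (or 401/403) with an empty body means the check is enforced server-side.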
The thing that scares me about this is that this data has been public for almost two years. It makes me wonder how MANY people have hacked these IP addresses. If I knew how to manage a DAF system, I could set some factory into turmoil. If I were mean, I would have set up a user on that Linux box, given it ROOT permissions, and SSHed to my heart's content. To clear my tracks, I could have run a clear command and rerun the previous five commands, which were network monitoring commands, so that when the real admin logs in they will see the work they just ran.
I get it... Sometimes setting up security can be tough. Back in 2010 when I set up a home lab, I set it up with unencrypted RDP and VNC. At the time, I knew that you could set a password on VNC, but I didn't fully understand the settings and HOW to get it done. I didn't know that you could run RDP through an SSH tunnel. I did it just to learn, and there was NOTHING that anyone could have accessed if they had gotten into my system. Well, some pirated movies maybe, but no credit cards, no personal data. I set it up as a way to access a Cisco router while I was at work. If I had started to use it for more important stuff, like ensuring the security of a company's email or the ADFS system for my entire company, I'd have made sure security was taken seriously. I am amazed that there is no security on these boxes. It makes me want to set up a host server in another country, SSH to it, and run some serious password attacks on these systems. This way, if they track the attack, it will look like it's coming from another country. They will never find me.
Have fun hacking!