Because of the risk associated with running the Windows 2000 operating system and the potential for compromise, many organizations may prohibit its use within their network.

The following custom script may be used to identify systems running Windows 2000 within the local area network.


Steps for use:

  1. Log in to Pwn Pulse and select the Scripts button.
  2. Select Add a script, provide an indicative name (for example, Custom - Win2K Discovery), and select Bash.
  3. In the scripting window, type the following lines and click the Save button.

    #!/bin/bash
    rm -f windows
    nmap --script smb-os-discovery -p 445 --open -oN windows {{target_range}} | grep "OS: Windows 2000"
  4. Next, select Tasks from the main drop-down menu, then select Add a task.

  5. On the New Task page, provide an indicative name for the task (for example, Win2K Discovery), then select the newly created script from the Script drop-down menu.

  6. For the Add to parameter, choose whether to run the task on a single sensor selected from the drop-down menu or on a group of sensors.

  7. Next, specify the target subnet to be scanned, for example x.x.x.x/y.

  8. Next, select a Start Time and choose a Frequency for how often the task should be run (***).

  9. When finished, click the Save button.

When this task is run, it will scan the target network looking for systems with TCP port 445 open. Each system found is then queried over SMB to learn the operating system installed.

When the task is completed, the results of the task may be viewed by returning to the Tasks page, then selecting the Results button.

Provided below is an example of the results when systems running Windows 2000 are discovered.

STDOUT | OS: Windows 2000 (Windows 2000 LAN Manager)


STDERR __________________________________________________


To learn the IP address of the system(s) running Windows 2000, establish an SSH connection to the sensor and view the contents of the /opt/pwnie/insight-api/windows file.
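
The STDOUT line shows only the matching OS string, so the addresses have to be read out of the saved nmap file. The following is an added example, not part of the original script: a hypothetical helper, win2k_hosts, that pairs each "OS: Windows 2000" line with the host header above it. It assumes the file is in nmap's normal (-oN) format as written by the script above; the sample data is constructed.

```bash
#!/bin/bash
# Added example (not part of the original script).
# Print the address of every host whose smb-os-discovery result says Windows 2000.
win2k_hosts() {
    # $1: nmap normal-format (-oN) file; defaults to the file the page's script writes.
    awk '
        # A host block starts with this header. The address is the last field,
        # in parentheses when nmap also resolved a hostname.
        /^Nmap scan report for / {
            host = $NF
            gsub(/[()]/, "", host)
            next
        }
        # The OS line belongs to the most recent header; report each host once.
        /OS: Windows 2000/ && host != "" {
            print host
            host = ""
        }
    ' "${1:-/opt/pwnie/insight-api/windows}"
}

# Constructed sample in nmap -oN layout (documentation addresses, made-up names).
write_sample() {
    cat > "$1" <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows 2000 (Windows 2000 LAN Manager)
|_  Computer name: constructed-a

Nmap scan report for files.example (192.0.2.11)
Host script results:
| smb-os-discovery:
|_  OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)

Nmap scan report for legacy.example (192.0.2.12)
Host script results:
| smb-os-discovery:
|_  OS: Windows 2000 (Windows 2000 LAN Manager)
EOF
}

sample=$(mktemp)
write_sample "$sample"
win2k_hosts "$sample"    # prints 192.0.2.10 and 192.0.2.12
rm -f "$sample"
```

On the sensor, calling win2k_hosts with no argument reads /opt/pwnie/insight-api/windows.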

Note

If there were no Windows 2000 systems discovered, the STDOUT line will appear blank.


Optional

To create an alert that provides notification when a system running Windows 2000 is discovered, perform the following steps:

  1. Log in to Pwn Pulse and select the Alerts button.
  2. Click the blue Manage Rules button.
  3. Click the blue +Create New Rule button.
    For the Name field, type Windows 2000 Discovery.
    For the Target field, select the Other button, then select Task Result from the drop-down menu.
    For the Attribute field, select STDOUT from the drop-down menu.
    For the Condition field, select Attribute Contains from the drop-down menu.
    For the Value field, type Windows 2000.
    From the Select Severity Level drop-down menu, select High.
    Optionally enable the Email notification if desired.
  4. Lastly, click the Save button.

If a system running Windows 2000 is detected, an alert will be visible on the Alerts page and, if enabled, an email will be sent.