Because of the risk associated with running the Windows XP operating system and the potential for compromise, many organizations may prohibit its use within their network.

The following custom script may be used to to identify systems running Windows XP within the local area network


Steps for use:

  1. Login to Pwn Pulse, select the Scripts button.
  2. Select Add a script, provide an indicative name, for example Custom - WinXP Discovery and select Bash.
  3. In the scripting window, type the following two lines and click the Save button.

    #!/bin/bash
    rm -f winxp
    nmap --script smb-os-discovery -p 445 --open -oN winxp {{target_range}} | grep "OS: Windows XP"
  4. Next, select Tasks from the main drop-down menu, then select Add a task.

  5. On the New Task page, provide an indicative name for the task for example WinXP Discovery, select the newly created script from the Script drop-down menu.  

  6. For the Add to parameter, choose to run the task specific to a single sensor selected from the drop-down menu, or to a group of sensors.  

  7. Next, specify the target subnet to be scanned for example x.x.x.x/y.  

  8. Next, select a Start Time and choose a Frequency how often the task should be run (***).

  9. When finished, click the Save button.

When this task is run, it scans the target network looking for systems with TCP port 445 open.  If found, the target is queried using SMB to learn the operating system installed.

When the task is completed, the results of the task may be viewed by returning to the Tasks page, then selecting the Results button.

​​​​Provided below is an example of the results if there are systems discovered running Windows XP.

STDOUT | OS: Windows XP (Windows 2000 LAN Manager)


STDERR __________________________________________________


To learn the IP address of the system(s) running Windows XP, establish an SSH connection to the sensor and view the contents of the /opt/pwnie/insight-api/winxp file.

Note

If there were no Windows XP systems discovered, the STDOUT line will appear blank.

Optional

To create an alert to provide notification should a system running Windows XP is discovered, then perform the following steps:
  1. Login to Pwn Pulse, select the Alerts button.
  2. Click the blue Manage Rules button.
  3. Click the blue +Create New Rule button.
    For the Name field, type "Windows XP Discovery".
    For the Target field, select the Other button, then select Task Result from the drop-down menu.
    For the Attribute field, select STDOUT from the drop-down menu.
    For the Condition field, select Attribute Contains from the drop-down menu.
    For the Value field, type Windows XP.
    From the Select Severity Level drop-down menu, select High.
    Optionally enable the Email notification if desired.
  4. Lastly, click the Save button.

If a system running Windows XP is detected, an alert will be visible on the Alerts page and if enabled, an email will be sent.