
After seeing this question I am wondering what could actually happen if a Windows XP machine was connected to a local network via WIFI. Imagine the machine will be used to browse the internet, read and write documents, so think of the usual basic tasks. I know WinXP is not supported anymore, and if I'm not mistaken I think some software (like Chrome) can't even be updated on such OS because the latest versions are not supported, so I know the threat comes from outdated software, but what I don't know is how exactly this threat can harm the local network.

I suppose it could be considered to be the same as having an attacker inside the local network, so the WinXP machine if infected could intercept, read, or modify all the traffic on the network (if not encrypted with TLS). Then portscanning, trying to find vulnerabilities in other machines connected to the same network. Am I right? Anything else?

I also wonder if this threat can be mitigated, or if the only way to deal with this is really to make sure that such an outdated machine is never connected to the network.

reed

2 Answers


TL;DR - keep it off the web!

The longer version is that because it is no longer supported, it is highly vulnerable and easy to exploit with almost no effort. (To see how little effort, search XP on https://www.exploit-db.com/). Vulnerabilities are being found more or less ad infinitum because of the volume of XP's still used - but there are no new patches being written for those vulnerabilities. With newer OS's, patches are at least identifying weaknesses and actively trying to mitigate them.

If someone is on the same network as you, it is child's play with nmap and metasploit to take over an XP machine. Even with most of your ports closed, XP has lots of attack vectors. To an experienced hacker, it takes a few minutes. I have fully compromised an XP with domain admin privileges in less than 5 minutes, and I'm not a "master" white hat by any means.

If you are behind a NAT firewall or some other means of protection (other than XP's joke of a firewall) it would be "safer," but still highly dangerous and susceptible to incoming traffic, downloading something via Trojan, and other risk factors that newer OS's automatically mitigate with little or no input from the user. This is doubly true if you use something like bit-torrent or other risky applications.

Finally, once your computer is compromised, it's a safe assumption that anything on that specific subnet is also fully compromised, and anything on adjacent networks is at extremely high risk and is either already compromised or will be soon, depending on what kind of malware you downloaded. Once a computer is infected, it serves as a beach head, jump box, landing point, or whatever else you want to call it to attack other computers - but there is NO firewall or protection between them. Domains, by and large, trust other computers on that domain. If this is networked to Active Directory for instance, those credentials will likely work on any other computer in the domain - and if someone compromises your AD server, you are in a very, very, very bad position.

SomeGuy
  • My question was more about what happens to the local network once the XP machine is compromised. For example, you said "once your computer is compromised, it's a safe assumption that anything on that subnet is also fully compromised". Why, and how? That's what's not clear to me. – reed May 02 '18 at 21:53
  • Let's say you have XP 1 and Windows 7. XP1 becomes infected from a drive by download or infected torrent. There is nothing between XP 1 and Windows 7 to stop a computer from taking it over. All of the exterior stuff (firewalls, routers, IPS, etc) that usually blocks malware is gone. What's more; Windows 7 "knows" XP 1 and "trusts" it because it's on the local network (after all - it would not be on the local company's/home's network if it were dangerous, would it?) so any requests or TCP connections would more or less be automatically accepted (think: Samba, File explorer "sharing," etc.) – SomeGuy May 03 '18 at 16:40
  • Finally, malware and ransomware applications like WannaCry send out malware via any and all mapped drives - which, by default, is local. If you're connected to a shared Drive "S:/" or `\\management\shares\yourfolderhere` that drive is almost always infected as well. Malware is written to spread as far and wide as possible, and as long as you have a trust with others on your LAN (and windows networking is designed to use and maintain said trust) they either will be or are at extremely high risk of becoming infected. – SomeGuy May 03 '18 at 16:46
  • @reed - if this answers your question, can you please click "answered?" If not, I'm happy to clarify. – SomeGuy May 17 '18 at 16:54
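As an added example that is not from the thread or its authors, here is a small detector for the lateral behaviour SomeGuy describes (an infected box hunting for SMB shares on its neighbours), run over a constructed router log. It assumes the XP machine sits on an isolated VLAN 10.0.99.0/24 behind a router that logs traffic crossing that boundary in iptables LOG format, with the trusted LAN at 10.0.10.0/24; both networks, the log lines, the fan-out threshold and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample router log (iptables LOG style). Assumed layout, not from the thread:
# the XP box is 10.0.99.20 on an isolated VLAN 99; the trusted LAN is 10.0.10.0/24.
SAMPLE_LOG = """\
Jun  3 10:01:02 gw kernel: LEGACY-FWD IN=eth0.99 OUT=eth0.10 SRC=10.0.99.20 DST=10.0.10.5 PROTO=TCP SPT=49152 DPT=445
Jun  3 10:01:02 gw kernel: LEGACY-FWD IN=eth0.99 OUT=eth0.10 SRC=10.0.99.20 DST=10.0.10.6 PROTO=TCP SPT=49153 DPT=445
Jun  3 10:01:03 gw kernel: LEGACY-FWD IN=eth0.99 OUT=eth0.10 SRC=10.0.99.20 DST=10.0.10.7 PROTO=TCP SPT=49154 DPT=139
Jun  3 10:01:04 gw kernel: LEGACY-FWD IN=eth0.99 OUT=eth0.10 SRC=10.0.99.20 DST=10.0.10.8 PROTO=TCP SPT=49155 DPT=445
Jun  3 10:06:10 gw kernel: LEGACY-FWD IN=eth0.10 OUT=eth0.99 SRC=10.0.10.5 DST=10.0.99.20 PROTO=TCP SPT=50000 DPT=3389
"""
LEGACY_NET = ipaddress.ip_network("10.0.99.0/24")
TRUSTED_NET = ipaddress.ip_network("10.0.10.0/24")
SMB_PORTS = {"139", "445"}  # NetBIOS session and direct-hosted SMB: the ports share-spreading worms use
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
                     r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")

def parse(log_text):
    """One dict per matching line (others skipped); timestamps become datetimes for windowing."""
    events = [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
    return events

def legacy_to_lan_attempts(events):
    """Traffic from the legacy VLAN toward the trusted LAN. The VLAN policy drops it at the
    router, but a burst here means the XP box is trying to reach its neighbours."""
    return [e for e in events if ipaddress.ip_address(e["src"]) in LEGACY_NET
            and ipaddress.ip_address(e["dst"]) in TRUSTED_NET]

def smb_fanout_alerts(events, window_s=60, threshold=4):
    """Flag a source touching >= threshold distinct hosts on SMB ports within window_s: the
    share-hunting fan-out of a worm; one host talking to its usual file server never trips it."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dpt"] in SMB_PORTS:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()  # logs are normally chronological, but do not depend on it
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= threshold:
                alerts.append({"src": src, "first_seen": t0, "targets": sorted(targets)})
                break
    return alerts
```

With the sample log the XP host trips the fan-out rule (four LAN hosts on SMB ports within two seconds) while the single RDP connection from the trusted LAN does not.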

Protecting the XP machine while still connecting it to the internet may be hard, bordering on the impossible. But protecting other machines from it is not. You can use VLAN to separate it from the rest of your network (if your networking equipment supports it).

Peter Harmann
  • You can also just block everything at the host-based firewall. ufw or windows firewall makes this trivial and should be implemented anyways. – Monica Apologists Get Out May 02 '18 at 19:51
  • @Adonalsium that is easy at desktops and laptops, but what about mobile phones, smart appliances, printers, etc... – Peter Harmann May 02 '18 at 20:12
  • Putting risky equipment on your network and blocking it with a firewall is certainly not security best practice. Not to mention, either the firewall allows outbound access (and thus the ability to download malware) or it allows NO access, in which case there is no benefit to being on the network at all. I cannot think of a time when you would want to have LAN access ONLY and still follow security best practices. – SomeGuy May 07 '18 at 19:02