okay so this crashed apple rdp.
new plan - nmap all the hosts first to see which are actually open/alive, then see if that number is anywhere near reasonable.
out of ~16,000 ips scanned so far, there are 7 with ports open.
this means the vast majority of discovered endpoints are on DHCP and lost to churn.

To properly weaponize this, one would have to do an internet wide scan, and pump ips live into adp.

Not trivial.
also noisy.
Final numbers.
Shodan output: 81,000 and change
Machines up: 73k and change
Hosts with ports open: 7
Hosts vuln: I don't even care anymore.
Wait one - this may be inaccurate. Rerunning stuff.
okay, this is more like it.
Now I'm finding vnc that isn't apple and trying to filter out the non-apple endpoints.
this is going to take a while.
okay um.
so the first scan was inaccurate.
looks like 'nearly every endpoint is actually open'
and there's no cmdline tool to handle this at all.
so it'll be a grueling manual process in ard, by hand.
Okay, so I took a sample size of 8000 hosts (which turned into 7986 after import).
6365 are listed as "offline" despite the port being open.
.. but wait .. there's more.
LOOKIT ALL THE STUFF ARD LEAKS EVEN WITH NO CREDS!
ard version 3.9.5 and previous do not appear to be affected.
I get username, what app they're running, the os version ...

redteamers: if you see this on a gig LOOT THIS DATA.
This was the first quarter of the data, I'll try the next leg and see if the figures are close to the same.
Second batch of 8000:
7999 after import
6291 "offline" despite port being open
zero leaks like the previous batch.
WEIRD.
will keep going.
Third batch, basically the same as the last. nothing interesting at all. Same as fourth. Bupkis in those two. Working on last batch now.
Huh. Okay, so ARD is buggy. I tried to go back and re-load the first list to get a count of the "leaky" hosts, and it took several tries to get them to come to life again. So far that number is really low, and the high sierra hosts are... gone?