# 5800,5801,5900,5901 - Pentesting VNC

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

{% embed url="https://www.stmcyber.com/careers" %}

## Basic Information

**Virtual Network Computing (VNC)** is a powerful graphical desktop-sharing system that uses the **Remote Frame Buffer (RFB)** protocol to enable remote control of, and collaboration with, another computer. With VNC, users can interact seamlessly with a remote computer by transmitting keyboard and mouse events in both directions. This gives real-time access and supports efficient remote assistance or collaboration over a network.

VNC usually uses ports **5800 or 5801 or 5900 or 5901**.

```
PORT    STATE SERVICE
5900/tcp open  vnc
```

## Enumeration

```bash
# <PORT> and <IP> are placeholders for the target port and address
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
msf> use auxiliary/scanner/vnc/vnc_none_auth
```

### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#vnc)

## Connect to vnc using Kali

```bash
# <IP> is a placeholder for the server address
vncviewer [-passwd passwd.txt] <IP>::5901
```

## Decrypting VNC password

The default **password is stored** in: \~/.vnc/passwd

If you have the VNC password and it looks encrypted (a few bytes, as if it could be an encrypted password), it is probably encrypted with 3des. You can get the clear-text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd).

```bash
make
# <vnc password file> is a placeholder for the path to the stored password file
vncpwd <vnc password file>
```

You can do this because the password used inside 3des to encrypt the plain-text VNC passwords was reversed years ago.\
For **Windows** you can also use this tool: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\
I save the tool here also for ease of access:

{% file src="../.gitbook/assets/vncpwd.zip" %}

## Shodan

* `port:5900 RFB`
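
What the `vnc-info` and `vnc_none_auth` checks in the Enumeration section read off the wire, as an added example (not HackTricks code): a parser for the server's RFB ProtocolVersion and security-type messages as defined in RFC 6143, useful for auditing which of your own servers offer the "None" type. It assumes the client echoes the server's version; the function and sample names are made up for this example and the byte strings are constructed.

```python
import struct

# Security-type numbers from RFC 6143 and its registry (subset).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt"}

def _reason(buf: bytes) -> str:
    """Decode the length-prefixed failure reason a refusing server sends."""
    if len(buf) < 4:
        raise ValueError("truncated failure reason")
    (n,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + n].decode("latin-1")

def parse_rfb_server_hello(data: bytes) -> dict:
    """Parse the server's ProtocolVersion and security-type messages."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])  # ValueError if not digits
    body, types, reason = data[12:], [], None
    if (major, minor) >= (3, 7):
        # 3.7 and later: a count byte, then that many one-byte type codes.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        if body[0] == 0:  # server refuses the connection
            reason = _reason(body[1:])
        else:
            types = list(body[1:1 + body[0]])
    else:
        # 3.3: the server dictates one type as a big-endian 32-bit integer.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (chosen,) = struct.unpack(">I", body[:4])
        if chosen == 0:
            reason = _reason(body[4:])
        else:
            types = [chosen]
    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "no_auth": 1 in types,  # type 1 means no password is required
        "refused_reason": reason,
    }

# Constructed server-to-client byte strings, not captures from real hosts.
SAMPLE_OPEN = b"RFB 003.008\n" + bytes([2, 1, 2])
SAMPLE_AUTH = b"RFB 003.003\n" + struct.pack(">I", 2)
SAMPLE_REFUSED = b"RFB 003.008\n" + b"\x00" + struct.pack(">I", 8) + b"too many"

if __name__ == "__main__":
    for name, raw in [("open", SAMPLE_OPEN), ("auth", SAMPLE_AUTH), ("refused", SAMPLE_REFUSED)]:
        print(name, parse_rfb_server_hello(raw))
```

A server whose result has `no_auth` set should be reconfigured to require authentication or moved behind a tunnel.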