hacktricks/network-services-pentesting/pentesting-vnc.md
2024-02-10 17:52:19 +00:00


5800,5801,5900,5901 - Pentesting VNC


Basic Information

Virtual Network Computing (VNC) is a robust graphical desktop-sharing system that utilizes the Remote Frame Buffer (RFB) protocol to enable remote control and collaboration with another computer. With VNC, users can seamlessly interact with a remote computer by transmitting keyboard and mouse events bidirectionally. This allows for real-time access and facilitates efficient remote assistance or collaboration over a network.

VNC usually uses ports 5800, 5801, 5900 or 5901.

PORT    STATE SERVICE
5900/tcp open  vnc

Enumeration

Port Scanning

Nmap

Nmap is a powerful tool for port scanning. It allows you to discover open ports on a target system. Here are some useful Nmap commands:

  • Basic TCP scan: nmap -p- <target>
  • Service version detection: nmap -sV <target>
  • OS detection: nmap -O <target>
  • UDP scan: nmap -sU <target>

Masscan

Masscan is another fast and powerful port scanner. It is designed for high-speed scanning of large networks. Here is an example command:

  • Basic TCP scan: masscan -p1-65535 <target>

VNC (Virtual Network Computing)

VNC is a remote desktop protocol that allows you to control a remote system over the network. It uses the RFB (Remote Framebuffer) protocol to transmit screen updates and user input. VNC servers listen on TCP port 5900 by default.

VNC Enumeration

To enumerate VNC servers, you can use the following tools:

  • Nmap NSE scripts: vnc-info (reports the protocol version and the security types the server offers), realvnc-auth-bypass and vnc-title (see the command below).
  • Metasploit: the auxiliary/scanner/vnc/vnc_none_auth module, which finds servers that accept connections without any authentication.

VNC Password Cracking

If you have obtained a stored VNC password file, note that it is reversibly encrypted rather than hashed: you can try tools like vncrack, or decrypt it directly with vncpwd (see Decrypting VNC password below).

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
msf> use auxiliary/scanner/vnc/vnc_none_auth
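The vnc-info script and the vnc_none_auth module both work by reading the RFB greeting the server sends before any authentication happens: a 12-byte version banner, then the list of security types it offers. The following parser is an added example (not code from HackTricks, Nmap or Metasploit) that decodes that greeting offline and flags servers offering security type 1 ("None"), which is what you want to spot when auditing your own exposed VNC services. The sample messages are constructed, not captured from any real host, and the security-type names come from the RFB specification (RFC 6143) and the community registry.

```python
import struct

# Security type numbers from RFC 6143 and the RFB community registry.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}

# Constructed sample server greetings (not captured from a real host).
SAMPLE_38_NONE = b"RFB 003.008\n" + b"\x02\x01\x02"          # offers None and VNC auth
SAMPLE_38_VNC = b"RFB 003.008\n" + b"\x01\x02"               # VNC auth only
SAMPLE_33_NONE = b"RFB 003.003\n" + struct.pack(">I", 1)    # 3.3 sends a single U32 type
SAMPLE_38_REFUSED = (b"RFB 003.008\n" + b"\x00"
                     + struct.pack(">I", 13) + b"Too many auth")  # count 0 = refused + reason


def parse_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def client_version_reply(server_version, max_supported=(3, 8)) -> bytes:
    """Build the client's ProtocolVersion reply: the lower of the two versions."""
    return b"RFB %03d.%03d\n" % min(server_version, max_supported)


def parse_security(data: bytes):
    """Return (version, [security types], refusal reason) from the server greeting.

    RFB 3.3: one U32 security type (0 = failure, followed by U32 length + reason).
    RFB 3.7+: U8 count followed by that many U8 types; count 0 means the server
    refused the connection and is followed by U32 length + reason string.
    """
    version = parse_version(data[:12])
    body = data[12:]
    if version < (3, 7):
        (sec,) = struct.unpack(">I", body[:4])
        if sec == 0:
            (rlen,) = struct.unpack(">I", body[4:8])
            return version, [], body[8:8 + rlen].decode("latin-1")
        return version, [sec], None
    count = body[0]
    if count == 0:
        (rlen,) = struct.unpack(">I", body[1:5])
        return version, [], body[5:5 + rlen].decode("latin-1")
    return version, list(body[1:1 + count]), None


def audit(data: bytes) -> dict:
    """Summarize a greeting: version, named security types, and whether 'None' is offered."""
    version, types, reason = parse_security(data)
    return {
        "version": "%d.%d" % version,
        "security_types": [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types],
        "none_auth": 1 in types,  # the finding vnc_none_auth reports
        "refused_reason": reason,
    }


if __name__ == "__main__":
    for name, msg in [("3.8 none+vnc", SAMPLE_38_NONE), ("3.8 vnc", SAMPLE_38_VNC),
                      ("3.3 none", SAMPLE_33_NONE), ("3.8 refused", SAMPLE_38_REFUSED)]:
        print(name, audit(msg))
```

To use it against a live service you control, connect with a socket, pass the first 12 bytes received to client_version_reply and send the result back, then feed the banner plus the bytes that follow to audit. A result with none_auth set to True is the same condition the Metasploit module flags and should be treated as an unauthenticated remote desktop.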

Brute force

Connect to VNC with Kali

VNC authentication can be brute forced from Kali; once you have a valid password (or a password file), connect to the server with vncviewer:

vncviewer [-passwd passwd.txt] <IP>::5901

Decrypting VNC password

Default password is stored in: ~/.vnc/passwd

If you have the VNC password and it looks encrypted (a few bytes, as if it could be an encrypted password), it is probably ciphered with 3des. You can get the clear-text password using https://github.com/jeroennijhof/vncpwd

make
vncpwd <vnc password file>

You can do this because the key used by 3des to encrypt the plain-text VNC passwords was reversed years ago.
For Windows you can also use this tool: https://www.raymond.cc/blog/download/did/232/
The tool is also saved here for ease of access:

{% file src="../.gitbook/assets/vncpwd.zip" %}

Shodan

  • port:5900 RFB