5800,5801,5900,5901 - Pentesting VNC

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Virtual Network Computing (VNC) is a robust graphical desktop-sharing system that utilizes the Remote Frame Buffer (RFB) protocol to enable remote control and collaboration with another computer. With VNC, users can seamlessly interact with a remote computer by transmitting keyboard and mouse events bidirectionally. This allows for real-time access and facilitates efficient remote assistance or collaboration over a network.

VNC usually uses ports 5800 or 5801 or 5900 or 5901.

PORT    STATE SERVICE
5900/tcp open  vnc

Enumeration

nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
msf> use auxiliary/scanner/vnc/vnc_none_auth

Brute force

Connect to vnc using Kali

vncviewer [-passwd passwd.txt] <IP>::5901

Decrypting VNC password

Default password is stored in: ~/.vnc/passwd

If you have the VNC password and it looks encrypted (a few bytes, like if it could be an encrypted password), it is probably ciphered with 3des. You can get the clear text password using https://github.com/jeroennijhof/vncpwd

make
vncpwd <vnc password file>

You can do this because the password used inside 3des to encrypt the plain-text VNC passwords was reversed years ago.
For Windows you can also use this tool: https://www.raymond.cc/blog/download/did/232/
I save the tool here also for ease of access:

{% file src="../.gitbook/assets/vncpwd.zip" %}

Shodan

port:5900 RFB