mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 04:23:33 +00:00
81 lines
3.9 KiB
Markdown
81 lines
3.9 KiB
Markdown
# 5800,5801,5900,5901 - Pentesting VNC
|
|
|
|
<details>
|
|
|
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
|
|
|
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
|
|
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
|
|
</details>
|
|
|
|
## Basic Information
|
|
|
|
In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.\
|
|
From [wikipedia](https://en.wikipedia.org/wiki/Virtual\_Network\_Computing).
|
|
|
|
VNC usually uses ports **5800 or 5801 or 5900 or 5901.**
|
|
|
|
```
|
|
PORT STATE SERVICE
|
|
5900/tcp open vnc
|
|
```
|
|
|
|
## Enumeration
|
|
|
|
```bash
|
|
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
|
|
msf> use auxiliary/scanner/vnc/vnc_none_auth
|
|
```
|
|
|
|
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#vnc)
|
|
|
|
## Connect to vnc using Kali
|
|
|
|
```bash
|
|
vncviewer [-passwd passwd.txt] <IP>::5901
|
|
```
|
|
|
|
## Decrypting VNC password
|
|
|
|
Default **password is stored** in: \~/.vnc/passwd
|
|
|
|
If you have the VNC password and it looks encrypted (a few bytes, like if it could be and encrypted password). It is probably ciphered with 3des. You can get the clear text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd)
|
|
|
|
```bash
|
|
make
|
|
vncpwd <vnc password file>
|
|
```
|
|
|
|
You can do this because the password used inside 3des to encrypt the plain-text VNC passwords was reversed years ago.\
|
|
For **Windows** you can also use this tool: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\
|
|
I save the tool here also for ease of access:
|
|
|
|
{% file src="../.gitbook/assets/vncpwd.zip" %}
|
|
|
|
## Shodan
|
|
|
|
* `port:5900 RFB`
|
|
|
|
<details>
|
|
|
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
|
|
|
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
|
|
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
|
|
</details>
|