-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
464 additions
and
326 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This module will test a VNC server on a range of machines and | ||
| report successful logins. Currently it supports RFB protocol | ||
| version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response | ||
| authentication method. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Do: `use auxiliary/scanner/vnc/vnc_login` | ||
| 2. Do: `set RHOSTS [IP]` | ||
| 3. Do: `set password [password]` | ||
| 4. Do: `run` | ||
|
|
||
| ## Options | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### TigerVNC 1.7.0+dfsg-8ubuntu2 on Ubuntu 18.04 | ||
|
|
||
| ``` | ||
| msf6 > use auxiliary/scanner/vnc/vnc_login | ||
| msf6 auxiliary(scanner/vnc/vnc_login) > set rhosts 111.111.1.222 | ||
| rhosts => 111.111.1.222 | ||
| msf6 auxiliary(scanner/vnc/vnc_login) > set rport 5901 | ||
| rport => 5901 | ||
| msf6 auxiliary(scanner/vnc/vnc_login) > set password 111122223333 | ||
| password => 111122223333 | ||
| msf6 auxiliary(scanner/vnc/vnc_login) > run | ||
| [*] 111.111.1.222:5901 - 111.111.1.222:5901 - Starting VNC login sweep | ||
| [+] 111.111.1.222:5901 - 111.111.1.222:5901 - Login Successful: :111122223333 | ||
| [-] 111.111.1.222:5901 - 111.111.1.222:5901 - LOGIN FAILED: :password (Incorrect: Authentication failed: Authentication failed) | ||
| [*] 111.111.1.222:5901 - Scanned 1 of 1 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf6 auxiliary(scanner/vnc/vnc_login) > | ||
| ``` | ||
|
|
||
| #### Credentials | ||
|
|
||
| ``` | ||
| msf6 auxiliary(scanner/vnc/vnc_login) > creds | ||
| Credentials | ||
| =========== | ||
| host origin service public private realm private_type JtR Format | ||
| ---- ------ ------- ------ ------- ----- ------------ ---------- | ||
| 111.111.1.222 111.111.1.222 5901/tcp (vnc) 111122223333 Password | ||
| ``` |
62 changes: 62 additions & 0 deletions
62
documentation/modules/auxiliary/scanner/vnc/vnc_none_auth.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| Detect VNC servers that support the "None" authentication method. | ||
|
|
||
| ### Install | ||
|
|
||
| TigerVNC is one of the VNC servers which still accepts None authentication type. | ||
|
|
||
| #### Windows | ||
|
|
||
| Follow https://github.com/TigerVNC/tigervnc/wiki/Setup-TigerVNC-server-(Windows) to download | ||
| the server, and install with the default. Next start `Configure VNC Service`. | ||
|
|
||
| Set "Session encryption" to `None` and "Authentication" to `None`. Apply and restart the service. | ||
|
|
||
| #### Linux | ||
|
|
||
| tigervncserver is available on Ubuntu 18.04 and possibly newer versions. To start the server | ||
| in a vulnerable way, run the following command: | ||
| `tigervncserver -SecurityTypes None -localhost no --I-KNOW-THIS-IS-INSECURE` | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Do: `use auxiliary/scanner/vnc/vnc_none_auth` | ||
| 2. Do: `set RHOSTS [IP]` | ||
| 3. Do: `run` | ||
|
|
||
| ## Options | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### TigerVNC 1.12.80 on Windows | ||
|
|
||
| ``` | ||
| msf6 > use auxiliary/scanner/vnc/vnc_none_auth | ||
| msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhosts 111.111.1.11 | ||
| rhosts => 111.111.1.11 | ||
| msf6 auxiliary(scanner/vnc/vnc_none_auth) > run | ||
| [*] 111.111.1.11:5900 - 111.111.1.11:5900 - VNC server protocol version: [3, 4].8 | ||
| [*] 111.111.1.11:5900 - 111.111.1.11:5900 - VNC server security types supported: VeNCrypt,None | ||
| [+] 111.111.1.11:5900 - 111.111.1.11:5900 - VNC server security types includes None, free access! | ||
| [*] 111.111.1.11:5900 - Scanned 1 of 1 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| ``` | ||
|
|
||
| ### TigerVNC 1.7.0+dfsg-8ubuntu2 on Ubuntu 18.04 | ||
|
|
||
| ``` | ||
| msf6 > use auxiliary/scanner/vnc/vnc_none_auth | ||
| msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhosts 111.111.1.222 | ||
| rhosts => 111.111.1.222 | ||
| msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rport 5901 | ||
| rport => 5901 | ||
| msf6 auxiliary(scanner/vnc/vnc_none_auth) > run | ||
| [*] 111.111.1.222:5901 - 111.111.1.222:5901 - VNC server protocol version: [3, 4].8 | ||
| [*] 111.111.1.222:5901 - 111.111.1.222:5901 - VNC server security types supported: None | ||
| [+] 111.111.1.222:5901 - 111.111.1.222:5901 - VNC server security types includes None, free access! | ||
| [*] 111.111.1.222:5901 - Scanned 1 of 1 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| ``` |
Oops, something went wrong.