rapid7 · gwillcox-r7 · Mar 22, 2022 · Feb 21, 2022 · Mar 21, 2022 · Mar 22, 2022
diff --git a/documentation/modules/auxiliary/scanner/vnc/ard_root_pw.md b/documentation/modules/auxiliary/scanner/vnc/ard_root_pw.md
@@ -1,12 +1,14 @@
-## Description
+## Vulnerable Application
 
 This module remotely exploits the remote CVE-2017-13872 (iamroot) vulnerability over Apple Remote Desktop protocol (ARD). It assumes that "System Preferences > Sharing > Screen Sharing" is enabled.
 
 ## Verification Steps
 
 1. Do: `use auxiliary/scanner/vnc/ard_root_pw`
 2. Do: `set RHOSTS [IP]`
-4. Do: `run`
+3. Do: `run`
+
+## Options
 
 ## Scenarios
 

diff --git a/documentation/modules/auxiliary/scanner/vnc/vnc_login.md b/documentation/modules/auxiliary/scanner/vnc/vnc_login.md
@@ -0,0 +1,49 @@
+## Vulnerable Application
+
+This module will test a VNC server on a range of machines and
+report successful logins. Currently it supports RFB protocol
+version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response
+authentication method.
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/vnc/vnc_login`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set password [password]`
+4. Do: `run`
+
+## Options
+
+## Scenarios
+
+### TigerVNC 1.7.0+dfsg-8ubuntu2 on Ubuntu 18.04
+
+```
+msf6 > use auxiliary/scanner/vnc/vnc_login
+msf6 auxiliary(scanner/vnc/vnc_login) > set rhosts 111.111.1.222
+rhosts => 111.111.1.222
+msf6 auxiliary(scanner/vnc/vnc_login) > set rport 5901
+rport => 5901
+msf6 auxiliary(scanner/vnc/vnc_login) > set password 111122223333
+password => 111122223333
+msf6 auxiliary(scanner/vnc/vnc_login) > run
+
+[*] 111.111.1.222:5901    - 111.111.1.222:5901 - Starting VNC login sweep
+[+] 111.111.1.222:5901    - 111.111.1.222:5901 - Login Successful: :111122223333
+[-] 111.111.1.222:5901    - 111.111.1.222:5901 - LOGIN FAILED: :password (Incorrect: Authentication failed: Authentication failed)
+[*] 111.111.1.222:5901    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/vnc/vnc_login) > 
+```
+
+#### Credentials
+
+```
+msf6 auxiliary(scanner/vnc/vnc_login) > creds
+Credentials
+===========
+
+host           origin         service         public  private       realm  private_type  JtR Format
+----           ------         -------         ------  -------       -----  ------------  ----------
+111.111.1.222  111.111.1.222  5901/tcp (vnc)          111122223333         Password      
+```
diff --git a/documentation/modules/auxiliary/scanner/vnc/vnc_none_auth.md b/documentation/modules/auxiliary/scanner/vnc/vnc_none_auth.md
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Detect VNC servers that support the "None" authentication method.
+
+### Install
+
+TigerVNC is one of the VNC servers which still accepts None authentication type.
+
+#### Windows
+
+Follow https://github.com/TigerVNC/tigervnc/wiki/Setup-TigerVNC-server-(Windows) to download
+the server, and install with the default.  Next start `Configure VNC Service`.
+
+Set "Session encryption" to `None` and "Authentication" to `None`. Apply and restart the service.
+
+#### Linux
+
+tigervncserver is available on Ubuntu 18.04 and possibly newer versions. To start the server
+in a vulnerable way, run the following command:
+`tigervncserver -SecurityTypes None -localhost no --I-KNOW-THIS-IS-INSECURE`
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/vnc/vnc_none_auth`
+2. Do: `set RHOSTS [IP]`
+3. Do: `run`
+
+## Options
+
+## Scenarios
+
+### TigerVNC 1.12.80 on Windows
+
+```
+msf6 > use auxiliary/scanner/vnc/vnc_none_auth
+msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhosts 111.111.1.11
+rhosts => 111.111.1.11
+msf6 auxiliary(scanner/vnc/vnc_none_auth) > run
+
+[*] 111.111.1.11:5900     - 111.111.1.11:5900 - VNC server protocol version: [3, 4].8
+[*] 111.111.1.11:5900     - 111.111.1.11:5900 - VNC server security types supported: VeNCrypt,None
+[+] 111.111.1.11:5900     - 111.111.1.11:5900 - VNC server security types includes None, free access!
+[*] 111.111.1.11:5900     - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### TigerVNC 1.7.0+dfsg-8ubuntu2 on Ubuntu 18.04
+
+```
+msf6 > use auxiliary/scanner/vnc/vnc_none_auth
+msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rhosts 111.111.1.222
+rhosts => 111.111.1.222
+msf6 auxiliary(scanner/vnc/vnc_none_auth) > set rport 5901
+rport => 5901
+msf6 auxiliary(scanner/vnc/vnc_none_auth) > run
+
+[*] 111.111.1.222:5901    - 111.111.1.222:5901 - VNC server protocol version: [3, 4].8
+[*] 111.111.1.222:5901    - 111.111.1.222:5901 - VNC server security types supported: None
+[+] 111.111.1.222:5901    - 111.111.1.222:5901 - VNC server security types includes None, free access!
+[*] 111.111.1.222:5901    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```