Nmap Development mailing list archives
Re: [NSE] new scripts and libraries: vnc
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 14 Aug 2010 19:16:28 +0200
On 14 aug 2010, at 17.46, Henri Salo wrote:
> On Sat, 14 Aug 2010 17:13:42 +0200
> Patrik Karlsson <patrik () cqure net> wrote:
>
> > On 12 aug 2010, at 06.24, David Fifield wrote:
> >
> > > On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
> > > > o VNC
> > > >   - A smallish library that supports listing supported security types
> > > >     and authentication using the "VNC Authentication" security type
> > > >     (vnc.lua)
> > > >   - The following script make use of it:
> > > >     x vnc-brute - performs password guessing against VNC based servers
> > > >     x vnc-info - lists the supported security types for each VNC server
> > >
> > > These look good to me. Here are my results. This is TightVNC on Windows.
> > >
> > > $ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.190 -p 5900
> > >
> > > Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 15:25 MDT
> > > Nmap scan report for 192.168.0.190
> > > Host is up (0.00033s latency).
> > > PORT     STATE SERVICE
> > > 5900/tcp open  vnc
> > > | vnc-info:
> > > |   Protocol version: 3.8
> > > |   Security types:
> > > |     VNC Authentication
> > > |_    Tight
> > > | vnc-brute:
> > > |   Accounts
> > > |     No valid accounts found
> > > |   Statistics
> > > |     Perfomed 10 guesses in 1 seconds, average tps: 10
> > > |
> > > |_  ERROR: Too many retries, aborted ...
> > >
> > > This is screen sharing on Mac OS X.
> > >
> > > $ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.190 -p 5900 -Pn
> > >
> > > Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 15:41 MDT
> > > Nmap scan report for 192.168.0.190
> > > Host is up (0.00058s latency).
> > > PORT     STATE SERVICE
> > > 5900/tcp open  vnc
> > > | vnc-info:
> > > |   Protocol version: 3.889
> > > |   Security types:
> > > |     Mac OS X security type (30)
> > > |     VNC Authentication
> > > |_    Mac OS X security type (35)
> > > | vnc-brute:
> > > |   Accounts
> > > |     No valid accounts found
> > > |   Statistics
> > > |_    Perfomed 5010 guesses in 11 seconds, average tps: 455
> > >
> > > This is against the remote desktop in GNOME 2.22.3, with no password set.
> > >
> > > $ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.2 -p 5900 -Pn -d
> > >
> > > Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 22:05 MDT
> > > Nmap scan report for 192.168.0.2
> > > Host is up, received user-set (0.00052s latency).
> > > Scanned at 2010-08-11 22:05:49 MDT for 49s
> > > PORT     STATE SERVICE REASON
> > > 5900/tcp open  vnc     syn-ack
> > > | vnc-info:
> > > |_  ERROR: ERROR: VNC:handshake failed to recevive protocol version
> > > | vnc-brute:
> > > |   Accounts
> > > |     No valid accounts found
> > > |   Statistics
> > > |     Perfomed 10 guesses in 37 seconds, average tps: 0
> > > |
> > > |_  ERROR: Too many retries, aborted ...
> > >
> > > I couldn't get any output against GNOME unless I used the -d option. If I
> > > run vnc-info by itself, I get
> >
> > My bad, this has now been addressed.
> >
> > > 5900/tcp open  vnc
> > > | vnc-info:
> > > |   Protocol version: 3.7
> > > |   Security types:
> > > |     TLS
> > > |     None
> > > |_  WARNING: Server does not require authentication
> > >
> > > Running vnc-brute by itself has no change. Setting a password doesn't help
> > > either. I attached packet captures of running each script individually and
> > > together.
> >
> > I added a check to avoid performing password guessing if the server does not
> > require authentication :)
> >
> > > I think the library and scripts look good enough to do further debugging
> > > under revision control. Please commit them.
> >
> > It's committed as r19751.
> >
> > > David Fifield
> >
> > //Patrik
> >
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://www.twitter.com/nevdull77
>
> Do some of the VNC servers block password guessing / brute force attacks, and
> if so how do they reply to the blocked query?
I just committed a change in r19752 which modifies a single line in the brute
library. It now reports back the error set by the driver in case it signals the
engine to abort. For a scan that gets blocked against TightVNC it now looks
like this.

PORT     STATE SERVICE REASON
5901/tcp open  vnc-1   syn-ack
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication
|_    Tight
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Perfomed 7 guesses in 4 seconds, average tps: 1
|
|_  ERROR: Too many authentication failures
Final times for host: srtt: 1043 rttvar: 3011 to: 100000
> Best regards,
> Henri Salo
//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
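The exchange that vnc-info and vnc-brute drive, as an added example in Go (not the vnc.lua library or any Nmap code; Go is used here because its standard library has DES and the example runs without Nmap): the client side of an RFB 3.8 handshake that reads the version banner and the security-type list vnc-info reports, answers a "VNC Authentication" challenge (DES-ECB over the 16-byte challenge, keyed with the password truncated or zero-padded to 8 bytes and the bits of each byte mirrored), and keeps the reason string a 3.8 server attaches to a failed SecurityResult, which is exactly the kind of message a brute-force driver should surface and abort on. Assumptions: the client always answers as version 3.8, the LockoutTranscript bytes are constructed rather than captured from TightVNC, and the lockout text is modelled as that SecurityResult reason (the thread shows only what vnc-brute printed, not the packets). The Mac OS X types 30 and 35 seen above are not handled.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"fmt"
	"io"
	"math/bits"
)

const SecNone, SecVNCAuth, SecTight byte = 1, 2, 16 // RFB security type numbers

// Result is what one client-side handshake learned about the server.
type Result struct {
	Version  string // raw "xxx.yyy" from the banner; vnc-info prints it without the zeros
	SecTypes []byte
	Chosen   byte
	Authed   bool
	Reason   string // text after a failed SecurityResult (RFB 3.8), e.g. a lockout notice
}

// client carries a sticky read error so the handshake below reads as a straight line.
type client struct {
	rw  io.ReadWriter
	err error
}

func (c *client) read(n int) []byte {
	b := make([]byte, n)
	if c.err == nil {
		_, c.err = io.ReadFull(c.rw, b)
	}
	return b
}

// VNCAuthKey: password truncated or zero-padded to 8 bytes, bit order of each byte mirrored.
func VNCAuthKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password)
	for i := range key {
		key[i] = bits.Reverse8(key[i])
	}
	return key
}

// VNCAuthResponse encrypts the 16-byte challenge as two DES-ECB blocks under that key.
func VNCAuthResponse(password string, challenge []byte) []byte {
	block, _ := des.NewCipher(VNCAuthKey(password)) // key is always 8 bytes
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:16])
	return resp
}

// Handshake drives the client side over rw as version 3.8 (assumed), preferring VNC
// Authentication and falling back to None; a server-supplied failure reason is kept.
func Handshake(rw io.ReadWriter, password string) (*Result, error) {
	c, res := &client{rw: rw}, &Result{}
	b := c.read(12) // "RFB xxx.yyy\n"
	if c.err != nil || string(b[:4]) != "RFB " || b[7] != '.' || b[11] != '\n' {
		return nil, fmt.Errorf("handshake failed to receive protocol version: %q %v", b, c.err)
	}
	res.Version = string(b[4:11])
	rw.Write([]byte("RFB 003.008\n")) // write errors surface on the next read
	res.SecTypes = c.read(int(c.read(1)[0]))
	switch {
	case c.err != nil:
		return nil, c.err
	case bytes.IndexByte(res.SecTypes, SecVNCAuth) >= 0:
		res.Chosen = SecVNCAuth
	case bytes.IndexByte(res.SecTypes, SecNone) >= 0:
		res.Chosen = SecNone // nothing to guess: the server requires no password
	default:
		return res, fmt.Errorf("no supported security type in %v", res.SecTypes)
	}
	rw.Write([]byte{res.Chosen})
	if res.Chosen == SecVNCAuth {
		rw.Write(VNCAuthResponse(password, c.read(16)))
	}
	// RFB 3.8 follows a failed SecurityResult with a reason; a lockout lands here.
	if res.Authed = binary.BigEndian.Uint32(c.read(4)) == 0; !res.Authed {
		if n := binary.BigEndian.Uint32(c.read(4)); n <= 4096 {
			res.Reason = string(c.read(int(n)))
		}
	}
	return res, c.err
}

// LockoutTranscript is a constructed (not captured) TightVNC-style server side: banner,
// types {VNC Authentication, Tight}, a challenge, then SecurityResult=1 plus the reason.
func LockoutTranscript() []byte {
	reason := "Too many authentication failures"
	t := append([]byte("RFB 003.008\n"), 2, SecVNCAuth, SecTight)
	t = append(t, bytes.Repeat([]byte{0xA5}, 16)...)
	t = append(t, 0, 0, 0, 1, 0, 0, 0, byte(len(reason))) // two big-endian U32 fields
	return append(t, reason...)
}

func main() {
	srv := struct{ io.Reader; io.Writer }{bytes.NewReader(LockoutTranscript()), io.Discard}
	fmt.Println(Handshake(srv, "secret"))
}
```

Run it with `go run`; against the constructed lockout transcript the result carries Authed=false and Reason="Too many authentication failures", which is the condition under which a driver should tell the brute engine to stop rather than count the attempt as an ordinary wrong password. To talk to a real server, replace the replayed ReadWriter with a net.Conn to port 5900.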
Current thread:
- Re: [NSE] new scripts and libraries: brute library, (continued)
- Re: [NSE] new scripts and libraries: brute library Ron (Aug 11)
- Re: [NSE] new scripts and libraries: brute library Patrik Karlsson (Aug 14)
- Re: [NSE] new scripts and libraries: brute library David Fifield (Aug 18)
- Re: [NSE] new scripts and libraries: brute library Patrik Karlsson (Aug 19)
- Re: [NSE] new scripts and libraries: brute library David Fifield (Aug 20)
- Re: [NSE] new scripts and libraries: brute library Patrik Karlsson (Aug 20)
- Re: [NSE] new scripts and libraries: brute library David Fifield (Aug 21)
- Re: [NSE] new scripts and libraries: vnc Patrik Karlsson (Aug 14)
- Re: [NSE] new scripts and libraries: vnc Henri Salo (Aug 14)
- Re: [NSE] new scripts and libraries: vnc Patrik Karlsson (Aug 14)
- Re: [NSE] new scripts and libraries: http Patrik Karlsson (Aug 19)
- Re: [NSE] new scripts and libraries: http David Fifield (Sep 06)
- Message not available
- Re: [NSE] new scripts and libraries: http DePriest, Jason R. (Sep 06)
- Re: [NSE] new scripts and libraries: http David Fifield (Sep 06)
- Re: [NSE] new scripts and libraries: svn Patrik Karlsson (Aug 18)
- Re: [NSE] new scripts and libraries: svn David Fifield (Aug 18)
- Re: [NSE] new scripts and libraries: svn Patrik Karlsson (Aug 18)
- Re: [NSE] new scripts and libraries: svn Patrick Donnelly (Aug 19)