Metasploit mailing list archives
vnc reverse question
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 17 Sep 2004 12:16:52 -0500
On Fri, Sep 17, 2004 at 11:46:24AM -0500, Neil wrote:
> I have a question regarding the win32_reverse_vncinject. I am just a little confused with the filename, specifically on the word "reverse". We know for a fact that a vncserver listens on port 5900. My question is: when using this kind of payload, does the target have to have a running vnc server?
No, the target server does not have to be running VNC, nor does it matter if the host is already running VNC. Reverse refers to how the second stage payload (the thing that loads the VNC DLL into memory) will be obtained, whether by connecting back to the attacker on a given port, or by having the attacker connect to the target on a given port. After the VNC DLL has been read in and loaded, the VNC DLL will re-use the connection that was created between msf and the target machine for the actual VNC protocol. As such, no ports need to be bound on the target machine for VNC to accept incoming connections because the VNC session is simply tunneled through the existing connection.

Remember that the VNC "server" that is injected into the target process is a stripped down version of VNC -- it requires no installation and does nothing intrusive to the actual machine itself (such as modifying the registry). It was modified specifically for use with the library injection system in metasploit.

Matt
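The data flow Matt describes (connect back, receive the second stage, then keep using that same socket for the VNC protocol) is what a defender should expect to see on the wire: one outbound connection from the compromised process and no new listening port. The following simulation is an added example written for this archive page; it is not Metasploit's code and does not load anything. The 4-byte length prefix used to frame the stage is an assumption of the model, the stage itself is a constructed placeholder byte string, and the only real protocol detail used is the RFB version banner that a VNC server sends first on a connection.

```python
import socket
import struct
import threading

# Constructed stand-in for the "second stage". In the real payload this would be
# the VNC DLL; here it is just labelled bytes so the framing can be shown.
FAKE_STAGE = b"<constructed stand-in for the VNC DLL, not real code>"
# The RFB protocol version banner a VNC server sends as its first bytes.
RFB_VERSION = b"RFB 003.003\n"


def recv_exact(sock, n):
    """Read exactly n bytes from sock, raising if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during read")
        buf += chunk
    return buf


def handler_side(listener, stage):
    """Handler (msf) side of the model: accept the connect-back, push the stage
    with a hypothetical 4-byte little-endian length prefix (an assumption of
    this model), then act as the VNC client on the very same socket."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)
        # The server banner arrives over the connection that delivered the stage.
        banner = recv_exact(conn, len(RFB_VERSION))
        conn.sendall(RFB_VERSION)  # client answers with the version it will speak
        return banner


def target_side(handler_addr):
    """Target side of the model: connect back, receive the stage, then keep
    using the existing socket for RFB. No listening socket is ever created,
    which is why watching for a listener on 5900 finds nothing."""
    with socket.create_connection(handler_addr) as sock:
        (size,) = struct.unpack("<I", recv_exact(sock, 4))
        stage = recv_exact(sock, size)
        # "Stage loaded": the simulated VNC server now talks over the same socket.
        sock.sendall(RFB_VERSION)
        client_version = recv_exact(sock, len(RFB_VERSION))
        return {
            "stage": stage,
            "client_version": client_version,
            "local_port": sock.getsockname()[1],  # ephemeral client port, not 5900
        }


def run_simulation():
    """Run both sides over loopback and return what each side observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # handler listens on any free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}

    def target():
        result.update(target_side(("127.0.0.1", port)))

    t = threading.Thread(target=target)
    t.start()
    banner = handler_side(listener, FAKE_STAGE)
    t.join()
    listener.close()
    result["handler_saw_banner"] = banner
    return result


if __name__ == "__main__":
    r = run_simulation()
    print("stage delivered:", r["stage"] == FAKE_STAGE)
    print("RFB banner received on the same connection:", r["handler_saw_banner"] == RFB_VERSION)
    print("target side used ephemeral port", r["local_port"], "and bound no listener")
```

The practical consequence for monitoring follows directly from the model: the artefact to hunt for is an established outbound connection from a process that has no business being a network client, not a new listener on port 5900.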