Nmap Development mailing list archives

smb-psexec.nse example -- remotely grabbing a vnc password


From: rilian4 rilian4 <rilian4 () gmail com>
Date: Fri, 12 Mar 2010 16:14:41 -0800

Using vncpwdump from Patrik Karlsson's website:
http://www.cqure.net/wp/vncpwdump, I was able to generate the following
results from Ron's smb-psexec.nse script against a windows xp box running
the free version of RealVNC.

Host script results:
| smb-psexec:
|   Local VNC Password Dump
|     -------------------------------------
|     Password: mypass
|_    ERROR: Found no password for current user

Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds


This requires the .exe and a .dll to be uploaded to the target and
administrative creds supplied to the nmap command. The results are accurate.
The first password returned is the vnc password stored if vnc is running as
a service. The ERROR line is generated when the .exe attempts to find a
password set by the local user, which in the case of my box does not exist.
You can manipulate the .lua to scan for either or both. This output is
exactly the same as if you run the command locally on the xp box.

I have a .lua I wrote using ron's default.lua as an example that generates
the results above. Would anyone like the .lua posted here or to have a copy
offlist? I would be happy to license it under the nmap license or whatever
else is needed.

I thought up using this tool in combination with smb-psexec as a great test
of the smb-psexec.nse script and it passed with flying colors. Great work
Ron! I plan to keep on finding new and inventive ways to use
smb-psexec.nse!! This is a humongously useful tool. Also a big thank you to
Patrik Karlsson (who apparently has an array of nmap contributions as well!)
for creating the vncpwdump tool!

Also of note: This tool can be used to set the service or user passwords as
well as read them.
Let me know if anyone wants more information on this.

-Aaron
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/