Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: vnc


From: Henri Salo <henri () nerv fi>
Date: Sat, 14 Aug 2010 18:46:58 +0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 14 Aug 2010 17:13:42 +0200
Patrik Karlsson <patrik () cqure net> wrote:


On 12 aug 2010, at 06.24, David Fifield wrote:

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
o VNC
- A smallish library that supports listing supported security
types and authentication using the "VNC Authentication" security
type (vnc.lua)
- The following scripts make use of it:
  x vnc-brute - performs password guessing against VNC based servers
  x vnc-info - lists the supported security types for each VNC server

These look good to me. Here are my results.

This is TightVNC on Windows.

$ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.190 -p
5900

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 15:25 MDT
Nmap scan report for 192.168.0.190
Host is up (0.00033s latency).
PORT     STATE SERVICE
5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication
|_    Tight
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Perfomed 10 guesses in 1 seconds, average tps: 10
|
|_  ERROR: Too many retries, aborted ...

This is screen sharing on Mac OS X.

$ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.190 -p
5900 -Pn

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 15:41 MDT
Nmap scan report for 192.168.0.190
Host is up (0.00058s latency).
PORT     STATE SERVICE
5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.889
|   Security types:
|     Mac OS X security type (30)
|     VNC Authentication
|_    Mac OS X security type (35)
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Perfomed 5010 guesses in 11 seconds, average tps: 455

This is against the remote desktop in GNOME 2.22.3, with no
password set.

$ ./nmap --datadir . --script vnc-info,vnc-brute 192.168.0.2 -p
5900 -Pn -d

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 22:05 MDT
Nmap scan report for 192.168.0.2
Host is up, received user-set (0.00052s latency).
Scanned at 2010-08-11 22:05:49 MDT for 49s
PORT     STATE SERVICE REASON
5900/tcp open  vnc     syn-ack
| vnc-info:
|_  ERROR: ERROR: VNC:handshake failed to recevive protocol version
| vnc-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|     Perfomed 10 guesses in 37 seconds, average tps: 0
|
|_  ERROR: Too many retries, aborted ...

I couldn't get any output against GNOME unless I used the -d
option. If I run vnc-info by itself, I get

My bad, this has now been addressed.


5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.7
|   Security types:
|     TLS
|     None
|_  WARNING: Server does not require authentication

Running vnc-brute by itself has no change. Setting a password
doesn't help either. I attached packet captures of running each
script individually and together.

I added a check to avoid performing password guessing if the server
does not require authentication :)

I think the library and scripts look good enough to do further
debugging under revision control. Please commit them.

It's committed as r19751.


David Fifield

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

Do some of the VNC servers block password guessing / brute force
attacks, and if so, how do they reply to the blocked query?

Best regards,
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkxmunIACgkQXf6hBi6kbk8RFACfXdCYufXpLAzNQhzkWYpyJAyD
0LgAoLdhjmPEH0CzeFKLn8z5faepXpec
=lPb3
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
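The thread above is about what vnc-info and vnc-brute see in the first two RFB handshake messages: the server's ProtocolVersion string and the list of security types, including the "None" case that makes vnc-info print "Server does not require authentication" and that Patrik says vnc-brute now checks before guessing. The following is an added Python example, not code from nmap's vnc.lua or from any poster in the thread. It parses the server side of that handshake from constructed byte strings modelled on the three outputs in the thread, handles both the RFB 3.3 framing (a single U32 type) and the 3.7+ framing (U8 count plus U8 list), which goes beyond the 3.7/3.8/3.889 cases shown, and applies the "nothing to guess" pre-check. The SECURITY_TYPES table is my own rendering of the RFB registry numbers and the sample bytes and the `refused` case are constructed here.

```python
import struct

# Security type numbers from the RFB registry (RFC 6143 plus the
# community-maintained list). Assumption: this table is written for
# this example and is not the mapping used by nmap's vnc.lua.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Mac OS X security type (30)",
    35: "Mac OS X security type (35)",
}


class HandshakeError(Exception):
    """Raised when the bytes do not look like an RFB server handshake."""


def _read_reason(buf: bytes) -> str:
    # A security type of 0 is followed by a U32 length and a reason string.
    if len(buf) < 4:
        raise HandshakeError("truncated failure reason")
    rlen = struct.unpack(">I", buf[:4])[0]
    return buf[4:4 + rlen].decode("latin-1", errors="replace")


def parse_version(data: bytes):
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n'."""
    if (len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"."
            or data[11:12] != b"\n"):
        raise HandshakeError("failed to receive protocol version")
    try:
        major = int(data[4:7].decode("ascii"))
        minor = int(data[8:11].decode("ascii"))
    except ValueError:
        raise HandshakeError("malformed protocol version")
    return major, minor, data[12:]


def parse_security_types(major: int, minor: int, buf: bytes) -> list:
    """Return the raw security type numbers the server offers."""
    if (major, minor) >= (3, 7):
        # RFB 3.7+: U8 count followed by that many U8 security types.
        if not buf:
            raise HandshakeError("missing security type count")
        count = buf[0]
        if count == 0:
            raise HandshakeError("server refused connection: " + _read_reason(buf[1:]))
        if len(buf) < 1 + count:
            raise HandshakeError("truncated security type list")
        return list(buf[1:1 + count])
    # RFB 3.3: the server picks a single security type, sent as a U32.
    if len(buf) < 4:
        raise HandshakeError("missing security type")
    sectype = struct.unpack(">I", buf[:4])[0]
    if sectype == 0:
        raise HandshakeError("server refused connection: " + _read_reason(buf[4:]))
    return [sectype]


def describe_handshake(data: bytes) -> dict:
    """Summarise a captured server handshake the way vnc-info reports it."""
    major, minor, rest = parse_version(data)
    types = parse_security_types(major, minor, rest)
    return {
        "version": "%d.%d" % (major, minor),
        "security_types": [SECURITY_TYPES.get(t, "Unknown security type (%d)" % t)
                           for t in types],
        "requires_auth": 1 not in types,
        "offers_vnc_auth": 2 in types,
    }


def password_guessing_applicable(info: dict) -> bool:
    """Pre-check in the spirit of the one Patrik added: nothing to guess if the
    server offers 'None', and guessing only covers 'VNC Authentication'."""
    return info["requires_auth"] and info["offers_vnc_auth"]


# Constructed server handshakes modelled on the outputs in the thread
# (TightVNC 3.8, Mac OS X 3.889, GNOME 3.7), plus an RFB 3.3 server and a
# refused connection; none of these bytes were captured from a real host.
SAMPLES = {
    "tightvnc": b"RFB 003.008\n" + bytes([2, 2, 16]),
    "macosx": b"RFB 003.889\n" + bytes([3, 30, 2, 35]),
    "gnome": b"RFB 003.007\n" + bytes([2, 18, 1]),
    "rfb33": b"RFB 003.003\n" + struct.pack(">I", 2),
    "refused": b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 7) + b"blocked",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        try:
            info = describe_handshake(raw)
        except HandshakeError as exc:
            print("%-9s ERROR: %s" % (name, exc))
            continue
        flag = "" if info["requires_auth"] else "  WARNING: Server does not require authentication"
        print("%-9s %s %s%s" % (name, info["version"], ", ".join(info["security_types"]), flag))
```

The `gnome` sample reproduces the condition David hit: the server lists "None", so `requires_auth` is false and `password_guessing_applicable` returns false before any credential is tried. The `refused` sample only models the protocol's own framing for a rejected connection (count 0 followed by a reason string); the thread does not say which servers use it or when.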