Nmap Development mailing list archives

ncrack vnc

From: Ryan Hayward <rhhayward () att net>
Date: Tue, 28 Sep 2010 10:41:00 -0500

Attached is a patch for a rough version of a VNC module for ncrack. There are several TODOs remaining, mostly involving error checking.

To get the patch to work, I had to do the following:

1. patch < ncrack_vnc.patch
2. since modules/modules.h failed to patch, I added the line 'void ncrack_rdp(nsock_pool nsp, Connection *con);' at the end of the modules list.
3. mv d3des.cc ncrack_vnc.cc modules/
4. ./configure
5. patch < ncrack_vnc_makefiles.patch
6. modules/Makefile didn't patch, so I added 'd3des.cc ncrack_vnc.cc' to the end of the SRCS line and 'd3des.o ncrack_vnc.o' to the end of the OBJS line.
7. make

That got me a version that would make, and run.

A couple of other notes:

1. The user doesn't matter, as VNC auth just uses a password. I've been calling it with '--user whatever' just to make it not try a bunch of different users.

2. Currently the patch only adds 5901 to the ncrack-services. I've tested adding 5900, 5901 and 5902 to the ncrack-services, and it works fine. A range would be nice, though.

3. On the tightvncserver version I was testing against, a runaway brute force would lead to many "vnc://127.0.0.1:5901 Too many authentication failures" messages. I'm currently just doing the following in that case:

    /* The server has locked us out: report it and give up on this connection */
    if (memsearch((const char *)con->inbuf->get_dataptr(),
                  "Too many authentication failures",
                  con->inbuf->get_len())) {
      error("%s Too many authentication failures\n", serv->HostInfo());
      return ncrack_module_end(nsp, con);
    }

But it seems to me that when the vnc thread receives that, it should suspend for some amount of time before trying that pass again, or trying a different pass. I don't know what that would be, nor was I able to find an example of how to suspend a thread in a polite manner.

Attachment: ncrack_vnc.patch
Attachment: ncrack_vnc_makefiles.patch

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
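The lock-out handling discussed in the message above, as an added example in Python that is not part of the posted patch or of ncrack itself: it classifies the server's reply to a VNC Authentication attempt (wrong password vs. lock-out vs. not enough bytes yet) and computes a capped, doubling pause for the lock-out case, which is the "suspend for some amount of time" the author asks about. Message layouts follow the RFB protocol (a U32 SecurityResult, with a reason string after a failure from RFB 3.8 on; a U32 security type of 0 plus reason string when an RFB 3.3 server refuses the connection). Recognising a lock-out by the words "too many" in the reason text is an assumption based on the message quoted in the post; the base and cap delays are arbitrary choices, and the sample replies are constructed, not captured traffic.

```python
"""Classify a VNC server's answer to an authentication attempt and decide how
long to pause after a lock-out.  Added example; not ncrack's code.

Layouts follow the RFB protocol: a SecurityResult is one big-endian U32
(0 = OK, 1 = failed) and, from RFB 3.8 on, a failure is followed by a reason
string (U32 length + text).  An RFB 3.3 server that refuses a connection
outright instead sends security type U32 0 followed by the same reason-string
layout.  Matching "too many" in the reason text is an assumption based on the
"Too many authentication failures" message quoted in the post.
"""
import struct

AUTH_OK = 0
AUTH_FAILED = 1

# Outcomes returned by the classify_* functions.
OK = "ok"
WRONG_PASSWORD = "wrong-password"
LOCKED_OUT = "locked-out"
INCOMPLETE = "incomplete"       # need more bytes before we can decide

MAX_REASON_LEN = 4096           # refuse absurd lengths from a hostile server


def parse_reason(buf, off):
    """Parse an RFB reason string (U32 length, then that many bytes) at offset
    off.  Returns the bytes, or None while the buffer is still incomplete."""
    if len(buf) < off + 4:
        return None
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if n > MAX_REASON_LEN:
        raise ValueError("unreasonable reason length %d" % n)
    if len(buf) < off + 4 + n:
        return None
    return buf[off + 4:off + 4 + n]


def _outcome_for(reason):
    """Map a failure reason to an outcome; lock-out is recognised by its text."""
    if b"too many" in reason.lower():
        return LOCKED_OUT, reason
    return WRONG_PASSWORD, reason


def classify_security_result(buf, minor_version=8):
    """Classify the SecurityResult sent after our 16-byte challenge response."""
    if len(buf) < 4:
        return INCOMPLETE, b""
    (status,) = struct.unpack(">I", buf[:4])
    if status == AUTH_OK:
        return OK, b""
    if minor_version < 8:
        return WRONG_PASSWORD, b""      # 3.3/3.7 carry no reason string here
    reason = parse_reason(buf, 4)
    if reason is None:
        return INCOMPLETE, b""
    return _outcome_for(reason)


def classify_conn_failed(buf):
    """Classify an RFB 3.3 security-type message: U32 0 means the server
    refused the connection and a reason string follows."""
    if len(buf) < 4:
        return INCOMPLETE, b""
    (sectype,) = struct.unpack(">I", buf[:4])
    if sectype != 0:
        return OK, b""                  # a real security type; carry on
    reason = parse_reason(buf, 4)
    if reason is None:
        return INCOMPLETE, b""
    return _outcome_for(reason)


class LockoutBackoff:
    """Per-target pause policy: double the wait after each consecutive lock-out
    (capped) and reset once an attempt gets a real OK/failed answer again.
    The base and cap values are arbitrary choices for the example."""

    def __init__(self, base_seconds=10.0, cap_seconds=600.0):
        self.base = base_seconds
        self.cap = cap_seconds
        self.strikes = 0

    def next_delay(self, outcome):
        """Seconds the caller should sleep before reusing this target."""
        if outcome == LOCKED_OUT:
            self.strikes += 1
            return min(self.cap, self.base * 2 ** (self.strikes - 1))
        if outcome in (OK, WRONG_PASSWORD):
            self.strikes = 0
        return 0.0


# Constructed sample replies (not captured traffic).
_LOCK = b"Too many authentication failures"
_BAD = b"Authentication failed"
REPLY_OK = struct.pack(">I", AUTH_OK)
REPLY_BAD_38 = struct.pack(">II", AUTH_FAILED, len(_BAD)) + _BAD
REPLY_LOCK_38 = struct.pack(">II", AUTH_FAILED, len(_LOCK)) + _LOCK
REPLY_LOCK_33 = struct.pack(">II", 0, len(_LOCK)) + _LOCK    # ConnFailed

if __name__ == "__main__":
    policy = LockoutBackoff()
    for label, (outcome, _) in [("3.8 ok", classify_security_result(REPLY_OK)),
                                ("3.8 bad", classify_security_result(REPLY_BAD_38)),
                                ("3.8 lock", classify_security_result(REPLY_LOCK_38)),
                                ("3.3 lock", classify_conn_failed(REPLY_LOCK_33)),
                                ("short", classify_security_result(REPLY_LOCK_38[:6]))]:
        print("%-9s %-14s sleep %5.1fs" % (label, outcome, policy.next_delay(outcome)))
```

A module would keep one LockoutBackoff per target and, on LOCKED_OUT, close the connection and mark the target unavailable for next_delay() seconds before any further attempt, rather than retrying the same password immediately; INCOMPLETE means the read so far is too short and the caller should wait for more data instead of treating it as a failure.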
